still need work cissp Flashcards
nail down less know cards
RSA, cypher type, keys generated by…, key sizes, provides what services (4), common use
Rivest Shamir Adleman,
RSA
block cipher, (Roblox)
block size in general is 1024 but is dependent on the number of bytes in the rsa modulus
new keypair using very large prime numbers, (Supersized prime number keys)
1094-4096 bit keys ( of Amount)
services
authentication, key encryption, digital signatures, encryption
uses
AES symmetric encryption
PGP used for 4 things and uses what model
used for:
file encryption,
directory encryption &
whole disk encryption,
email,
uses Web of Trust model (if you trust me you trust those I trust)
TCP/IP - PDU - OSI mapped
OSI TCP PDU
1 physical 1 link & physical bits
2 data link 1 link & physical frames
3 network 2 internetwork packets
4 transport 3 transport segments
5 session 4 application / data data
6 presentation 4 application / data data
7 application 4 application / data data
IPv4 Header
Very Intelligent Quarterbacks Identify Top Pass Catchers Strethcing Defense Out
Version
IHL/IP Header Length
QoS
ID/Flags/Offset for fragmentation
TTL
Protocol number
Checksum
Source address
Destination address
Options
IPv6 Header
Vicious Tacklers Frighten Passers Needing To Score Deep
Version
Traffic class/ Priority
Flow label (QoS)
Payload length
Next header
TTL
Source address
Destination address
EDRM process (9 steps)
Internet-Games Involve People Chanting Pretentious R A P P
(Electronic Discovery Reference Model)
Information Governance
Identification
Preservation
Collection
Processing
Review
Analysis
Production
Presentation
Change Management Process steps (9)
In Practice All Players Try Something Not In Playbook
IPA PT SNIP
Identify
Propose
Assess risk, impact
Provisional change approval
Test the change
Schedule the change
Notification of change
Implementation of change
Post implementation reporting
DRP Lifecycle (4 phases)
Preparation
Response
Recovery
Mitigation
Developing BCP/DRP (10 steps)
prepare salvation by instituting real plans in the tomorrow mindset
P S B I R P I T T M
Project Initiation
Scoping Project
BIA (business impact analysis)
Identify Preventive Controls
Recovery Strategy
Plan Design
Implementation
Training
Testing
Maintenance
OWASP current Top 10
Best Coaches Intend Immediate Success Visionary Inspire Spur Stimulate Sacrifice
Broken Access Control
Cryptographic Failures
Injection
Insecure Design (new)
Security Misconfiguration
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures (new)
Security Logging and Monitoring Failures
Server-Side Request Forgery (new)
Agile Software Development Umbrella of Methodologies, Principles (12), how does it work (5)
Principles:
(FF PEWT CCC SSS)
1 Face to Face communication is best
2 Frequent delivery
3 Primary measure of progress is working software
4 Early continuous delivery
5 Welcome changes
6 Trusted individuals
7 Cooperation between business and developers
8 Continuous attention to good design
9 Continuous improvement
10 Self-organizing teams produce best results
11 Simplicity
12 Sustainable development at constant pace
How it works:
CFUIL
Agile does not deliver prototypes, but breaks product down to individual features and features are Continuously delivered
does not follow rigid processes, but focuses on getting the product Finished Faster
focus on User stories,
small Incremental deliveries
Less documentation, more focus on delivering right software
Extreme Programming Characteristics (7), relation to Scrum, result
(PU CAFFE) - only somebody EXTREMEly stupid would eat at the pu caffe)
Pair programming (continuous code reviewing, or taking code reviews to the EXTREME)
Unit testing
Code clarity and simplicity
Avoidance of features until they are needed
Flat management
Frequent communication between dev and bus
Expecting changes as problem is better understood
“take away regularity of scrum and add alot of code reviewig you get Extreme Programming”
Results in less errors, better code
Spiral Model phases, what does angular aspect represent, what does diameter of spiral represent
PREE
Planning
Risk Analysis
Engineering
Evaluation
angular aspect is progress
diameter of spiral is cost
Secure Coding Techniques (12)
VOMIT SCiEnCE DB
Validation Points
Obfuscation / Camouflage
Memory Management
Input Validation
Third Party Libraries and SDKs
Stored Procedures
Code Reuse / Dead Code
Encryption
Code Signing
Error and Exception Handling
Data Exposure (Applications)
Balancing Time and Quality
CSF what does it mean, phases (5)
Cybersecurity Framework NIST
(industrious physiques don’t ruin reputations)
Identify
Protect
Detect
Respond
Recover
RMF process NIST 800-37, 7 steps
Risk Management Framework (RMF)
NIST 800-37 Steps
(Perilous Cases Start In An Angry Mob)
Prepare - establish context and priorities
Categorize - based on impact of loss
Select - set of controls for a system based on risk assessment
Implement - controls and describe how they fit
Assess - controls for propiety
Authorize - system of controls to determine if risk is acceptable / reasonable
Monitor - system and controls for changes
DRM Tools (3)
Digital Rights Management
Tools:
[CAP]
Continuous Audit Trail
Automatic Expiration
Persistent Online Authentication
Supported Digital Signature Standards
NIST
DSA (FIPS 186-4)
RSA (ANSI x9.31)
ECDSA (ANSI x9.62)
Authorizing Official Decisions (RMF) (4)
[ACAD]
ATO authorization to operate
CCA common control authorization - used for inheritance when risk is acceptable
ATU authorization to use - used when third party providers servers are acceptable risks or for reciprocity of another AO’s ATO
DOA denial of authoriztion
Heirarchical MAC, grants … using predefined … for specific …
MAC is based on a … model. The … is based on … …
All users are assigned a … or … level.
All objects are assigned a … … Users can only access resources that correspond to a … … … to or … than theirs in the hierarchy.
grants access using predefined labels for specific labels
MAC is based on a hierarchical model. The hierarchy is based on security level. All users are assigned a security or clearance level. All objects are assigned a security label. Users can only access resources that correspond to a security level equal to or lower than theirs in the hierarchy.
OIDC, uses … , provides (2), is built on …
uses JSON web tokens
provides authentication and profile information for internet SSO,
it is built on OAuth 2.0 framework
Kerberos Process (6 steps), port, benefits (3)
Kerberos process:
See diagram
port 88
Easy for end users;
centralized control and
easy to administer.
KERBEROASTING
a …-… attack technique that attempts to obtain a … … of an … … account that has a … … … (“…”).
In such an attack, an … domain user requests a … ticket for an … , solutions (4)
a post-exploitation attack technique that attempts to obtain a password hash of an Active Directory account that has a Service Principal Name (“SPN”).
In such an attack, an authenticated domain user requests a Kerberos ticket for an SPN.
Prevention: HER G (Hygiene, Extraction, Restrict, Governance)
Practice good password hygiene for service accounts
Use long passwords (at least 25 characters) for service accounts
Regularly rotate passwords every 30 days
Implement group managed service accounts (gMSAs) or third-party solutions for automated password management
Institute proper governance for service accounts
Keep track of service accounts and their usage
Enforce the principle of least privilege for all service accounts
Follow NIST guidelines for password security, prioritizing password length over complexity and avoiding frequent password changes
Restrict access to the KRBTGT account password
Limit access to the KRBTGT password hash to minimize vulnerability to Golden Ticket attacks
Identify accounts with rights to extract password hashes and remove unnecessary permissions
Regularly change the KRBTGT password to invalidate any existing Golden Tickets
Use Microsoft’s KRBTGT account password reset script every 180 days
Prevent the extraction of service accounts
Create an inventory of all service accounts and their details
Maintain documentation for when accounts should be reviewed, deactivated, or deleted
Grant minimum privileges necessary for each service account
Change default passwords of service accounts
Use automated password management solutions to regularly rotate passwords
Use separate accounts for different services
Avoid using the same password for multiple service accounts
Promptly decommission service accounts that are no longer needed
Use tools to detect and manage inactive service accounts
Monitor service accounts for suspicious activity
Use a real-time auditing solution with machine learning for anomaly detection and response
Kerberos User Enumeration (attack), solution
brute-force attack on Kerberos
has a distinct advantage over attacks on other authentication methods: no domain account is required to perform the attack, just a connection to the KDC
there is a u in both enumeration and brute force and unrealistic
solution: detect unrealistic amounts of AS-REQ requests without follow-up requests
AS-REP Roasting, solution
attackers steal encrypted parts of a AS_REP message from user accounts in order to then crack them offline
AS-REP ends with P and preauthentication starts with P
solution: make sure all accounts in your domain have the Kerberos pre-authentication enabled
Golden Ticket Attack, what is it, solutions (6)
A golden ticket in Active Directory — much like its namesake for Willy Wonka’s chocolate factory — grants the bearer unlimited access. A Golden Ticket attack abuses the Kerberos protocol, which depends on the use of shared secrets to encrypt and sign messages.
P. L. Kurl is an oomploompa
solution: PLKURL
Protect against phishing attacks by training staff to identify suspicious emails and avoid sharing credentials.
Limit user privileges to necessary roles and only use admin accounts for administrative tasks.
Keep operating systems updated and disable plain text password storage in Active Directory to prevent Mimikatz-style attacks.
Use a real-time auditing solution to respond to failed login attempts with custom scripts to disable accounts, stop processes, change firewall settings, or shut down servers to prevent brute force attacks.
Regularly change the password for the KRBTGT user, doing it twice around 12-24 hours apart to avoid service disruptions.
Look for signs of a Golden Ticket attack, such as nonexistent usernames, username and RID mismatches, modified group memberships, weaker encryption types, and ticket lifetimes exceeding the domain maximum.
Secure VOIP practices (6)
US VAPI
disable Unnecessary ports and services
the use of SIPS and SRTP, both secure protocols that will keep VoIP traffic encrypted
a dedicated VLAN for VoIP devices to help separate them from other networked devices
Authentication implementation
Patching / updates
IDS / IPS
AIO book conflicts and says to use IDS / IPS
Best Authentication out of EAP, LEAP, PEAP and EAP-TLS without complexity
PEAP is the best solution. It encapsulates EAP in a TLS tunnel, providing strong encryption.
EAP is not protected
LEAP is a Cisco proprietary protocol that was originally designed to help deal with problems in WEP. LEAP’s protections have been defeated, making it a poor choice.
EAP-TLS is secure but requires client certificates, making it difficult to deploy and manage.
best option for providing free wireless to customers without need for accounts / passwords
WPA3 SAE (simultaneous authentication of equals) is new and best, if need to worry about older devices, WPA2 PSK should be used
SDWAN advantages (3)
PCS
predefined rules to optimize performance
continuous monitoring to support better performance
self-learning techniques to respond to changes in the network
802.1x authentication type and can be used with, supported by 3 802.1 standards
port based authentication (can be used on both wired and wireless)
can be used with EAP technologies
supported by 802.1AE, 802.1AR, 801.1AF
security concerns using SMS (4)
MESS
can be received by More than one phone,
messages are not Encrypted
messages can be Spoofed,
messages are typically Stored on the recipient’s phone
most common VPN protocols (5)
PPTP,
L2F,
L2TP,
IPsec
TLS
BCP Team Roles / Members (12)
HeLPS IT COMMAnD (e,n not used)
Human Resources
e
Legal Affairs
Procurement - Equipment and Supplies
Security
IT members from each major area
Transportation & Relocation
Crisis Management
Operations Assessment
Management
Media Relations
Administrative Support
n
Damage Assessment
Company Acquisition Concerns for Security (3)
the acquiring company usually acts like a DICk
DIC
Documentation of security policies
Integration of security tools
Consolidation of security functions
list of supply chain risks (6), 2 examples from practice tests
NIST 800-53
TPC VCS
Third party service providers or vendors – from janitorial services to software engineering -‐-‐ with physical or virtual access to information systems, software code, or IP. Poor information security practices by lower-‐tier suppliers. Compromised software or hardware purchased from suppliers. software security Vulnerabilities in supply chain management or supplier systems. Counterfeit hardware or hardware with embedded malware. Third party data Storage or data aggregators.
examples from practice tests:
adversary tampering with hardware prior to shipment to end customer
adversary using social engineering to compromise an employee of SaaS vendor to gain access to customer accounts
NIST SP 800-88 / Validation purpose
Validation processes are conducted to ensure that the sanitization process was completed, avoiding data remanence
Data Owners responsibilities (5)
Co Cla Set AS IS
Control Selection
Classifying the Data
Sets the Rules for use and protection of data
assisting with or Advising the System owners on security requirements
data owners are likely to ask that those responsible for control selection to Identify a Standard to use
Data processors legal requirements
Data processors are required to perform specific actions under regulations like the EU GDPR.
data stewards definition
are internal roles that oversee how data is used.
system owner security responsibilities (4)
system owner is down in the PIIT
develops system security Plan
Id’s security controls
Implements security controls
ensures system users receive appropriate security Training
CaaS
Containers as a service (CaaS) is a cloud service that allows software developers and IT departments to upload, organize, run, scale, manage and stop containers by using container-based virtualization. A CaaS provider will commonly provide a framework which allows users to make use of the service.
Reduced cost – Using CaaS allows an organisation to pay for only the services used, such as load balancing, scheduling and compute instances. CaaS can also help clients reduce infrastructure, software licensing and operating costs.
OAuth2, what is it, provides the ability to access … from another …, focus on….
protocol
provides the ability to access resources from another service,
focus on authorization - you’ve never signed up before
OIDC what is it, what is it used for and how it works, entities (2), 3 flows
OpenID Connect
standard to allow the use of an account from another service with an application,
builds on oauth2 and adds authentication
uses JSON Web Tokens (JWT)
entitiies:
relying party (target of access)
IdP (identity provider)
flows:
authorization code flow - request -> IdP -> authorization token -> use consent request -> authorization code -> ID token *preferred and more secure [R>I>AT>C>AC>IDT]
implicit flow - relying party request includes scope values *good for javascript or other serverless / browser-based request, less secure because ID token can be manipulated by user [RPR(scope values)>IDT]
hybrid flow (combo of two above)
SAML,
Standardized way to tell external applications and services that a … is … … … … …
SAML makes … technology possible by providing a way to … a user once and then … that … to multiple applications
primary role in online security is that it enables you to access … … applications using … set of login credentials
used to make … and … data
Security Assertion Markup Language
Standardized way to tell external applications and services that a user is who they say they are. (SAM is who he says he is)
SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications (Sam can use SSO)
primary role in online security is that it enables you to access multiple web applications using one set of login credentials (Sam uses SSO to sign on many places with one credential set)
used to make authorization and authentication data
XSS attack, what is it, how to prevent
Cross site scripting
malware script in site (e.g. bulletin board) which is hidden but can be unintentionally run by others who access the site
use script tags to prevent
CSRF,what is it, how does it work, how is prevented
Cross site request forgery,
an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user.
use session tokens / keys to prevent
XACML,what is it (2 items) and what is it used for (3 items), 2 elements
eXtensible Access Control Markup Language
Markup Language and a processing model
Uses:
DSE
used to Describe access controls,
used as a means to Send an individual’s authentication information in a standard format (password, key or certificate),
can also be used to enforce policies
elements:
subject element
resources element
SPML,what is it and what does it allow, 3 entities
service provisioning markup language
allow platforms to generate and respond to provisioning requests
entities:
RA - requesting authority
PSP - provisioning service provider (software)
PST - provisioning service target
SOAP,what is it, how is it used, what is required for it to be used, components (3)
simple object access protocol
used for the exchange of information in decentralized, distributed application environments using XML over HTTP
can transmit SOAP messages in any way that the applications require, as long as both the client and the server use the same method.
components:
message envelope - defines the messages allowed and how they will be processed by recipient
encoding rules used to define data types
conventions for remote procedures / how to interpret responses
NIST 800-12
introduction to computer security
NIST 800-34 contingency planning steps (7)
contingency planning
as a contingency, Please Buy Personal Self Care Toiletries Mama
develop Policy BIA Identify Preventive controls create contingency Strategies develop information system Contingency plan Testing and Training plan Maintenance
NIST 800-86
Guide to Integrating Forensic Techniques into Incident Response
86 should have been media sanitization (deleting data) which would prevent forensic techniques from working, but media santization is 88
NIST 800-53A
Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans - covers methods for assessing and measuring controls
RFC 1918
nonroutable IP addresses (internal IP addresses)
in 1918 we thought the moon was non-routable
RUM,what is it and what is it used for
Real User Monitoring
a passive monitoring technique that records user interaction with an application or system to ensure performance and proper application behavior
RUM is often used as part of a predeployment process using the actual user interface
SSAE 18 SOC Compliance report
is an … standard for … organizations.
It is … by many industries and organizations for … that provide them services.
The examinations and audits of these Standards are known as … reports.
Statement on Standards for Attestation Engagements no. 18 (SSAE 18),
is an auditing standard for service organizations.
It is required by many industries and organization for vendors that provide them services.
The examinations and audits of these Standards are known as SOC reports.
SCAP, meaning, use and individual specifications (6)
Security Content Automation Protocol
A suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. Note: There are six individual specifications incorporated into SCAP:
VCP VOX
CVE (common vulnerabilities and exposures);
CCE (common configuration enumeration);
CPE (common platform enumeration);
CVSS (common vulnerability scoring system);
OVAL (open vulnerability assessment language); and
XCCDF (eXtensible configuration checklist description format).
SCE, what does it mean, what is it designed to do
The Script Check Engine (SCE) is designed to make scripts interoperable with security policy definitions.
Statement coverage
verify that every line of code was executed during the test
Condition coverage
verifies that every logical test in the code was executed under all sets of inputs
Pair programming, description, is what type of development technique which comes from what other type of technique,
Pair programming is an Agile software development technique originating from Extreme programming (XP) in which two developers team together on one computer. The two people work together to design, code and test user stories.
CSIRT,meaning and members - core (6) extendend (4) minimum (5)
cybersecurity incident response team
members -
core:
DICCIT
CISO
Director of Security Ops
IR Team lead
Cybersecurity Analyst
IT support
Threat Intelligence Analyst
extended:
BHeLP
HR
Legal counsel
PR
Business Unit Lead
minimum:
(e lips)
engineering/technical staff
legal representatives,
information security professionals,
public affairs staff, and
senior management,
NIST SP 800-137, factors that should be used for assessment / monitoring frequency (10)
According to NIST SP 800-137, organizations should use the following factors to determine assessment and monitoring frequency:
monitoring should be 24X7 not 13X7
VV WORMCORT
Volatility of security controls,
Vulnerability information,
Weaknesses identified in security controls,
Organizational risk tolerance,
Risk assessment Results,
Monitoring strategy review output,
Categorizations/impact levels for system security controls or specific assessments
Objects providing critical functions,
Reporting requirements.
Threat information,
Fagan Inspection / Code Review, process (6 steps)
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
a process of trying to find defects in documents (such as source code or formal specifications) during various phases of the software development process
P O P Is Real Fedup [POPIRF]
(planning, overview, prep, inspect, rework, followup)
Threat Modeling Process Overview for applications (4 steps)
threat MOdeling prOcess Overview
threat MOdeling cOmmOnly involves:
Mooo at the dairy
DA IR y M AC (y not used)
Decomposing the Application to understand it and how it interacts with other components or users.
Identifying and Ranking threats allows you to focus on the threats that should be prioritized.
identifying how to Mitigate those threats finishes the process.
once complete, an organization can take action to handle the threats that were identified with Appropriate Controls.
How a NoSQL database stores data
allows to store data using a key-value store
graph database, type of db and how it works
another example of a NoSQL database, but it
uses nodes and edges to store data rather than keys and values
Stages of Information Life Cycle (ILC) 2 types 1 with 5 phases 1 with 6 phases
C/R DUM D/S
Create / Receive
Distribute
Use
Maintain
Dispose / Store
or
ASU SAD
Acquisition
Storage
Use
Sharing
Archival
Disposal
Security Modes List / criteria list
Modes:
D Size Cups Mama (DSCM)
Dedicated
System High
Compartmented
Multi-level
For Each Mode:
Nice Cans Face Nookie Ass (NCFNA or SCANU)
Signed NDA
Clearance
Formal Approval
Need to Know
All users
Dedicated Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know All Data
All users can access All Data
System High Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval All Data
Valid Need to Know Some Data
All users can access Some Data
Compartmented Security Mode
Signed NDA All Data
Proper Clearance All Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
Multi-level Security Mode
Signed NDA All Data
Proper Clearance Some Data
Formal Access Approval Some Data
Valid Need to Know Some Data
All users can access Some Data
What are the protocol(s) (14) of the Application Layer?, function
communication, file transfer, network management
PISS DDMMP iN FiLTH
POP3, SMTP, IMAP, SNMP, FTP, Telnet, HTTP, MIME, PGP (app), S/MIME (app), HTTPS (app), DNS, DHCP, NTP
POP3 - Post Office Protocol version 3
IMAP - Internet Message Access Protocol
SMTP - Simple Mail Transfer Protocol
SNMP - Simple Network Management Protocol
DNS - Domain Name Service
DHCP - Dynamic Host Configuration
MIME, S/MIME - Multipurpose Internet Mail Extensions
PGP - Pretty Good Privacy
NTP - Network Time Protocol
FTP - File Transfer Protocol
LPD - Line Printer Daemon
Telnet
HTTP - HyperText Transfer Protocol
function: formats data from applications for transmission over a network
What are the protocol(s) of the Presentation Layer?, function
GET JAMUM
GIF, TIFF, JPG, MPEG, MIDI character encoding (ASCII, UNICODE, EBCDIC)
compression, encryption
function: formats (serializes) data in a manner the receiving computer can understand
not really network protocols, only layer without real network protocols
What are the protocols (9) of the Session Layer?, function
(LNNPPRRSS)
L2TP - Layer 2 Tunneling Protocol
NFS - UNIX stateless Network File System
NetBIOS - MS network basic input output system
PPTP - Point-to-Point Tunneling Protocol
RPC - Remote Procedure Call
RTCP - RTP (Real-time Transport Protocol) Control Protocol
SQL - Structured Query Language
PAP - Password Authentication Protocol
SIP - session initiation protocol
function: creates session receiving application can understand, creating session, maintaining session, releasing session
What are the protocols (4) of the Transport Layer?, function
TRANsport / TRANsmission control protocol (TCP)
TUSQ
TCP, UDP, SCTP, QUIC
TCP - Transmission Control Protocol
UDP - User Datagram Protocol
SCTP - Stream Control Transmission Protocol
QUIC
Function: creates session between two computers to enable communication
What are the protocols(s) (5) of the Network Layer?, function
IP, RIP, ICMP, IGMP, OSPF
ORIIIP
IP - Internet Protocol
RIP - Routing Information Protocol
ICMP - Internet Control Message Protocol
IGMP - Internet Group Management Protocol
OSPF - Open Shortest Path First
function: insert information into packet header for addressing and routing, isolate to broadcast domains
if it starts with “I” it’s probably network layer (IMAP is exception, it’s application layer)
What are the protocols(s) of the Data Link Layer? (13) functions (3, 2 are sub functions)
ARP, ATM, RARP, SLIP, PPP, L2TP, Ethernet, ISDN, Wi-Fi, FCoE, FDDI, Token Ring
I SLAPT A FFEW VV
ISDN - Internet Services for Digital Network
SLIP - Serial Line Internet Protocol
L2TP - Layer 2 Tunneling Protocol
ARP / RARP - (Reverse) Address Resolution
Protocol
PPP - Point-to-Point Protocol
Token Ring
ATM
FDDI
FCoE- Fiber Channel over Ethernet
Ethernet
Wi-Fi
VLAN
VxLAN
function:
formats data for the physical transmission media
2 functions
LLC - logical link control, interfaces with network layer, flow control and error checking
MAC - media access control, interfaces with physical layer adds last header / trailer [framing] to before it hits wire and what volts to put on the wire 1 is +.5 volt / 0 is 0 volts
What are the devices (5), protocols (9) and functions (5) of the Physical Layer?
PCRAV 10 RIDS C FEW CD LiST
devices:
PCRAV
Pinouts,
voltages,
cables,
antennas,
radio waves
protocols:
10 RIDS C FEW
10BaseX
RS/EIA/TIA-422,423,449,485
ISDN - Integrated Services Digital Network
DSL - Digital Subscriber Line
SONET - Synchronous Optical Networking
ethernet
wifi
Fiber Optics
coaxial
Functions:
CD LiST
Convert bits to electromagnetic signals for transmission,
Synchronization,
Data rates,
Line noise
and Transmission techniques
What are the encryption(s) of the Transport Layer?
SSL2, SSL3, TLS (therefore the encryption in support of HTTPS, POP3S, FTPS)
since IPSec is built into IP6 network protocols, and can be used with IP6, think of that to remember that it’s in the network layer
SSL - Secure Socket Layer
TLS - Transport Layer Security
What are the encryption(s) of the Data Link Layer? (3)
WEP, TKIP, CCMP
WEP - Wire Equivalent Privacy
TKIP - Temporal Key Integrity Protocol
CCMP - Counter-Mode/CBC-MAC Protocol
What are the encryption(s) of the Network layer?
IPSec Transport ESP
IPSec Tunnel ESP
(RC5, DES, AES)
What are the SW/HW of the Application Layer?
Gateways and Proxies
What are the encryptions (1 creates 4) of the Presentation Layer?
SSH (therefore, the encryption in support of S-FTP, S-HTTP, PGP, S/MIME)
What are the device(s) of the Network Layer?
Router, L3 Switch
What are the HW device(s) of the Data Link Layer?
L2 Switch, Bridge
What are the HW devices of the Physical Layer?
Hub, repeater
What is the firewall of the Application, Presentation, and Session Layer?
Proxy Firewall
What is the firewall of the Session and Transport Layer?
Circuit (SOCKS) Firewall
What is the firewall of the Network Layer?
Packet Filter Firewall
CHAP, what is it, how does it work, process (3 steps), how is password sent
A three-way handshake (challenge/response) authentication protocol used for remote access connections. Both devices are configured with a password called a shared secret. For unique user authentication, this value is associated with a user account. The challenge/response authentication mechanism occurs in three steps:
The server generates a challenge message and sends it to the client. The client responds with the username and a value created using a one-way hash function on the challenge message. The server checks the response against its own value created using the same hash. If the values match, the client is authenticated.
With CHAP, plaintext versions of the password are never sent; only the hashed challenge message is sent between devices.
RADIUS 2 benefits
Allows users to use Normal credentials across trusted networks.
Allows users in one organization to authenticate and access resources on another trusted organizations network using one set of credentials
CDN Benefits (4)
Lower latency for clients, especially for applications in which
multiple round-trips are required to load content.
Large scaling to better handle instantaneous high loads, such
as the start of a product launch event.
Reduce the traffic sent to the origin server, as requests are
handled by the edge servers.
Provides protection from DoS attacks
3 ways CDN provide DDoS protection
RAVing about CDN
A content delivery network provides DDoS protection by
design, by being able to absorb Volumetric attacks.
CDN also
include Always-on traffic monitoring,
and Real-time mitigation of
common network-level attacks.
zigbee, what it enables, designedfor, which IEEE specification, networks secured by…, rate of transmission, best suited for…
ZigBee speed range
ZigBee # of devices
ZigBee frequency
An IoT standard based protocol. Zigbee is a standards-based wireless technology that enables wireless machine-to-machine (M2M) and IoT networks.
It is designed for low-data rate, low-power applications, and is an open standard. Zigbee is a specification based on IEEE 802.15.4
Its networks are secured by 128-bit symmetric encryption keys. Zigbee has a defined rate of 250 kbps, best suited for intermittent data transmissions from a sensor or input device.
40-250 kbps
65,000
868 mhz to 2.4 ghz
Z-Wave, define, uses what encryption (same as zigbee), how many nodes permitted?
Z-Wave speed range
Z-Wave # of devices
Z-Wave frequency
IoT standard based protocol. Simpler and less expensive than Zigbee. Z-Wave was created by a Danish company named Zensys. It uses the same AES-128 symmetric encryption as Zigbee.
Like Zigbee, Z-Wave devices all link up together to form a mesh network. There’s one central hub that connects to the internet and then the devices themselves don’t have Wi-Fi at all, they use Z-Wave connectivity to talk to the hub either directly or through the mesh network. This is called a “source-routed mesh network topology.” Z-Wave allows up to 232 nodes on the mesh network.
9.8-100 kbps
232
908.42 mhz in North America
DKIM, what is it, what is it used for, how does it work
DomainKeys Identified Mail (DKIM) is an email authentication method designed to detect forged sender addresses in email (email spoofing), a technique often used in phishing and email spam.
Works by leveraging PKI
DKIM allows the receiver to check that an email that claimed to have come from a specific domain was indeed authorized by the owner of that domain.[1] It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.
DKIM is an Internet Standard.[3] It is defined in RFC 6376, dated September 2011, with updates in RFC 8301 and RFC 8463.
NAC captive portal definition / limitations (4)
captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources
Limitations: CBDM
may be Circumvented
Dns tunneling
Mac spoofing
require web Browser
WPA3 security has new authentication mode known as what?,
benefit of this authentication mode?
Describe 3 operational modes with some technical detail and their benefits
WPA3-Personal (WPA3-SAE). This mode focuses on improving protection for individual users by providing better security using SAE. SAE increases security over WPA2, even when using a simple password.
Operational Modes: PEE (W PEE A THREE)
Personal mode lets users choose easy-to-remember passwords while still providing increased security using perfect forward secrecy to protect data traffic.
WPA3-Enterprise. Enterprise mode builds on top of the previous WPA2 Enterprise mode. However, enterprise mode requires the use of Protected Management Frames on all WPA3 connections. Enterprise mode also has multiple Extensible Authentication Protocol (EAP) methods for authentication, 128-bit authenticated encryption, 256-bit key derivation and confirmation, as well as 128-bit management frame protection.
Wi-Fi Enhanced Open. This extra mode focuses on increasing privacy in open networks. Enhanced Open mode prevents passive eavesdropping by encrypting traffic even when a password isn’t used. This mode uses 256-bit authenticated encryption, 384-bit key derivation and confirmation, as well as 256-bit management frame protection.
SAE, define, variant of x, based on y key exchange,
doesn’t use DH because DH has no z mechanism,
resulting key is influenced by a preshared key and what?
In cryptography, Simultaneous Authentication of Equals (SAE) is a password-based authentication and password-authenticated key agreement method
SAE is a variant of the Dragonfly Key Exchange defined in RFC 7664,[2] based on Diffie–Hellman key exchange using finite cyclic groups which can be a primary cyclic group or an elliptic curve.[1] The problem of using Diffie–Hellman key exchange is that it does not have an authentication mechanism. So the resulting key is influenced by a pre-shared key and the MAC addresses of both peers to solve the authentication problem.
WPA3 vs. WPA2, 5 points
BiG SIS (i not used)
Bigger session keys
GCMP WPA2 uses AES for encryption, while WPA3 uses the more secure GCMP
SAE protocol
Individualized data encryption
Stronger brute-force attack protection
GCMP, what does it mean, what type of cryptography, what makes it special, what is it used for (12 technologies)
Galois/Counter Modea mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources
used in:
MWATTS OSWIFT
MACsec (IEEE 802.1AE Ethernet security)
WiGig (ieee 802.11AD),
AES-GCM
TLS 1.2[9][10]
TLS 1.3.[11]
SSH,[8]
OpenVPN since version 2.4.
SoftEther VPN server and client,
WPA3-Enterprise Wifi security protocol,
IPsec standards
ANSI (INCITS) Fibre Channel Security Protocols (FC-SP),
Tape storage IEEE P1619.1 t
MAC flooding, how does it work, equipment note, solutions (3)
attack works by forcing legitimate MAC table contents out of the switch and forcing a unicast flooding behavior potentially sending sensitive information to portions of the network where it is not normally intended to go
solutions:
Mac davis flooding the airwaves at 8pm
network operators usually rely on the presence of one or more features in their network equipment:
port security
MAC filtering
IEEE 802.1X
VLAN hopping definition, types and mitigation of each type (2)
gain access to traffic on other VLANs that would normally not be accessible and is mitigated through proper vlan configuration
switch spoofing - mitigated by ensuring that ports are not set to negotiate trunks automatically by disabling DTP on ports that are not meant to be trunks and explicitly configured as access ports
double tagging - mitigated by not putting any hosts on VLAN 1 (The default VLAN). i.e., assign an access VLAN other than VLAN 1 to every access port, Change the native VLAN on all trunk ports to an unused VLAN ID and Explicit tagging of the native VLAN on all trunk ports. Must be configured on all switches in network autonomy
IP spoofing how and how to stop (2)
IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a false source IP address, for the purpose of impersonating another computing system
solutions: packet filtering and do not allow authentication based on IP address1
IEEE 802.3
IEEE 802.3 is a working group and a collection of standards defining the physical layer and data link layer’s media access control (MAC) of wired Ethernet
IEEE 802.15
IEEE 802.15 is a working group of the Institute of Electrical and Electronics Engineers (IEEE) IEEE 802 standards committee which specifies Wireless Specialty Networks (WSN) standards. WPAN / Bluetooth
IEEE 802.15.5
Mesh networking
IEEE 802.15.7
7 is an inverted L (for LiFi)
Visible Light Communication / LiFi
IEEE 802.15.13
Multi-Gigabit/s Optical Wireless Communications
lay 3 on left side for M in Multi-Gigabyte
SRTP what does it stand for, what OSI layers, 4 services
Secure Real-time Transport Protocol
Secure Real-time Transport Protocol (SRTP) is a profile for Real-time Transport Protocol (RTP) intended to provide encryption, message authentication and integrity, and replay attack protection to the RTP data in both unicast and multicast applications
between transport and application layer
provides
CREM
confidentiality,
replay protection
encryption,
message authentication
SRTP (4 services) vs SIPS / SIP TLS (2 services), services provided
E AIR
SRTP is an RTP profile intended to provide Encryption, message Authentication and Integrity, and Replay attack protection to the RTP data.
PI
SIP TLS protocol aims primarily to provide Privacy and data Integrity between two or more communicating computer applications.
NAT vs PAT
NAT maps public to private via IP address
PAT maps public to private via port#
PAT more efficient as it can use one public address for many different internal devices
BIA process (5 steps)
Business Impact analysis
Business Is:
Protect Real Life Investment Revenue
(id Priorities, id Risks, Likelihood, Impact, Resource priorities)
Communication threats (5)
RIDEM
(Replay, Impersonation, Modification, Eavesdropping, Denial of service)
serverless, definition, benefits, aka
Like microservices, each function is made to work independently and
autonomously. It does not hold resources in volatile memory; computing in short bursts with the results
persisted to storage.
Cost is based on actual use. When the app is not in use, no compute resources are used.
Elasticity: resources expand, or contract based on the need.
Scalability: we scale resources to meet expected needs.
aka: FaaS (only functions)
Vigenere Cipher
uses a matrix (vigenere square) X axis is plain teXt / Y axis is keY
IPSec Modes (2)
Transport Mode (Only data encrypted)
Tunnel Mode (entire packet encrypted)
TCP Flags mnemonic
Nosetackles Can Easily Upend Any Puny Runningback Sneaking the Football or first 3 not used, Unskilled Attackers Pester Real Security Folks
NS (not used anymore)
CWR (not used anymore)
ECE (not used anymore)
URG urgent
ACK acknowledgement
PSH push
RST reset
SYN synchronizeing
FIN finish
CMM(I) levels (5 steps), aka
Capability Maturity Model Integration
I Rarely Develop My Own
1 Initial -undocumented and not consistent
2 Repeatable - some processes are repeatable, process might be strictly controlled
3 Defined - documented processes and standards
4 Managed - metrics used for performance measurement and process users are competent
5 Optimizing - focus on continuous improvement
SWMM
Authentication Header provides… (2)
provides integrity and non-repudiation
ABAC, often used in…?
Attribute Based Access Control
grants access based on attributes (often used in SDN’s)
network access server within RADIUS
is a client
ALE / SLE (formula)
ALE = ARO*SLE [Ale = A RO SlE]
SLE = AV * EF
SLE single loss expectancy
AV asset value
EF exposure factor
ALE = ARO * SLE
or
ALE = ARO * AV * EF
BCP high level processes (2 with 4 steps each)
SPAT
(strategy, provisioning, approval, training)
SICA
(scope, impact, continuity, approval)
Incident Response process (8 steps)
[Pathetic Dirty Rotten Mean REPublicans RECruit REMarkable Losers]
preparation
detection, search for indicators, declaration of incident
response, (initial response, contain damage)
mitigation, (eradicate threat actor, determine details of attack and how to mitigate and perform mitigation)
reporting,
recovery, (restore full functionality of business process)
remediation, (prevent future incidents)
lessons learned (continuous improvement)
PASTA steps (7)
Process for Attack Simulation and Threat Analysis
Pasta, It’s a bowl of alphabet soup
DO DTS ADA TA VA AMS RAM
(determine objectives,
define tech scope,
application decomp analysis,
threat anal,
vulnerability anal,
attack modeling simulation,
risk anal mngmt)
SAMM Elements (5), Each element has 3 security practices
Software Assurance Maturity Model - from OWASP focused on secure software development
Business functions:
[Giving Developers Incentive Via Offers]
Security practices
SPE, TRA, BDD, ART, IEO
Governance, (strategy / metrics, policy / compliance, education / guidance) SPE
Design, (threat assessment, security requirements, secure architecture) TRA
Implementation, (secure build, secure deployment, defect management) BDD
Verification, (architecture assessment, testing driven by requirements, security testing) ART
Operations (incident management, environment management, operational management) IEO
Application attack types (4)
RoBBoT
Rootkits
Buffer overflow,
Backdoors,
TImeofchecktotimeofuse TOCTOU (asynchronous attack)
Auditing activities (8)
A DAM LIAR
(alarm triggers,
data reduction,
analysis of logs,
monitoring,
logging,
IDS,
alert usage,
review of logs)
Authorization mechanisms (7)
IAACCCC (implicit deny, ACL, ACM, capability tables, constrained xfaces, content, context)
COBIT elements (6)
GOD HO ST GOS TA EN
(GOvernance is Dynamic,
HOlistic approach,
STakeholder value,
GOvernance Separate from mgmt,
TAilored to entity,
ENd to end)
Computer Crimes (6)
[The Mother Fuckers Better Takeoff Running]
(terrorism,
military,
financial,
business,
thrill,
revenge)
Control Classification (7)
CCDDDPR
(corrective,
compensating,
detective,
deterrent,
directive,
preventive,
recovery)
Data Classification Criteria (9)
DATa LIVe SUM
(disclosure damage,
age,
timeliness,
lifetime,
implications of disclosure to business or national security,
value,
storage,
usefulness,
modification damage, )
Elements of Cable Plant (5)
BEETH
(Backbone distribution,
Entrance facility,
Equipment room,
Telecommunication room,
Horizontal distribution)
Evaluating access control attacks involves what 3 total risk related things
VAT
(vulnerabilities,
assets,
threats)
Halon subs (8)
FF AI CLAN
(FM200,
FE13,
Argonite,
Inergen,
CEA410/308,
Low pressure water mist,
Aragon,
NAFSIII)
Memory addressing methods (5)
BIRDI
(base+offset,
immediate,
register,
direct,
indirect)
Processing States (5)
RRSSW
(ready,
running,
supervisory,
stopped,
waiting)
Sabotage prevention (4)
CAMO
(compensation / recognition of excellence,
auditing,
monitoring,
open communication)
Symmetric Encryption Modes (7)
Symmetric Encryption Modes with IV (3)
Authenticated Modes (2)
which modes propagate errors (2)
ECCCCOG
ECB, electronic code book - block is always encrypted using only the key, a certain plain text will always result in same cipher text
CBC, cipher block chaining - unencrypted text is xor’d with block of cipher text resulting from previous block before encyption, first block uses IV or ECB of key, errors DO propagate
CFB, cipher feedback - streaming version of cbc using memory buffers instead of blocks, errors DO propagate
CTR, similar to ofb but uses counter increments instead of seed value to XOR plaintext, errors DO NOT propagate
CCM, counter with cbc - ctr with confidentiality mode (used only with 128 bit block lengths) uses a nonce which is changed with each transmission, results in authenticity added
OFB, output feedback - similar to cfb but instead of using previous block, it uses a seed value to XOR the plaintext, IV is used to create first seed value, no chaining, errors DO NOT propagate
GCM, galois / counter mode - ctr + authenticity controls by using authentication tags to encryption process
ECB should be used on short mesages only
With IV
CCO
(CBC,
CFB,
OFB)
Authenticated Modes: (authenticity added - all other modes only provide confidentiality)
GCM,
CCM
propagation of errs:
CBC
CFB
Threat ranking methods (3)
PD HML DREAD
(Probability X Damage Potential,
H/M/L,
DREAD)
Threat rating model criteria (5)
DREAD
(damage,
reproducibility,
exploitability,
affected users,
discoverability)
Virus propagation (4)
BI FI MI SI
Bootsector Infection,
File Infection,
Macro Infection,
Service Injection,
Security Models List mnemonic
Bill Belichik Loves Great Head Coaches Big Nose Tackles
(Bell-La Padula,
BIBA,
Lattice,
Graham-Denning,
HRU,
Clark-Wilson,
Brewer-Nash,
Non-Interference,
Take / Grant)
DEP, what does it mean, what does it do
data execution prevention - prevents damage from malware by not allowing execution in Windows reserved memory locations
Number of Symmetric keys required:
n(n-1)/2, where n = number of users
Number of Asymmetric keys required
2n, where n = number of users
Digraph Attack
frequency analysis with two letter combos
SOC Type 1
review of description provided by management, specific point in time
RFC 1087
Privacy
High Level Cyber Supply Chain Security Principles (3)
Cyber Supply Chain Security Principles:
Since it’s high level it’s the BIG picture
BIG (breaches happen so develop defenses for them, IT isn’t only concern, Gaps will exist between physical and cybersecurity)
Develop your defenses based on the principle that your systems will be breached. When one starts from the premise that a breach is inevitable, it changes the decision matrix on next steps. The question becomes not just how to prevent a breach, but how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach. Cybersecurity is never just a technology problem, it’s a people, processes and knowledge problem. Breaches tend to be less about a technology failure and more about human error. IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices. Security is Security. There should be no gap between physical and cybersecurity. Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.
divestiture security risks (5)
CA CA SP RC IP
Which security measures will be in place for Continuity of Access?
How employees will Access Business-critical applications and systems as the divestiture proceeds. (Critical App access)
The buyer’s and seller’s Security Policies. Are their policies compatible, or will additional training be needed before employees transfer to the new business unit?
Are there Regulatory and IT Compliance issues requiring additional training before the divestiture concludes?
Are there issues with Intellectual Property custody and protection as per the divestiture agreement or not covered by the agreement.
SAML, most commonly used to
It is more commonly used to help enterprise users sign in to multiple applications using a single login (i.e. provide sso for enterprise users)
PaaS vs CaaS
PaaS focuses on code stack infrastructure, while CaaS offers more customization and control over applications and services. Pay for a period of time, no matter what is used.
As a result, CaaS is better suited to emerging frameworks, such as microservices. Pay as you use. Timed use. CaaS must be started, stopped
blind [IP Address] spoofing, what is it, most effective for…, solutions (3)
Peaky blindER packets - to remember the solutions
A type of network attack where the sequence ACK numbers cannot be attained. Packets are sent to the target to obtain a sampling of the sequence numbers so that the attacker can generate a valid sequence number for the attack. Mostly used to attack older machines. Newer machines use random sequence number generation.
Solutions:
PER
use Packet filtering;
use Encryption on routers for inbound traffic; and
Reject packets with incorrect network origin.
non-blind spoofing, what is it, prevented by (3)
A type of network attack which occurs when the attacker is on the same subnet as the victim. The attack sniffs the sequence and ACK numbers and uses them to hijack the session.
Solutions:
You don’t have to be blind to give some EFS
enable Encryption on a router for outside connections
use ingress Filters on packets to filter inbound traffic
use Secure protocols to connect to other systems
Man-in-the-Middle attack (MITM), what is it, can be accomplished how (2), solutions (4)
A type of network component attack where the attacker intercepts communications between two trusted hosts. The attacker gains the ability to view and change the information sent, and to forward it undetected.
The attack can be accomplished using ARP cache poisoning or ICMP redirect.
Solutions:
MITM might SEEM like he’s not there.
SEEM
prevented by using Secure connections (HTTPS, SSL, TLS, VPN),
Endpoint detections,
Education
MFA,
MAC Flooding attack, what is it, prevented by (4)
A type of network component attack in which the attack is connected to a switch and “floods” the switch with a large number of different fake MAC address sources.
Prevented by:
Hey MAC, avoiding a flood is SIMPle.
Segmentation of network
IDS
MAC address filtering:
Port security
802.1Q and Inter-Switch Link (ISL) protocol attack, solutions (2)
type of network component attack. It is a tagging attack that occurs when a user on a VLAN gets unauthorized access to another VLAN.
Solutions:
ISL (I Still Love) D FC (Deep Fried Chicken)
Dynamic Trunking Protocol (DTP) on all non-trusted ports
Following Configuration guidelines for the switch.`
Double-Encapsulated 802.1.Q nested VLAN attack
remember this one as it’s Nested which is starts with the same letter as Native
A type of network component attack where an attack can cause traffic to hop VLANS by injecting packets that are double-tagged in an 802.1Q VLAN.
Clear the native VLAN from all 802.1Q trunks or pick an unusual VLAN as the native VLAN.
ARP Cache Poisoning, solutions (5)
A type of network component attack where an attacker can send spoofed ARP messages in to a LAN, causing the ARP cache to associate the target’s IP address with the attacker’s computer. All packets meant for the target will then be sent to the attacker. ARP is the protocol used to map an IP address to the physical MAC address.
Prevented by:
Use your PENUS to plug the ARP Cache poison and penus both start with p
Physical Security
Encryption
Network segmentation / isolation
Using switch security / or DAI (dynamic arp inspection)
Static ARP table
ping of death attack, 3 solutions
A type of ICMP network, Denial of Service (DoS) attack on a computer that involves sending malformed or oversized IMCP packets to a target. Hackers send several oversized packets, which can cause the victim’s system to be unstable at the least, and possibly freeze up.
Prevented by:
Death starts with D… CBA, also it’s one of the oldest attacks so should be easy as…
ABC
avoid legacy equipment and patching
block incoming icmp
checks to packet reassembly process to prevent large / malformed packets
Smurf attack, solution, equipment note
U in smurf indicates UDP is used.
Smurf’s must be disabled from broadcasting ip addresses at each router and firewall.
A type of ICMP, DDoS, network attack. The attacker sends a large amount of UDP echo traffic to an IP broadcast address, all of it having a fake source address, which will be the target of the system. As a DDoS attack the target system is flooded with spoofed ICMP packets.
Prevented by:
Smurfs is an old broadcast
disable IP broadcasting addresses at each network router and firewall.
Older routers are likely to enable broadcasting by default, while newer routers will likely already have it disabled
Fraggle Attack, what is it, what kind of traffic is used, what ports are used, solutions (4)
A type of ICMP network, DoS attack attacker sends a large amount of UDP traffic to ports 7 (Echo) and 19 (CHARGEN)
Solutions:
watching Fraggle Rock on my FUTON is FAB ulous
FU TO NF AB
solutions:
Filtering UDP inbound
Turn off source address spoofing by router
configure routers to Not Forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets.[6]
Configure hosts and routers to ignore packets where the source Address is a Broadcast address;
ICMP Redirect Attack, is what type of attack, how does it occur, solutions (2)
A type of ICMP network attack and an example of a MITM attack.
A router sends an ICMP redirect request to a host when packets are routed via sub optimal paths, requesting the packets use the attacker’s machine as a a default route. The attacker will forward all the redirected traffic to a router so that the victim will not know that his or her traffic has been intercepted.
solutions:
turn off redirect on hosts or network equipment
IDS / IPS can prevent
ping scanning, aka, solution
A type of ICMP network attack that pings every IP address and keeps track of which IP address responds to the ping. This technique is also a basic network scanning technique used to map networks and can also be used to find networking devices.
(aka port scannning)
Prevented by blocking incoming ICMP
port scanning attack
A type of network attack that occurs in the form of probing the TCP services on a machine by establishing the initial handshake for connection. It allows an attacker to test for vulnerabilities on a target system. The scan pings every address and port number combination and tracks which ports are open on each device as the pings are answered by open ports with listening services and not answered by closed ports.
DNS Cache Poisoning, used to …, solutions (4)
DNS
U
Cache
E
A type of DNS attack where the attackers feed false information into the DNS cache. When the server refreshes its query, the attacker inserts his own access point in an attempt to harvest passwords from users through newly created fake website.
Prevented by:
DUCE
DNSSEC
Use most current version of DNS
Configure DNS servers to not rely on trusts with other servers
Education - don’t click links in emails
Distributed Denial of Service (DDoS) attack webservers, solutions (3)
A type of DNS attack that uses multiple compromised systems to send network traffic to a specific targeted system creating a Denial of Service (DoS) attack.
a MIC can unDENIALbly Distribute your voice
Mitigated by:
MIC
Monitoring network traffic volume
IDS / IPS
CDN
URL hiding attack, solutions (6), aka
A type of DNS attack that takes advantage of the ability to embed URLs in web pages and emails.
solutions:
Da BEEPS give you away when trying to hide
dmarc
browser security plugins
email gateways
education
proxy firewalls
sandboxing
aka: clickjacking
Bluesnarfing, solutions (3)
A type of wireless attack that is unauthorized access to a device using a Bluetooth connection. In this case the attacker is trying to access information on the device rather than send messages to the device.
Prevented by:
turn off bluetooth if not being used
have a long password if possible for bluetooth
turn off discovery when not needed
Bluejacking, what is it, solution
A type of wireless attack that happens when an unsolicited message is sent to a Bluetooth-enabled device for the purpose of adding a business card to the victims contact list. It can be prevented by putting the device into a non-discoverable mode.
Email spoofing, solutions (4)
A type of email attack where the sender addresses parts of the email with a header altered to appear as through the email originated from a different source. Since SMTP does not provide any authentication, it is easy to impersonate and forge emails. The email appears to come from one source when it actually comes from another.
Solutions:
SPF, DKIM, DMARC
Third party services
SYN ACK attack, 2 solutions, network layer
A type of cyber attack where a hacker takes advantage of the three-way TCP handshake, and spams the victim with SYN packet’s from a spoofed IP address. The victim responds with a SYN-ACK packet, but never gets a response. Eventually, it will reach its maximum number of uncompleted three-way handshakes and will refuse legitimate network connections.
Mitigated by:
In memory, SYNful pACKman eats cookies
limiting memory for syn / ack use
use of syn cookies
Layer 4 / Transport
SYN Flooding, what is it, solutions (4)
DoS attack where the attacker sends SYN packets to a single server, overwhelming the victim system and blocking access to legitimate traffic.
Solutions:
Flooding put out the fires of hell where the increasing backlog of half open souls is recycled into cookies for your SYNs.
FIReS
Firewall Filtering
Increase Backlog Queue
Recycling the oldest half-open connection
SYN Cookies (will lose some details but not enter DoS state)
teardrop attack, 2 solutions
A type of cyber attack that is a process in which a hacker sends malformed fragments of packets that when reassembled by the receiver, cause the receiver to crash or become unstable.
Solutions (Fucking Pussy, for crying)
Mitigated with firewall / IDS / IPS
patching also helps prevent
IP Address Spoofing, prevented by (4)
The spoofing happening here must FADE.
A type of cyber attack that hackers use to hide their trail or to masquerade as another computer in which they alter the IP address as it appears in the packet.
Prevented by:
FADE
using Firewall
Authentication of all IP addresses
DNSSEC
Ip Encryption
session hijacking attack, how does it work, solutions (3)
Don’t SIT, hijacking!
A type of cyber attack where an intruder exploits a valid computer session to gain unauthorized access to the system. The attacker places himself in the middle of an active conversation between two computers, for the purposes of taking over the session of one of the two computers, thus receiving all data sent to that computer.
TCP session hijacking takes advantage of predictable TCP sequence numbers
Mitigated by:
SIT
Strong session managment (rotating keys, preventing predictable sequences, enforcing session timeouts)
IDS / IPS
Token based authentication
TKIP attack, Parking Lot attack, and shared key authentication flaw, krack attack, solutions
types of attacks on wireless networks.
solutions:
tkip - upgrade to wpa2 enterprise ccm / wpa3
parking lot attack - ensure wireless signal is not too strong
key authentication flaw - upgrade to wpa2 / wpa3
krack attack - enforce strong key management
SQL Injection, what is it, if successful what can it allow (5), solutions (4)
A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
A successful SQL injection exploit can:
FORMA
Read sensitive data from the database,
Modify database data (Insert/Update/Delete),
execute Administration operations on the database (such as shutdown the DBMS),
recover the content of a given File present on the DBMS file system and
in some cases issue commands to the Operating system.
Mitigation:
DIPS
Parameterized sql statements / queries
secure Stored procedures
Input validation, input list validation
Do not use escaping for user supplied data whenever possible
Salami attack, what is it, solutions (4)
A salami attack is a cybercrime that attackers typically use to commit financial crimes. Criminals steal money or resources from financial accounts on a system one at a time. This attack occurs when several minor attacks combine to form a powerful attack. Because of this type of cybercrime, these attacks frequently go undetected.
Mitigation:
I PAID for that salami.
Periodic audits
Anomaly detection (many small transactions going to one account)
integrity checks
Data validation
CMMI, what it is, 6 stages and the stage definitions
Capability Maturity Model Integration (aka CMM) - if hiring an outside development firm, can ask if they’ve been CMMI certified
I,I Might Die Questioning Others (IMDQO)
Incomplete (0) chaotic or ad hoc
Initial (1) no effective management, no assurance of consistency or quality
Managed (2) formal structure for change control and QA, repeatable processes
Defined (3) formal procedures carried out in all projects, ability to be proactive
Quantitatively Managed (4) metrics in place and used for self-improvement
Optimizing (5) budgeted and integrated plans for continuous process improvement, can respond quickly to changes
Stateful filtering/inspection firewall, what is it, aka, characteristics (5), weaknesses (1)
a stateful firewall is a network-based firewall that individually tracks sessions of network connections traversing it. Stateful packet inspection, also referred to as dynamic packet filtering,[1] is a security feature often used in non-commercial and business networks.
Characteristics:
state of pennsylvania (chili peppers lyric) is where we find the
SHS CoW Pie (o not used)
State table
High security without performance degrading
Scalable
provides data for tracking Connectionless traffic
stores and updates state / context of data Within packets
Weaknesses:
susceptible to DoS attacks (filling state table)
packet filtering firewall, what is it, advantages (3), weaknesess (4)
inspects packets transferred between computers. The firewall maintains an access-control list which dictates what packets will be looked at and what action should be applied, if any, with the default action set to silent discard
packets inspected by SAH ALUF
advantages:
Scalable
not Application dependent
High performance
weaknesses:
cannot prevent Application vulnerabilities from being exploited
Limited logging
do not support advanced User authentication
may not detect packet Fragment attacks
enterprise security architecture, definition, steps (5)
Bo Bacardi (BA RA RC DI) is our enterprise security architect.
an integrated and comprehensive strategy for protecting the organization against cyber threats
BO BA RA RC DI
Identify Business Objectives, goals and strategy
Identify Business Attributes that are required to achieve those goals
Identify all the Risk Associated with the attributes that can prevent a business from achieving its goals
Identify the Required Controls to manage the risk
Define a program to Design and Implement those controls
program to design and implement Enterprise Security Architecture controls (4 high level steps)
Architecture is usually the top level and the top is sometimes known as the Capo.
CA PA CAMP OA
define Conceptual Architecture for business risk
define Physical Architecture and map with conceptual architecture
define Component Architecture and Map with Physical architecture
define Operational Architecture
SABSA, what does it mean, what is it - tool for aligning … … with … … and each layer increases … and decreases … (… to …), matrix axes description x (6) y (6), SABSA success factors (4)
Sherwood Applied Business Security Architecture - tool for aligning security architecture with business strategy; each layer increases detail (Y axis) and decreases abstraction (policy to implementation)
Matrix
there’s AMPPLe Time on the SABSA Primay CLOCC
X axis: Assets (What), Motivation (Why), Process (How), People (Who), Location (Where), Time (When) (AMPPLT)
Y axis: Contextual, Conceptual, Logical, Physical, Component, Operational (P CLOCC)
SABSA is SABEPESE
SA BE PE SE
Strategic Alignment - business drivers and regulatory requirements met by security architecture
Business Enablement - core business processes are integrated withing the security operating model, standards based + risk based (can do new things)
Process Enhancement - integrating security components into business processes (can do things better)
Security Effectiveness - measured by security assessments
ISMS vs ESA
ISMS - (Information Security Management System) specifies the components of the security program
ESA (Enterprise Security Architecture) - specifies how the components of the security program relate to the general business architecture and how the components are integrated in the business environment and is part of EA (enterprise architecture)
NIST 800-39, subject, 3 tiers, what type of models are applicable (1)
Hitler mad ‘39 a difficult time to manage information security risks
Managing Information Security Risk
3 Tiers:
Organizational view
Mission / Business view
Information Systems view
Trust models
encapsulation occurs in what layers of the OSI model
occurs in level 1-4
ISRM (9 principles)
Information System Risk Management
Should address:
RR CORK CAP (risk reward cork cap)
formal process of Risk identification
approach of changing staff behavior / resource allocation in Response to risk analysis
Connection between ISRM policy and strategic planning
Objectives of ISRM team
Responsibilities of ISRM team
KPI’s
mapping of risk to internal Controls
Acceptable level of risk
mapping risks to Performance targets / budgets
RM Team, goal, 10 principles
Goal: Organization is protected in a cost effective way
Principles:
The risk management team’s goal is to protect the organization in a cramped mine.
CRAMPED MINe (e not used)
mapping of legal / regulation Compliance to controls
appropriate Resources / fund allocation
security Awareness training
ability to establish risk Mitigation in specific areas as necessary
Procedures to identify and mitigate risks
Establish risk acceptance level
Documented risk assessment process
development of Metrics / KPI’s
Integration of ISRM and change control process
ability to identify and assess New risks
RM Process overview NIST-FARM, 12 sub tasks
FARM PACT TR REDI SM
Frame risk: PACT
Priorities
Assumptions
Constraints
Tolerance
Assess risk: TR
Threat and Vulnerability Identification
Risk Determination
Respond to risk: REDI
Risk Response Identification
Evaluation of Alternatives
Risk Response Decision
Implementation of Response
Monitor risk: SM
Risk Monitoring Strategy
Risk Monitoring
risk analysis goals (4)
a risky goal is to skip BAIL
provide economic Balance between threat impact and cost of countermeasure / control
identify Assets and value of assets
determine the business Impact of threats
determine Likelihood a threat exploits a vulnerability
assigning value to assets considerations (10)
MOOR MULA AI
Maintenance cost
Operational losses without the asset
value to Owners / users
Replacement cost
Market value
Userfulness to organization
Liabilities if asset is compromised
Acquisition cost
value to Adversaries
Impact to brand / reputation if asset is lost
NIST 800-30, subject, High Level Steps (4), categories of threat events (8), Conducting Risk Assessment (5 steps)
Guide for Conducting Risk Assessments
Focuses on computer systems and IT security
30 days after assessing the risk, People Can Count Money from ART CRIME. You’ll have 2 eyes (I’s) popping on tripple d’s but TV could be LIaR
High Level Steps:
People Can Count Money
Prepare
Conduct
Communicate
Maintain
Categories of Threat events:
ART CRIME
Attack
impact / Results
Tools of attack creation
Coordinate campaign
Reconnaissance
malicious capability Insertion / delivery / Installation
Maintain presence / capabilities
Exploit / compromise
Steps:
guys under 30 have 2 eyes (I’s) popping on tripple d’s but TV could be LIaR
identify Threats
identify Vulnerabilities
determine Likelihood of occurrence
determine Impact magnitude
determine Risk
FRAP, what is it, intended for … a … … / …, based on experience of … …, not …
Facilitated Risk Analysis Process
Intended for evaluating a single entity / system
Based on experience of team members, not calculations
OCTAVE, what does it mean,
… percent of consequences come from … percent of the causes, intended for … …,
… and focused on …
8 steps (3phases)
Operationally Critical Threat, Asset and Vulnerability Evaluation (Carnegie Mellon U)
80 percent of consequences come from 20 percent of the causes
Intended for Information Security
Qualitative and focused on speed
Steps:
EOS S MIRS
E Octave Sounds Simply Melodic In Rhythmic Songs
Phase 1
identify Enterprise Knowledge
identify Operational Knowledge
identify Staff Knowledge
Phase 2
establish Security Requirements
Phase 3
Map High-priority information assets to Information Infrastructure
perform Infrastructure Vulnerability evaluation
conduct Mulidimensional Risk analysis
develop Protection Strategy
FMEA, what is it, used for (4), goal, uses … … and … .., steps (5)
Failure Modes and Effect Analysis
The failure of PRO’S shows Bad Info Fouls Credible Reports
used for:
PRO’S
Product development,
assurance Risk management and
Operational environments,
first developed for Systems engineering
goal: identify most likely failure and fix possible causes or reduce impact of break
uses failure modes and effect analysis, due to the depth it is usually only performed on critical functions
application of method to chronic failure enables the determination of the point where failure is most likely
steps:
BIFCR (Bad Info Fouls Credible Reports)
BD IF FE CD RA (Bad devices, I find, fail eventually causing destruction right away)
Block Diagram of system / control
consider Impact of Failure for each block
table with Failures and their Effects
Correct Design of system
have engineers Review Analysis of the failure modes and effects
NIST 800-161
theirs 161 links in our supply chain
Supply Chain Risk Management Practices
Create supply chain map
external control evaluation examples (5)
FDIPS
US Federal Risk and Authorization Management Program (FedRAMP)
US DOD Cybersecurity Maturity Model Certification (CMMC)
ISO 27001 certification
PCI DSS certification
Service Organizational Control (SOC1 or SOC2)
BCM definition, lifecycle (5 phases)
Business Continuity Management - holistic management process covering BCP and DRP
Lifecycle:
PADIV
continuity is similar to persistence
Persistent Actions Don’t Involve Variability
Policy / Program management
Analysis - BIA and Risk Assessment
Design
Implementation
Validation - using TTE
3 high level categories of business controls (not CIA)
TAP
Technical
Administrative
Physical
CCPA, what does it mean, what does it apply to (2 + 1 of 3, 1 with 1 other), 1 other note
California Consumer Privacy Act (2020)
PII = first name, last name + (SSN or DL# or CC# with PIN)
Has been copied by many different stats
Data types protected by GDPR (17, W includes 4), Key Provisions of GDPR (6)
SHIPP RT WE BANG
Sexual Orientation
Health
ID numbers
Political
Phone
Religious
Trade Union
Web Data (LICE - location, IP address, cookies, email)
Ethnic
Biometric
Address
Name
Genetics
DF CRIP
Data Protection Officer (DPO)
right to be Forgotten
Consent
data breach Reporting (72 hours)
right to be Informed
right to restrict Processing
ISO 27005, what is it, should be used with…, steps (6), risk treatments (4)
Even in 27005, Crime Is Ever Evolving TREAT As-such and treat risk. What’s the MATA?
Risk treatment (differs from NIST RMF in that risk communication is also an additional process where in NIST RMF it’s only implied)
Should be used with ISO 27001 security program
Steps:
C I E E T A (Crime Is Ever Evolving Treat As-such)
Context Establishment
risk Identification (risk analysis + assessment)
risk Estimation (risk analysis + assessment)
risk Evaluation (risk assessment)
risk Treatment
risk Acceptance
risk treatments:
MATA
Mitigate
Accept
Transfer
Avoid
FAIR framework, what is it, focuses on … measurement of … of incidents and their … , why it’s unique, focus not on … threats but … threats
Factor Analysis of Information Risk framework - focuses on precise measurement of probabilities of incidents and their impacts
Only international standard that is quantitative
Focus not on possible threats but probable threats
NIST RMF, which publications make it up (3)
consists of 800-30, 800-37 and 800-39
NIST 800-53
catalog of controls and how to select them to protect US Federal systems, has 20 families of controls and 1000+ controls in those families
COBIT 2019
business framework for IT enterprise management (ISACA)
DoDAF, focus on 7 things
US DoD Architecture Framework - ensures interoperability to meet military goals
Focus on:
IRS is part of US gov
4 C’s IRS (irs all end in nce)
Command
Control
Communications
Computers
Intelligence
Surveillance
Reconnaissance
Risk Frameworks (4)
FONI
NIST RMF
ISO 27005
OCTAVE
FAIR
Security Control Frameworks (3)
there is 2 c’s and 1 n in “security control”
NIST 800-53
CIS Controls
COBIT 2019
Enterprise Architecture Frameworks (4)
ZTDS
Zachman - taxonomy
TOGAF - The Open Group Arch. Framework
DoDAF - Dept. of Defense Arch. Framework
SABSA - Sherwood Applied Business Security Architecture
NIST Cybersecurity Framework (CSF) activities (5), tiers (3), what does each tier mean
Industrious Physiques Don’t Ruin Reputation, Causing Imaginary Problems
Activities:
IPDRR
Identify
Protect
Detect
Respond
Recover
Tiers:
CIP
Framework Core - applies to all organizations
Implementation Tiers - categories of rigor / sophistication
Framework Profile - describes the state of organization in regards to categories
CIS Controls, how many families, how many subcontrols, categories (3), implementation groups and what type of org for each (3)
Framework with 20 families of controls and 171 subcontrols
Control Categories:
Basic - should be implemented in every organization
Foundational - best practices
Organizational - focus on people and processes
Implementation Group 1 - SMB’s
Implementation Group 2 - Large organizations with an IT security department
Implementation Group 3 - Large organizations with security experts in different specialty areas
ITIL, what is it, dimensions (4)
Information Technology Infrastructure Library - framework to combine business and IT processes
4 dimensions:
VOIP
Value Streams and Processes
Organizations and People
Information and Technology
Partners and Suppliers
data classification procedure (9 steps)
DSOCCETRA (Dont separate otherwise classified categories even to raise awareness)
Define classification levels
Specify classification criteria
identify data Owners responsible for classifying data
identify data Custodians responsible for maintaining data and classification level
indicate security Controls
document Exceptions
methods for Transferring custody / ownership
Review procedures for classification / ownership / custody declassification
security Awareness for the above
NIST 800-88
guidelines for media sanitization
NIST 800-111
Guide to storage encryption
NIST 800-82, 7 recommendations
guide to industrial control systems (ICS),
in ‘82 I became an adult in industrial society and now have to follow adult people rules
AP RULES
monitor Audit trails regularly
ensure process for Patch management
apply Risk management to ICS
disable Unneeded ports / services on all ICS devices
implement Least privilege
use Encryption when possible
Segment network to allow IPS/IDS within subnet boundaries
NIST 800-190, 4 recommendations
Application Container Security Guide
TVOG
use container-aware defense Tools (e.g. IPS)
adopt container-specific Vulnerability management tools
use container specific host O/S
only Group containers with same purpose, senstivity and threat postures on the same O/S
cryptosystem definition and components (4), cryptosystem services (5)
all needed components to allow encryption
components:
paks
protocols
algorithms
keys
software
services:
ciaan
confidentiality
integrity
authentication
authorization
nonrepudiation
symmetric encryption provides, does not provide (2)
confidentiality, does not provide authenticity or nonrepudiation
NIST 800-57
Key management
you need a key for a 57 chevy
Lockheed Martin Cyber Kill Chain, attack stages (7), Defender actions (6), goals (2)
Attacker Stages:
Real Wars Don’t Ever Indicate Course of Action (RWDEICA)
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command / Control
Actions on Objective
Defender Actions: (5D’s + C)
Deceive
Degrade
Deny
Detect
Disrupt
Contain
Goals:
Identify indicators of attack stages
Defender Actions taken earliest
opportunity is best
MITRE ATT&CK Framework, 14 tactics
Adverserial Techniques Tactics & Common Knowledge
14 tactics have techniques and sub-techniques used by threat actors:
ICED CLoCk DRIPPER (ok to not use ok)
Initial Access
Credential Access
Execution
Defense Evasion
Collection
Lateral Movement
o
Command and Control
k
Discovery
Reconnaissance
Impact
Persistence
Privilege Escalation
Exfiltration
Resource Development
11 Secure Design Principles
DFKLN PSSST Z
Defense in Depth
Fail Securely
Keep it Simple
Least Privilege
Need-to-know
Privacy by Design
Shared Responsibility
Separation of Duties
Secure Defaults
Trust but Verify
Zero Trust
physical security goals (5)
DDDAR
deterrence
delaying
detection
assessment
response
developing physical security steps (10)
I don’t really recommend drawing protective curtains closed in morning
(IDRRDPCCIM)
Identify team
Define scope (site vs facility)
Risk analysis
Regulatory / legal requirements
Define acceptable risk level
Performance baselines based on risk levels
Countermeasure performance metrics
Criteria for physical security goals
Identify and implement countermeasures
Monitor for performance and changes
Fire classes (5), fire combustion element - suppression agent (4, matched with element)
A - common combustibles
B - liquids / gases
C - Electrical
D - metals
K - cooking oils
fuel - soda acid
oxygen - carbon dioxide
temperature - water
chemical reaction - FM-200
Class D address, types of addresses, ip4 vs ip6
224.0.0.0 to 239.255.255.255, multicasting addresses (IP4)
IP6 - addresses starting with 8 1’s
IGMP, what is it, what is it used for
Internet Group Management Protocol
used to report multicast group memberships to routers
802.1AE, what is it, what does it provide (3), what OSI layer, prevents … …, how does it work
tilt E to the right you get an M for MACsec
MACSec,
provides confidentiality, integrity and authentication
at layer 2,
prevents rogue devices,
checks each frame for ICV (integrity check value) and allows if valid
802.1AR, subject, specifies … per-device … and … binding, provides … device … , works with …
I gave my AR a…
secure device identity
specifies unique per-device identifiers and cryptographic binding, provides secure device provisioning, works with EAP-TLS
802.1AF
provides key agreement for session keys
well known ports range, definition of well known port
0 to 1023, standardized port for particular traffic
registered ports range, how they are used
1024-49151 can be registered with IANA for a particular use
dynamic ports range, aka, used for
49152-65535 can be used as needed (aka ephemeral ports)
IP6 packet size limit
4,294,967,295 bytes
6to4 tunneling, what is it, intersite vs intrasite
embeds IP4 addresses within IP6 addresses (intersite)
Teredo tunneling, what is it, uses … encapsulation so that … are unaffected, intersite or intrasite
temporary IP4 / IP6 solution
uses UDP encapsulation so that NAT are not affected (intersite)
ISATAP tunneling, what is it, intersite vs intrasite
Intra-Site Automatic Tunnel Addressing Protocol treats IP4 network as a virutal IP6 address (intrasite)
DHCP address assignment process 4 steps
Client -> DHCPDISCOVER -> DHCP Server
Client <- DHCPOFFER <- DHCP Server (with IP Address)
Client -> DHCPREQUEST -> DHCP Server
Client <- DHCPACK <- DHCP Server (confirming IP address with validity period)
DHCP attacks list (5), solutions (2)
CMRSS
Compromise Client Configuration
MITM
Route traffic to unauthorized networks
DHCP Spoofing - configure fake DHCP servr on network
DHCP Starvation - flood DHCP server with bogus requests
Solutions:
enable DHCP snooping
port security
DHCP Snooping, ensures only valid … addresses receive … addresses from the … , can provide protection against … … servers
Security measure performed on a switch, ensures only valid MAC addresses receive IP addresses from the server (NOT AN ATTACK)
These switches also can provide protection against rogue DHCP servers
ICMP attacks (4 types), solutions (5)
CRaMP DD FISt
attacks:
CRaMP
can be used as a covert channel - attacker sets up an ICMP responder
can be used to redirect traffic (routers use icmp to determine best route,etc.)
can be used to map network (traceroute)
can be used for DoS
Solutions:
DDFIS
disable ICMP if coming from one of your on-network devices
disable icmp redirect (hosts)
firewall, block incoming icmp
IDS / IPS
Secure icmp redirect (accept only from default gateways)
Protect against SNMP attacks (4)
Change default community strings
Don’t use SNMP v1 or v2 (clear text community string)
Close ports 161/162 to untrusted networks
Filter ports 161/162 to only authorized endpoints / individuals
DNS attacks and mitigation, not mentioned elsewhere (3 each with a solution)
unauthorized zone transfer (update of dns information from one dns server to another) - allow zone transfers only on specific servers
poisoning dns cache or primary records - use DNSSEC
host file manipulation, don’t allow users to have admin access or access to host files
Routing Protocol Attack prevention (1)
enabling router authentication
OFDM, what is it, used in … (6)
Orthogonal Frequency Division Multi-plexing - uses modulated signals that are orthogonal (perpendicular) to each other in tighter frequency spreads, since signals are perpendicular, they don’t interfere with each other,
used in:
digital tv,
audio broadcasting,
DSL,
wifi and
4/5G wireless
DSSS, what is it, how does it work, uses what
Direct Sequence Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, uses all frequencies simultaneously using chipping code
FHSS, what is it, how does it work - takes the entire … and … it into smaller …, then … the … frequently, sender and receiver have … … synchronized, protects against …
Frequency Hopping Spread Spectrum - takes the entire spectrum and splits it into smaller subchannels, then changes the subchannels frequently, sender and receiver have hop sequence synchronized, makes eavesdropping harder if hopping sequence is unknown
chipping code definition, aka
allows receiver to reassemble transmission (aka pseudo-nonce sequence) in DSSS
802.16
WiMAX standard
802.11e
all traffic is not Equal
wireless QoS standard supporting multimedia trafic
802.11f
f for free-range wireless
addresses roaming / handoff for wireless networks
802.11h, what is it for, where developed, uses what two technologies
h - hell
subject: address wireless interference (wireless hell)
originally developed in Europe to address interference from other wireless activities using DFS (dynamic frequency selection) and TPC (transmit power control)
WEP deficiencies (4)
WSIL
weak authentication
static encryption keys
ineffective initialization vectors
lack of packet integrity assurance
802.11i what is it , improvements over WEP (5), WPA2 Enterprise adds
WPA2 (note WPA is just WEP on steroids)
Improvements:
STAMP
sequence numbers
TKIP - temporal key integrity protocol - each frame has a new key
AES encryption with CCMP
Message integrity checks
PSK size increased to 256 + salt of the SSID
WPA Enterprise adds 802.1X (port authentication and EAP)
802.11w, subject, provides protection from … and … attacks
to remember turn over w and it makes an m for management frame
Management frame protection (certain frames that can’t be encrypted) - protects from replay and DOS attacks
WLAN best practices (10)
DAV WU SWAMP
change Default SSID
put AP’s as close to middle of building as possible
VPN for wireless devices
implement WPA3
guest networks should connect to Untrusted VLAN
Separate VLANS for each class of users
deploy Wireless Intrustion Detection System (WIDS)
put AP in DMZ with firewall protection from wireless side
MAC filtering
Penetration testing
4G / 5G cellular networks require which multiple access technology?
OFDMA
IMSI catchers
International Mobile Suscriber Identity catchers - devices that can jam 3G / 4G / 5G signals and force devices down to 2G which does not have authentication between devices and towers, can be built for less than $1500
POODLE attack, originated in what year, why did it work
Padding Oracle On Downgraded Legacy Encryption - (originated in 2014) the attack worked because SSL allowed security downgrading for interoperability
TLS 1.3 handshake process (4 steps), cipher suites (5), … keys (like one time pad), what other versions of TLS are considered insecure and not deprecated until when, most features of 1.x were optional in 1.y
1Client Hello - list of cipher suites and protocols supported by client, client input for key exchange
2Server Hello - servers selection of cipher suite and protocol, server input for key exchange
3Server Authentication - server’s digital certificate, proof server owns the certificate’s private key
4Optional Client Authentication - client’s digital certificate, proof client owns the certificate’s private key
Supported Cipher Suites:
TLS_AES_256_GCM_SHA384 (best protection but highest resources)
TLS_AES_128_GCM_SHA256 (next best protection but next highest resources) - ideal for systems with hardware encryption support
TLS_AES_128_CCM_SHA256 - CCM is 16 bit similar to GCM
TLS_AES_128_CCM_8_SHA256 - CCM is 8 bit, better suited for embedded devices
TLS_CHACHA20_POLY1305_SHA256 - 20 rounds of ChaCha cipher combined with Poly1305 MAC - good for software based encryption
Other feature: ephemeral keys - similar to one time pad, only used once, provides forward secrecy (aka perfect forward secrecy) which is attackers could only decrypt a small portion if they got the key
most features of 1.3 were optional in 1.2
TLS 1.0 and 1.1 are insecure (but not formally deprecated until 3/2021)
ChaCha20 / Poly1305, provides … … key encryption
algorithms providing authenticated symmetric key encryption
AE, what is it, provides … and … (2) for … ciphers
AE is IN (integrity nonrepudiation)
Authenticated Encryption - integrity and non-repudiation for stream ciphers
AEAD, what is it, prevents…
Authenticated Encryption with Additional Data - present in TLS 1.3 to prevent replay attacks
PPTP, what is it? default port, works on, secure or not?
Microsoft’s point to point tunneling
protocol,
TCP port 1723
works on IP networks
(insecure)
L2TP, what is it, default port, works on (3), used for, provide encryption?
Layer 2 Tunneling protocol (current version 3) combination of Cisco L2F [Layer 2 forwarding] and PPTP
UDP port 1701(1 comes before 2 in l2tp)
works on IP, ATM, X.25,
by itself doesn’t provide much protection but integrates with protocols that do (e.g. IPSec) to provide confidentiality, integrity, authentication
used when PPP needs to be extended through another network
DOES NOT ENCRYPT
Why is PPP needed, what does it mean
Point to Point Protocol
line devices (e.g. routers) do not understand ip networks, but do understand PPP
Why is L2TP needed
extends PPP connections to be able to go through IP networks (which don’t understand PPP)
Gateway VPN’s, what are they, don’t need… (3)
VPN provided by connecting Gateways on each end, they don’t need PPP, L2TP, IPSec (LIP)
gateway vpn’s don’t need any lip, ok?
IPSec works at what layer, components (5) what do components provide, works on, used for …
works at network layer (layer 3)
AH - integrity, authentication, protection from replay attacks
SA - specifies security properties that are recognized by communicating hosts, allows for secure exchange of data
ESP - confidentiality, authentication, integrity, anti-replay (most secure part of ipsec)
ISAKMP - framework for SA and IKE
IKE - authenticated keying material for ISAKMP
works on IP networks only, LAN to LAN communication
used for g/w to g/w connections
TLS VPN’s what layer, 2 types, features (3), used to protect … application layer traffic
session (layer 5)
PT PEG
types:
PT
tls Portal vpn - accessed via web browser (with built in TLS) to connect to websites
tls Tunnel vpn - accessing non-web-based protocols / applications, usually needs custom programming to access through web connection
features:
PEG
Protects a small number of Protocol types, so not good for infrastructure-level VPN
Granular access control and configuration
Easy to deploy (already built in browser)
used to protect specific application layer traffic
REST, what does it mean, uses … to provide … to make … from … , creates a … where every … is a an … … , must use…, also needs … … (to make it secure)
Representational State Transfer architectural pattern
uses HTTP to provide API to make requests from servers, creates a language where every statement is a an HTTP URI
since it does the above, must use HTTPS
also needs input validation
WSS, what is it, enables … security, provides …, … and … through … … signatures and security …
Web Service Security, enables SOAP security, provides confidentiality, integrity and authentication through XML digital signatures and security tokens
DNS Tunneling what is it, solutions (3), what does not stop it
an attack using DNS to exfiltrate / infiltrate data
solutions:
RIM of tunnel
RIM
Rate limiting - capping DNS traffic per host
IDS / IPS
dns Monitoring tools
DNSSEC does not stop it
DNS reflection, what is it, solutions (4)
I see a BIRD in the reflection
DOS attack that uses open DNS servers to bombard a server with DNS queries, while spoofing source address
solutions:
bird
Block unsolicited dns replies
IDS / IPS
dns Rate limiting
DNS aware firewall
DNS amplification, what is it, how does it work, what DNS queries can be used (3), solutions (5)
DOS attack that uses open DNS servers to bombard a server with DNS queries that require much larger responses than the size of the query (DNS ANY, EDNS(0), DNSSEC)
Solutions:
DNS and Doctor both start with D
DR RL SIV LR MD (DR RL Silver, MD)
Disabling Recursion on authoritative name servers.
Rate Limiting
Implementing Source IP Verification on a network device.
Limiting Recursion to authorized clients.
Monitoring of DNS traffic
DNSSEC, what is it, provides (1), does not provide (2), digitally … groups of … records into … with an … record, drawbacks (1), think of it as a … … for DNS queries
set of standards developed to protect DNS record integrity (not confidentiality or availability)
digitally signs groups of DNS records into RRSets with an RRSig record
Also opens the possibility of DNS amplification attack
think of it as a digital signature for DNS
DoH, what is it, how does it work, provides … (2 related), does not provide (1), drawback (1)
DNS over HTTPS - sends DNS queries over HTTPS/TCP/IP instead of UDP providing confidentiality / privacy, does not provide integrity, but makes some DNS attacks harder to discover
DNS Filtering, how is it implemented
a web proxy that blocks DNS requests to known malicious domains
ESMTP, what is it, allows … to negotiate … sessions when … …
Extended SMTP allows servers to negotiate TLS sessions when sending mail (SMTPS)
POP what is it, what port(s), authentication capabilities
Post Office Protocol, POP3 is current, listens on port 110 or port 995 (POP3S using TLS)
110 ends in 0 POP has O
SASL authentication
IMAP what is it, what port(s), authentication capabilities
can remember port as 3 turned on left size makes an M in IMAP
Internet Message Access Protocol listens on port 143 / 993 (IMAPS)
143, 3 tilted on left side makes an M in IMAP
SASL authentication
SPF (email), what is it, what does it do
Sender Policy Framework, email validation to prevent email spoofing (forged emails)
DMARC, what does it mean, how implemented
Domain-based Message Authentication, Reporting and Conformance combines SPF and DKIM
Modbus
enables communications among SCADA devices (PLC’s)
VNI
Virtual Network Identifier - equivalent to VID in VLAN’s
Approaches to SDN (3)
Open - Open Network Foundation approach relying on open-source code and standards as the building blocks of a solution, uses OpenFlow a standard interface
API - Cisco claims that OpenFlow is insufficient to fully leverage SDN, can do deep packet inspection and manipulation, propietary approach that enriches ONF approach
Overlays - virtual overlay of physical network
synchronous vs asynchronous communication, 6 characteristics of both (how each: controls character separation, is used for, complexity / cost, error checks, overhead, type of data - framed vs stream)
asynchronous:
uses start / stop bits to separate characters,
typically used for unpredictable data transmission
simple, less costly
error checking using parity bits
each byte requires 3 bits (stop/start/parity)
framed data
synchronous:
uses timing to separate characters clock or signal,
typically used for large amounts of data in a predictable manner
more complex, costlier
robust error checking, CRC (cyclic redundancy check)
less overhead
stream of data
repeaters, bridges, switches, routers:
repeater … and … entire frame received, do not separate … or … domains
bridges can separate … domains
bridges do not separate … domains, switches do
bridges / switches … and can send to specific … addresses (if not a broadcast)
routers can send to specific … addresses, do not forward …
repeater amplifies and resends entire frame received, do not separate collision or broadcast domains
bridges can separate collision domains
bridges do not separate broadcast domains, … do
bridges / switches amplifies and can send to specific MAC addresses (if not a broadcast)
routers can send to specific IP addresses, do not forward broadcasts
802.1Q, subject, 3 sub topics
Qanon is a bridge leading from reality to fantasy RealM M
bridges
relaying and filtering frames on MAC addresses
maintenance of frame filtering / relaying decisions
management of listed elements
STP what is it, where used, what does it do, can also build…, assigns … (2), calculates…
spanning tree protocol, prevents frames from looping endlessly, used in bridges on up
also can build redundancy information
assigns unique bridge ID’s
assigns priorities
calculates path cost
SPB, what is it, vs. STP
shortest path bridging, more efficient than STP
802.1aq
the bridge over AQua water is the shortest path
SPB (shortest path bridging standard)
switches, are like…, prevents … and … issues, operates in … … that doesn’t compete for same …, basic switch OSI level, what other types are available, what does tagging do, why can they be faster than routers
is like a multi port bridge
prevents collisions and contention issues
operates in duplex mode that doesn’t compete for the same bandwidth
basic switches are layer 2, however layer 3 and 4 switches are also available, they read deeper into the data packets for decisions and tag data, the first switch a data packet encounters tag the data so any other switches can just read the tag instead of analyze the packet, last switch before destination removes the tag
since switches have ASIC chips processing at the hardware layer, they can be faster than routers which function on the software layer.
MPLS, what is it, use of … in switches, allows for faster … and … service requirements for different … … (…)
multiprotocol label switching, use of tags in switches, allows for faster routing and differing service requirements for different packet types (QoS)
proxy servers act as … (and can add …) between clients that want … to … and the … that provide the …
can provide … for frequently requested data - reduces …
act as intermediary (and can add controls) between clients that want access to services and the servers that provide the services
can provide caching for frequently requested data - reduces latency
POTS:
SS7 (PTSN), what is it, when developed
SSP (PTSN), what does it mean, what is it
STP (PTSN)
SCP (PTSN), what does it mean, what is it
PTSN main components (3)
Signaling System 7 , developed in 70’s, protocol used by PSTN to connect calls
Signal Switching Point - a point belonging to the telephone company where your phone is connected
signal transfer point in telephone companies which allows phone calls to be made
sCp - c for cell phones
service control point - signaling which allows PTSN to connect to mobile numbers
STP, SSP, SCP
H.323, what is it, 4 components and their functions
VOIP standard for voice and video calls
4 components:
TGMG
terminals - endpoints such as phones, video conferencing equipment
gateways - interface H.323 with non H.323 networks
MCU - multipoint control units, allow 3 or more conferences
gatekeeper - provides call control services
SIP, what is it, components (2), process (6 steps), what does SIP do
Session Initiation Protocol
UAC - user agent client, places calls
UAS - user agen server, connects calls
process:
Isn’t Open Always Ring Bell Once
IOARBO
INVITE (trying, ringing)
OK (after answer)
ACK
RTP voice call
BYE (after hangup)
OK
SIP does not carry the call only the signaling to start / end calls, call carried by RTP
SIP architecture components (3)
be a siPRR
Proxy Server - relay packets between UAC and UAS
Registrar Server - store locations of users on network
Redirect Server - allows users to change locations and still get calls
RTP / RTCP, what are they, what do they do, what OSI network layer for each
RTP (Real Time Protocol) - used for streaming call data (transport layer)
RTCP - (Real Time Control Protocol) used to control RTP (session layer) and provide QoS data
Meeting Application precautions (8)
we’ll work on the case in the meeting
CASE WURK
don’t use Consumer-grade products
use AES256 bit encryption where possible
restrict participant screen / camera Sharing as appropriate
control access to Each meeting
enable Waiting room feature (prevent zoom-bombing)
keep software Updated
don’t Record meetings unless necessary or low risk
know how to Kick-out unwanted participants
EAP variants (top 10)
TIPT MG FAGS
EAP-TLS - considered one of most secure, uses digital certificates
EAP-IKE2 - provides mutual authentication, can be used with symmetric or asymmetric keys
EAP-PSK - preshared keys
EAP -TTLS - tunneled TLS, only server requires key
PEAPv0/EAP-MSCHAPv2 - only requires server certificate
PEAPv1/EAP-GTC - Cisco variant using Generic Token Card
EAP-FAST - Cisco variant, flexible authentication via secure tunneling
EAP-AKA - authentication key agreement (UMTS Universal mobile telecom systems) using USIM
EAP-GSS - generic security services (kerberos)
EAP-SIM - uses SIM (subscriber identity module)
Socket, what OSI network layer construct, components (5)
To secure sockets (5 recommendations)
layer 4 (transport) construct defined by:
source address
source port
destination address
destination port
protocol (tcp or udp)
a socket is the SAME As an ip address and port combination
SAME A
use Segmentation
apply ACL to block every connection except those authorized
Map every authorized socket
where possible Encrypt channel
Authenticate requests
NIST 800-63B, subject, guidelines for passwords (3)
63 and earlier I only had a digital identity 8/64 AD parents had first anniversary
digital identity guidelines
passwords:
8-64 characters
allow special characters (but not require)
disallow password hints
Core RBAC characteristics (5)
a RoBe or A MUMU can be worn
AMUMU
Accommodates Robust group-based access control,
Maps to Security policy,
Uses a Session as a mapping,
Many to Many relationship among users and privileges,
Uses Other information than user ID and credential for access decisions
Hierarchical RBAC, maps to … structures and … delineations,
an … of rights and permissions can occur,
… … (allows only one level to be …) or
… … (allows more than 1)
… separation of duty - two roles have no shared …
… separation of duty - two roles may have shared …, but users can’t assume … simultaneously
maps to organizational structures and functional delineations,
an accumulation of rights and permissions can occur,
limited (allows only one level to be inherited) or
general hierarchies (allows more than 1)
static separation of duty - two roles have no shared principles
dynamic separation of duty - two roles may have shared principles, but users can’t assume both simultaneously
RADIUS vs TACACS+, differences in: encryption, authentiction / authorization / auditing treatment, protocol the work over, authenticaion process, good for…, similarity
Radius does not encrypt all data (unless used with TLS)
TACACS+ encrypts all data
RADIUS combines authentication and authorization
TACACS+ separates authentication / authorization / auditing (or accounting) in ture AAA architecture
RADIUS only works over PPP
TACACS+ works over many protocols such as Apple talk, NetBIOS and IPX
RADIUS - single challenge and response
TACACS+ each AAA activity must be authenticated
RADIUS - good for simple accept or deny situations
TACACS+ - good for more sophisticated implementations
both are just protocols
Diameter, builds on …, base protocol provides … …, has … built on base to allow … with different technologies, compatibility with radius, AVP’s compared to radius
builds upon RADIUS
base protocol - provides secure comms
extensions - built on top of base to allow functionality with different technologies
not directly compatible with RADIUS but has upgrade path
has 2^32 AVP’s (attribute value pairs) compared to RADIUS (2^8)
if a company is providing an SOA to other organizations, it needs what markup languages (2) and protocol
XACML, SAML and SOAP
if a company is providing access to employees of another company’s SOA it needs what markup language
SAML
penetration testing steps (5), knowledge types (3)
Steps:
Does Everybody Vicariously Enter Reality
DEVER
Discovery
Enumeration
Vulnerability mapping
Exploitation
Report
knowledge types
zero
partial
full
ISO 27004, subject
4 things for info sec
MAME
Monitoring, measurement, analysis and evaluation of Information Security
6 characteristics of useful security metrics 5 general characteristics of metrics
QARRCS
quantifiable - objective measurement
actionable - leads to improvement
robust - relevant over time
relevant - aligns with goals
comparative - can be evaluated against other metrics, baselines or standards
simple - easy to understand
SMART
specific
measurable
achievable
relevant
time-bound
Types of metrics (3)
Risk (strategic)
Preparedness (for security incidents - operational)
Performance (tactical)
KPI definition and process (5 steps)
key performance indicators - where we are in relation to goals
Fast Breaking Performance Always Counts
FBPAC
Choose Factors that show state of security
Define Baselines for factors
Develop Plan for capturing factor values
Analyze and Interpret data
Communicate Indicators to stakeholders
Key Administrative Processes to Monitor (6)
ASS BAM
security Awareness training
Security training
Suspending accounts
Backup verification
Adding accounts
Modifying accounts
social engineering definition / types (14)
manipulating a person to take an action to assist in a violation of a security policy
Types:
BBD HPP QSSS TV WW
baiting - offering something of perceived value
blackmail - threatening to expose secret information
diversion theft - having something of value sent to an unintended destination
honey trap - fake romance
pretexting - simulating a situation
phishing - fake email
Quid pro Quo - promising reward for doing something (aka Tech Support Attack)
SMS phishing / whaling - like phishing / whaling using SMS (aka smishing)
scareware - fake virus alerts
Spear phishing - like phishing only with a particular target in mind
tailgating / piggybacking - unathorized individual following somebody to secure area
Vishing - like phishing using phone (voice phishing)
whaling - fake email to executives
watering hole - capturing user credentials at a legitimate site
OEP (physical security), what does it mean, used to ensure…
occupant emergency plan - used to ensure safety of personnel during emergencies
Elements of Mature SOC, technology (3), people (4), internal components / processes (5)
Technology:
EDR
NDR
SIEM
People:
TTII
Tier 1 Analyst - monitor alerts, eliminate false positives
Tier 2 Analyst - deeper analysis of alerts
Intelligence Analyst - investigate items passed by Tier1/2 analysts
Incident Responder - contain, eradicate threats
Processes:
SOCks and podiatrists concern feet
podiatrists prevent bunion pain gout
Policies
Procedures
Business
Partners
Government
Threat Intelligence characteristics (4) and cycle (4)
CART ‘R CAD (if you’re from Boston)
Characteristics:
CART
Complete - enough to detect / prevent the threat from actualization
Accurate - factual / error free
Relevant - useful to detect / prevent the threat from actualization
Timely - performed fast enough to impact damage
Cycle:
RCAD
Requirements
Collection
Analysis
Dissemination
CMF, what does it mean, what is it used for, data sources (3)
Collection Management Framework - collecting relevant data, organizing and analyzing the data
Data Sources:
Third-party Feeds (generally proprietary)
Open-Source INTelligence [OSINT] (free)
Internal Sources - logs, alerts, etc.
Prevention / Detection Process (5 steps)
detecting radio waves with my RCA SIMulator
R C C C A
S I M
Risk analysis
Control Selection
Control Implementation
Configuration Management
Assessment
TCP States (11)
LoSSeS RarE oFF CoW C LA ToW c
L SS SR E F1 F2 CW C LA TW c
LISTEN
SYN-SENT
SYN-RECEIVED
ESTABLISHED
FIN-WAIT1
FIN-WAIT2
CLOSE-WAIT
CLOSING
LAST-ACK
TIME-WAIT
CLOSED (fictional)
proxy firewall, what is it (4 items), two types, advantages (3), disadvantages (3)
HUBS
Hides true source of data from untrusted network
Used between trusted and Untrusted networks
Breaks communication channel (no direct connections)
Starts new communication Sessions between sender and receiver on the sender’s behalf
Types:
circuit-level proxy (on lower OSI levels - up to session layer) - cannot look at packet contents, application independent, can only approve on protocol (up to session layer) not by command, does not require configuration for each protocol (e.g. SOCKS)
application-level proxy (on application layer) - inspect all the way up to application layer, can see packet content - can make specific command level decisions (e.g. FTP put or get) but must be configured for each protocol
Advantages:
EDS
Extensive logging capabilities
Direct authentication
Spoofing protection
disadvantages:
RNL
not good for high bandwidth / real-time applications
limited in support for new applications / protocols
lower performance
Next generation firewall (NGFW), description:
multiple …
combines … , … , … capabilities and adds … based … engine
can share … with all other … of the same vendor
connects to … … sources such as … … , … , … , … …
multiple layers
combines packet, stateful, proxy capabilities and adds signature based IPS engine
can share signatures with all other firewalls of the same vendor
connects to external data sources such as:
Active Directory, whitelists, blacklists, policy servers
MSSP, before hiring checklist (5 items)
Managed Security Service Provider - third party security service vendors
Before hiring:
DCURL (don’t use really corrupt losers)
Determine requirements
determine if MSSP Understands your business processes
Reputation
Costs
Liability limits
NIST 800-61, life cycle (7 steps), report contents (8)
Computer Security Incident Handling guide
I hope I’m not 61 before I handle security incidents
lifecycle:
Please Don’t Allow Creepy, Evil, Random People
Preparation
Detection
Analysis
Containment
Eradication
Recovery
Post Incident activity
information to include in report:
SIRACI IN
Summary
Indicators
Related Incidents
Actions Taken
Chain of custody for all evidence
Impact assessment
Identity / Comments of incident handlers
Next steps
IOA / IOC, what does it mean, what are typical indicators (5)
indicators of attack / indicators of compromise
typical indicators:
HRODD
unusually large HTTP requests / responses
new Registry entries
Outbound traffic to specific IP address(es)
abnormal DNS queries
DDoS traffic
ISO 27037 - phases of evidence handling (4) and description of each phase
Guidelines for digital evidence
I CAP
Identification:
determination of the evidence required
Collection:
gaining control of evidence in a lawful manner
Acquisition:
digital acquisition - creating forensic image of digital data for examination, bit by bit copy of media outside the O/S [logical acquisition is done using the O/S)]
2 copies are made (1 is control copy) 1. Primary image 2. Working image
Compute cryptographic hash of original and each copy
Preservation:
hashing as indicated above + access limited to qualified people to do limited actions (read only), possibly two-person control
Requirements Phase, what 4 security tasks are done during this phase, security requirements include what 3 categories,
G RA PA RA
Gather system and security requirements from SOW and / or other product management documentation
security requirements should be in categories: (triad)
confidentiality
integrity
availability
security Risk Assessment - identify threats and associated consequences
Privacy risk Assessment - HML rating of private data,
H - stores / transfers private data (PII), or makes it possible to do so<e.g. change settings, install software>,
M - one time user initiated transfer of PII
L - no effect to privacy
Risk-level Acceptance
Design phase, what is it, 3 models, what security tasks (2) in this phase
mapping planned functionality to real world possibilities
BIF models designs AS A TM task
Models:
BIF
Behavioral - explains state system will be in during and after certain transitions take place
Informational - type of information to be processed and how it will move around the software system
Functional - task, functions and their sequence(s)
Security tasks:
attack surface analysis - reduce the code that is usable by untrusted users, reduce entry points for untrusted users, provide least privilege, eliminate unnececessary services, can use software tools to perform
threat modeling - analyzing the various weak points in the system (e.g. input fields, back doors, vulnerabilities, etc.) using threat trees or other constructs, software tools are also available, such as OWASP Threat Dragon
SDLC Security Concerns - Development phase (3)
USC developed
Use of automated tools helps develop more secure code
Secure Coding techniques - helped by MITRE CWE (Common Weakness Enumeration) list of most impactful issues
Code reviews catch common syntactical issues, especially input validation, prevention of covert channels, proper data typing, checksums, etc.
Testing Phase security concerns (7)
If you pass the test you’re all square MR. EF
MR SQUAR EF
Map security risks to test cases and code
Separation of duties including not allowing developers to access production code
separate QA testing, including possibly Red Team type of testing
Unit Testing for modules using Test-Driven Development where a test is designed before or during actual coding
Attack simulation / Penetration Testing
Repeat testing until objectives are achieved
Ensure systems Fail securely if no human life is at risk
Operations and Maintenance Phase security concerns (2 closely related concerns), most likely phase to concern …
Change Management (general approach) / Change Control (specific changes)
Most likely phase to concern CISSP individuals
Incremental Development Methodology, what is it, benefits (4), used when
incremental waterfalls often result in a werl of water
a multi-waterfall approach, each incremental phase results in a deliverable
benefits:
WERL
working model delivered early
end-users can provide input
lower cost of initial delivery
risk of critical changes are lower due to feedback cycle with end-users
best used when various aspects of the project need to be understood early in the development cycle
RAD, phases (7)
Rapid Application Development - using working prototypes to quickly deliver software
that’s RAD dude, A Quick Board Doesn’t Really Turn Instantly
Analysis
Quick design
Build,
Demonstrate,
Refine (prototypes)
Testing
Implementation
Scrum, 6 characteristics
SCRUM SCCRAL
uses Sprints (predefined time of building, usually 2 weeks) or time between scrums
focused on Collaboration
Continuous delivery
project can be Reset (like in rugby, when the game is reset to a scrum) adding new features, etc.
a very widely Adopted Agile devlopment methodolgy
Lean and customer focused
Kanban stresses …, uses …
stresses visual tracking of all tasks so priorities can easily be accommodated
uses a “Kanban Wall” where all tasks are placed for visualization under Planned, In progress and Done
Application Security Testing types (3)
SDF
Static - examining source code, typically with automated tools without executing the code, of course requires access to the source code
Dynamic - examining running code without access to the source code, of course requires running the code
Fuzzing - used to discover flaws and vulnerabilities by sending large amounts of test data to the target trying to cause failure
ISO 27034
Software developer certification
FEDRAMP, what does it mean, what is it - provides a … approach to … …, … and … … for … products and services
It’s a standard approach ramp to SA A C’M in the cloud.
Federal Risk and Authorization Management Program - United States federal government-wide compliance program that provides a standardized approach to Security Assessment, Authorization, and Continuous Monitoring for cloud products and services.
3 Tiers of Information Security (Main directives)
Tier 1 Create / Deliver value
Tier 2 Support business
Tier 3 Protect assets from threats through safeguards to achieve CIA
Security Professional characteristics (7)
BS VOICE
Behave ethically, responsibly and legally
think Strategically
focus on Value / ROI
emphasize Outcome and cost / benefit
Innovate / enable business
Continuous improvement
Effective / Efficient
STRIDE
microsoft threat modeling for categorization
Spoofing
Tampering
Repudiation
Information disclosure
Denial of service
Elevation of privilege
DREAD
microsoft threat modeling for prioritization
Damage
Reproducibility
Exploitability
Affected users
Discoverability
Threat modeling common steps (5)
A MODEL of Resistance Definitely Inspires Many Victims (RDIMV)
define security Requirements
create Diagram of system
Identify threats
Mitigate threats
Validate threat mitigation
Threat landscape (5 elements)
RAATT running over the landscaping
collection of Risks, Assets, threat Actors, Threats, and observed Trend
Access Control Components (3)
Authentication - proving identity
Authorization - proving clearance
Accounting - recording activity
ISO 29100 Privacy Principles (11)
My CUPs could use some privacy CAIN CAID
CUP of CAIN CAID
Consent
Use, retention and disclosure limitation
Purpose
Collection limitation
Accuracy
Individual participation / access
Notice provided to owner
Compliance with privacy laws
Accountability
Information Security
Data minimization
NIST 800-64 R2 SDLC (5 phases)
no IDIOTs born in 64
Initiation
Development / acquisition
Implementation / assessment
Operations / maintenance
Trash / disposal
SDLC Security Activities - Initiation (5 steps)
Initiate Cycle By Pushing Switch
ICBPS
Initiate Security Planning
Categorize System
Business impact Analysis
Privacy impact analysis
ensure use of Secure dev processes
SDLC Security Activities - Dev. / Acq. (6)
Random Strangers Develop Eventual Social Ties (RS DEST)
Risk assessment
Select / doc. security controls
Design security architecture
Engineer security controls
Security documentation
Testing of dev., function, security
SDLC Security Activities - Implementation (4)
DIAA de implementacion
DIAA
Detailed compliance / auditing plan
Integrate security into established systems
Assess system security
Authorize the system
SDLC Security Activities - Operations (3)
(OCC)
operational readiness
configuration management
continuous monitoring
SDLC Security Activities - Disposal (5)
dispose of that Cockroach PEST
P E S T C
build disposal Plan
Ensure information preservation
Sanitize media
Trash / dispose of h/w & s/w
Close system
ISO 31000, subject, concepts (4)
The risk management chain has 31000 links where Virtuous People Find Purpose.
Subject: Risk management guidelines
elements:
Virtuous People Find Purpose
Values -> Risk Management Principles -> Risk Mangement Framework -> Risk Management Process
ISO 22301 / 22313
business continuity planning
NIST 800-34, subjects (2)
addresses risk at the level of information systems and
introduction to organizational resilience planning
SDO (bcp)
Service Delivery Objective - level of service during alternate mode until returning to normal operations (e.g. 60% of normal capacity)
BCMS, elements (6)
Business Continuity Management System - set of interrelated or interacting elements to establish policies and objectives and processes to achieve objectives of business continuity
Components:
if you need to manage elements, you have to see the Continuity Planning PIMP.
CI
P
P
I
MR
PA
Continual improvement
Policy
Planning
Implementation / Operation
Management review
Performance assessment
Lean software development, principles (7)
translation of lean manufacturing principles and practices to the software development domain
principles:
Lean or skinny like a snake (boa)
BOA DEED
Build integrity in
Optimize the whole
Amplify learning
Decide as late as possible
Eliminate waste
Empower the team
Deliver as fast as possible
release and deployment management, aims to …, … and … the movement of … to test and live environments, what tech org, primary goals (2)
ITIL: aims to plan, schedule and control the movement of releases to test and live environments.
The primary goal of this process is to ensure that the integrity of the live environment is protected and that the correct components are released.
CWSS, what is it, metric groups (3), factors (16)
Common Weakness Scoring System (CWSS) provides a mechanism for prioritizing software weaknesses in a consistent, flexible, open manner. It is a collaborative, community-based effort that is addressing the needs of its stakeholders across government, academia, and industry.
BAE 565
TI AP AL IC FC (tilapia icky fish)
RP RL AV AS IN SC (raper lava as in SC)
BI DI EX EC EP/p (bidi exec p)
Metric Groups:
BAE
Basic Finding
Attack Surface
Environmental
Factors:
TI AP AL IC FC RP RL AV AS IN SC BI DI EX EC EP/p
Metric Group | factor |description
Base Finding Technical Impact (TI) The potential result that can be produced by the weakness, assuming that the weakness can be successfully reached and exploited.
Base Finding Acquired Privilege (AP) The type of privileges that are obtained by an attacker who can successfully exploit the weakness.
Base Finding Acquired Privilege Layer (AL) The operational layer to which the attacker gains privileges by successfully exploiting the weakness.
Base Finding Internal Control Effectiveness (IC) the ability of the control to render the weakness unable to be exploited by an attacker.
Base Finding Finding Confidence (FC) the confidence that the reported issue is a weakness that can be utilized by an attacker
Attack Surface Required Privilege (RP) The type of privileges that an attacker must already have in order to reach the code/functionality that contains the weakness.
Attack Surface Required Privilege Layer (RL) The operational layer to which the attacker must have privileges in order to attempt to attack the weakness.
Attack Surface Access Vector (AV) The channel through which an attacker must communicate to reach the code or functionality that contains the weakness.
Attack Surface Authentication Strength (AS) The strength of the authentication routine that protects the code/functionality that contains the weakness.
Attack Surface Level of Interaction (IN) the actions that are required by the human victim(s) to enable a successful attack to take place.
Attack Surface Deployment Scope (SC) Whether the weakness is present in all deployable instances of the software, or if it is limited to a subset of platforms and/or configurations.
Environmental Business Impact (BI) The potential impact to the business or mission if the weakness can be successfully exploited.
Environmental Likelihood of Discovery (DI) The likelihood that an attacker can discover the weakness
Environmental Likelihood of Exploit (EX) the likelihood that, if the weakness is discovered, an attacker with the required privileges/authentication/access would be able to successfully exploit it.
Environmental External Control Effectiveness (EC) the capability of controls or mitigations outside of the software that may render the weakness more difficult for an attacker to reach and/or trigger.
Environmental Prevalence (P) How frequently this type of weakness appears in software.
RAID 0 - 6, features of each (mirroring, parity, striping), min # of disks for each
0 - used for striping data on a disk, increases speed, no redundancy, min # drives = 2
1 - Mirroring without parity or striping, min drives = 2
2 - Bit-level striping with Hamming code for error correction, min # drives = 3
3 - Byte-level striping with dedicated parity, min # drives = 3
4 - Block-level striping with dedicated parity, min # drives = 3
5 - Block-level striping with distributed parity, min # drives = 3
6 - Block-level striping with double distributed parity, min # drives = 4
scaled agile framework, what is it, core values (5), principles (9)
The Scaled Agile Framework® (SAFe®) is a set of organizational and workflow patterns for implementing agile practices at an enterprise scale. The framework is a body of knowledge that includes structured guidance on roles and responsibilities, how to plan and manage the work, and values to uphold.
SAFe promotes alignment, collaboration, and delivery across large numbers of agile teams. It was formed around three primary bodies of knowledge: agile software development, lean product development, and systems thinking.
Core Values:
TABLe P
Transparency
Alignment across org
Built-in quality - five key dimensions of built-in quality: flow, architecture and design quality, code quality, system quality, and release quality
Leadership
Program execution
Principles:
EAV BMW CMD
1 take an Economic view
2 Apply systems thinking
3 assume Variability; preserve options
4 Build incrementally with fast, integrated learning cycles
5 base Milestones on objective evaluation of working systems
6 visualize and limit Work in Process (WIP), reduce batch sizes, and manage queue lengths
7 apply Cadence, synchronize with cross-domain planning
8 unlock the intrinsic Motivation of knowledge workers
9 Decentralize decision making
generational programming languages characteristics and examples
12 = 7 + 5
2nd - assembly
3rd - 3GLs are much more machine-independent (portable) and more programmer-friendly [C, C++, Java, Python, PHP, Perl, C#, BASIC, Pascal, Fortran, ALGOL, COBOL]
4th - Fourth-generation languages tend to be specialized toward very specific programming domains [ABAP, Unix Shell, SQL, PL/SQL, Oracle Reports, R, Halide] low code, GUI based, database, screen painters, data manipulation, software creators, mathematical optimization, web developmet
5th - A fifth-generation programming language (5GL) is any programming language based on problem-solving using constraints given to the program, rather than using an algorithm written by a programmer [Prolog, OPS5, Mercury, CVXGen [6][7] , Geometry Expert] Mainly used in AI
PII, 23, 3 categories
Personally Identifiable Information
Examples of personally identifiable information (PII) include :
categories:
general (9)
biometric (5)
inference (9)
Social security number (SSN),
passport number,
driver’s license number,
taxpayer identification number,
patient identification number, and
financial account or
credit card number
Personal address and
phone number
Biometric records such as photographic image (especially of face or other distinguishing characteristic),
x-rays,
fingerprints,
retina scan,
voice signature,
facial geometry
Information that when combined with other information like that listed above which can then be used collaboratively to identify a specific individual. For example,
date of birth,
place of birth,
race,
religion,
geographical indicators,
employment information,
medical information,
education information,
financial information.
SCAP, what does it mean, what is it for, features (3), benefits (3)
security content automation protocol
SCAP is a method for using specific standards to help organizations automate vulnerability management and policy compliance evaluation. SCAP comprises numerous open security standards, as well as applications which use these standards to check systems for vulnerabilities and misconfigurations
Features:
SIR
Scan systems against open cybersecurity standards
Report back with a “score” to help evaluate the system’s security posture
Interoperate with other SCAP-validated scanners to express results in a standardized way
Benefits:
SSS
cooperation among Stakeholders
Stops attacks and closes vulnerabilities
puts Standards into action
metrics used in cvss (3 groups) and meaning of each
BE the I in TEEM
Base:
exploitability metrics
impact metrics
Threat / Temporal:
exploit maturity
Environmental:
modified base + CIA
Config Mgmt DB implementation process (6 steps), 3 C’s
Process:
D DIED V
(configuration, Don’t Do It Every Day Victoria)
Determine business objectives.
CMDB Discovery tools.
ITSM system integration.
Equip data owners/data stewards with the right tools.
Data management and retention plan.
CMDB: data Visualization.
The 3 C’s of CMDB -
Configuration Items,
Changes, and
Compliance -
types of block chain and what they’re used for (4),
3 types have aka’s, one of these has two aka’s
Permissionless Blockchain
It is also known as trustless or public blockchains, are available to everyone to participate in the blockchains process that use to validate transactions and data. These are used in the network where high transparency is required.
Permissioned Blockchain
These are the closed network only a set of groups are allowed to validate transactions or data in a given blockchain network. These are used in the network where high privacy and security are required.
Hybrid Blockchain:
combination, controlled by permissionless
Consortium Blockchain:
It is a creative approach that solves the needs of the organization. This blockchain validates the transaction and also initiates or receives transactions.
Also known as Federated Blockchain.
This is an innovative method to solve the organization’s needs.
Some part is public and some part is private.
In this type, more than one organization manages the blockchain.
Manual penetration testing vs. automated, which is better and why (5 points)
manual goes beyond automated
There are five primary reasons why manual pen testing yields superior outcomes when compared to automated penetration tests.
[Helping Human Can Make Improvements]
Human expertise: Manual penetration tests are conducted by security experts with in-depth industry experience and technical know-how. They can adjust the testing methodology as per your organization’s structure. This results in optimal findings with efficient remediation measures down the line when compared to an automated report that may contain false positives.
Human validation of findings: In a manual pentest exercise, the testing team validates their findings during the process as everything is done manually; each step can be documented and double-checked. However, in automated tests, this transparency is not available, and results can be tough to verify. The findings from pure automated pentests may contain false positives that analysts must verify before remediation can occur.
Customized Pentest Engagements: Manual testing allows customizations based on threats your organization is more likely to face. While the efforts required by the testing team increase substantially, a thorough inspection is conducted in manual pen testing.
Manual Detection of Logical Flaws: Automated tests fail to identify logical flaws in applications. While not every logical flaw is a vulnerability, manual tests can identify broken structures within your applications.
Improve Mean Time to Remediate (MTTR): The remediation process becomes more effective when a test is customized for your organization’s structure, compliance requirements, and external and internal environments. Organizations can realize their return on investment by significantly reducing their overall mean time to remediate as they eliminate vulnerabilities discovered in manual pen testing
IKE OSI layer
3 / network
if you take the N from network and put it in front of IKE you get NIKE
kerberos security concerns (4)
Weaknesses of Kerberos:
kerberos ESOS
Each Network Service Needs a Set of Kerberos Keys
Single Point of Failure
one password gives access to all accounts
Strict Time Requirements
IKE process, 2 phases, results of each phase, phase 1 modes
phase 1, an authenticated connection between the host and user is established using a preshared key or a digital certificate. The goal is to secure the communications that occur in phase 2. The Diffie-Hellman key exchange algorithm creates a secure authentication communication channel. This digital encryption method uses numbers raised to specific powers to produce decryption keys. The negotiation should result in session keys and one bidirectional SA.
Phase 1 operates under one of two modes: main mode or aggressive mode. The main mode consists of both parties sending three two-way exchanges equaling six messages in total. The first two messages confirm encryption and authentication algorithms. The second set of two messages starts a Diffie-Hellman key exchange, where both parties provide a random number. The third set of messages verifies the identities of each party.
Aggressive mode accomplishes the same task as the main mode but does so in just two exchanges of three messages. Whereas the main mode protects both parties’ identities by encrypting them, the aggressive mode does not.
Phase 2 of IKE negotiates an SA to secure the data that travels through IPsec, using the secure channel created in phase 1. The result is a minimum of two SAs that are unidirectional. Both parties also exchange proposals to determine which security parameter to use in the SA.
Phase 2 operates in only one mode: quick mode. Quick mode provides three resources: proxy IDs, perfect forward secrecy (PFS) and replay protection. The proxy IDs of each participant are shared with each other. PFS delivers keys independent from preceding keys. Replay protection is a security method to protect against replay attacks.
The main and aggressive modes found in phase 1 only apply to IKE version 1 and not to IKE version 2.
IKE v2 improvements (10)
Improvements in IKEv2 over IKEv1 are as follows:
BDFL
MMNORS
requires less Bandwidth;
provides more resistance to denial-of-service (DoS) attacks;
enables message Fragmentation and allows IKEv2 to operate in areas where IP Fragments might be blocked and an SA may fail to establish;
detects automatically if an IPsec tunnel is still Live so that IKE can automatically reestablish a connection if needed;
demands fewer cryptographic Mechanisms to protect packets;
supports Mobile platforms, including smartphones;
comes equipped with the built-in Network Address Translation (NAT) traversal needed to support routers that perform translations;
requires only One four-message initial exchange mechanism;
enables Rekeying to build new keys for SA.
supports the securing of Stream Control Transmission Protocol (SCTP) traffic;
looped DOS attack, how does it work, solutions (4)
A novel attack technique is found capable of launching a looped denial of service (DoS) attack between a pair of network applications, blocking legitimate access to their respective servers indefinitely.
This is an application layer attack, targeted at systems running a vulnerable transport layer protocol — user datagram protocol (UDP) — that inherently lacks request verification because of its connection-less nature.
“Application-layer loop DoS attacks rely on IP spoofing and can be triggered from a single spoofing-capable host,” CISPA, the German research firm that made the discovery, said in a blog. “The attacks pair two network services in such a way that they keep responding to one another’s messages indefinitely.”
solution:
PPAR
Patching affected systems
Protect or replace UDP applications
deploy Anti-spoofing
enforce network Rate-limiting
microservices (5 notes)
No single definition for microservices. Most often, they include:
FCASS
- Services in a microservice architecture (MSA) are often processes that communicate over a network to fulfill a goal using technology-Agnostic protocols such as HTTP.
- services are organized around business Capabilities.
- services can be implemented using different programming languages, databases, hardware, and software
environments, depending on what Fits best. - services are Small in size, messaging-enabled, bounded by contexts, autonomously developed,
independently deployable, decentralized, and built and released with automated processes. - A microservice is not a layer within a monolithic application. It is a Self-contained piece of business
functionality with clear interfaces and may implement a layered architecture through its own internal
component
Container benefits (6)
DEEP ContainerS
deployment speed,
enhanced security,
easy to manage,
portability,
cost-effective (10-100
times more application vs. normal virtualization)
scalability,
Overpass the Hash (kerberos attack) aka, Like PtH but used when … is disabled on a network. Even when … is disabled, the systems generate an … … and store it in …. The attacker requests a … with the user’s … to gain access to network resources
aka: pass the key
Like PtH but used when NTLM is disabled on a network. Even when
NTLM is disabled, the systems generate an NTLM hash and store it in memory. The attacker requests a TGT
with the user’s hash to gain access to network resources
Pass the Ticket (kerberos attack)
The attackers attempt to collect tickets held in the lsass.exe process. The attackers then
inject the ticket impersonating the user.
Silver Ticket (kerberos attack), solutions (3)
The attacker uses the NTLM hash of a service account to make a ticket-granting service (TGS)
ticket. Service accounts use TGS tickets instead of TGT tickets. The silver ticket gives the attacker all the
privileges granted to that specific service account.
solutions:
PPE will earn you some silver
implement kerb with Privilege attribute certificate (as in sesame)
strong passwords for local user, admin and service accounts
encryption (AES for kerberos)
Kerberos Brute-Force attack, Attackers can … passwords and … by using the Python script … on Linux or … on Windows because Kerberos will report whether a username is … or not.
Attackers can guess passwords and usernames by using the Python script kerbrute.py on Linux or Rubeus on Windows because Kerberos will report whether a username is valid or
not.
SDLC (networking)
Synchronous Data Link Control: A synchronous L2 WAN protocol that uses polling to transmit data;
combined nodes can act as primary or secondary but using NRM transmission only.
HDLC, what does it mean, The … to SDLC; adds … … and … … and two additional modes (… , …)
High-Level Data Link Control: The successor to SDLC; adds error correction and flow control and two
additional modes (ARM/ABM)
three modes of HDLC and the one of SDLC
- NRM (Normal Response Mode): Secondary nodes transmit when they get permission from the primary.
- ARM (Asynchronous Response Mode): Secondary nodes can initiate communication with the primary node.
- ABM (Asynchronous Balanced Mode): When nodes act as primary or secondary, initiating transmissions
without receiving permission; this is the most commonly used mode.
PANA, what does it mean, allows a … to … itself with a … to be granted access. … will be used for … protocol, … distribution, …
agreement, and key … protocols
(Protocol for Carrying Authentication for Network Access
allows a device to authenticate itself
with a network to be granted access. EAP will be used for authentication protocol, key distribution, key
agreement, and key derivation protocols
Super Sign-on
One login can allow you to access many systems and sites. Social media logins are common
super sign-on; an attacker can access multiple other sites or systems if an account is compromised. The
social media account is linked to all the other systems
SESAME, what does it mean, Called the successor to …, uses … encryption, which fixed the … issue with the … storage of … keys issue. Uses a PAS (… … …), which issues PACs (… … …) instead of Kerberos’ … .
widely used or not?
(Secure European System for Applications in a Multi-vendor Environment): Called the successor to Kerberos, addresses some of the issues of Kerberos. It uses PKI encryption, which fixed the Kerberos the plaintext storage of symmetric keys issue. Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos’ tickets.
Not widely used.
All-Pairs Testing, aka, All-Pairs Testing is defined as a …-… test design technique in which test cases are designed to execute all possible … combinations of each pair of input parameters; the most common … in a program are generally triggered by either a single … … or an … between … of …; it uses carefully chosen test …, this can be done much … than an … search of all combinations of all parameters by … the tests of parameter pairs.
aka Pairwise Testing
All-Pairs Testing is defined as a black-box test design technique in which test cases are designed to execute all possible discrete combinations of each pair of input parameters; the most common bugs in a program are generally triggered by either a single input parameter or an interaction between pairs of parameters; it uses carefully chosen test vectors, this can be done much faster than an exhaustive search of all combinations of all parameters by parallelizing the tests of parameter pairs.
NIST 800-128, subject, parts (4)
The configuration of 128 in Boston is a mess, and ICBM would fix it
Guide for Security-Focused Config. Mgmt. of Information Systems (also change mgmt)
The basic parts of a CM Plan include:
* Configuration Control Board (CCB): Establishment of and charter for a group of qualified people
with responsibility for the process of controlling and approving changes throughout the
development and operational life cycle of products and systems may also be referred to as a
change control board.
* Configuration Item Identification: For selecting and naming configuration items that need to be
placed under CM.
* Configuration Change Control: Process for managing updates to the baseline configurations for
the configuration items.
* Configuration Monitoring: Process for assessing/testing the level of compliance with the
established baseline configuration and mechanisms for reporting on the configuration status of
items placed under CM.
Common logical data models for databases (7)
E DRONES
(1) Navigational databases: Hierarchical database model, Network model, Graph database.
(2) Relational model
(3) Entity–relationship model, Enhanced entity–relationship model
(4) Object model.
(5) Document model.
(6) Entity–attribute–value model.
(7) Star schema.
Database Normalization, Used to … … the data in a database … to make it … …, …, and … . Removes … data and improves the … and … of the database
3 forms:
* First Normal Form: … the base data into …. The … … is assigned to most or all … .
* Second Normal Form: … data partially dependent on the primary key to another … .
* Third Normal Form: … data that is not dependent on the … … .,
BENEFITS list (5)
Used to clean up the data in a database table to make it logically concise, organized,
and consistent. Removes redundant data and improves the integrity and availability of the database
Normalization has three forms (rules):
* First Normal Form: Divides the base data into tables. The primary key is assigned to most or all tables.
* Second Normal Form: Move data partially dependent on the primary key to another table.
* Third Normal Form: Remove data that is not dependent on the primary key.
FORCeS
(1) greater overall database Organization.
(2) Reduction of Redundant data.
(3) data Consistency within the database.
(4) a much more Flexible database design.
(5) a better handle on database Security.
Database Query Language Subsets (2), and their associated statements
Database query languages have at least two subsets of commands:
* Data Definition Language (DDL):
* A standard for commands that define the different structures in a database.
* Creates, modifies, and removes database objects such as tables, indexes, and users.
* Common DDL statements are CREATE, ALTER, and DROP.
* Data Manipulation Language (DML):
* Used for selecting, inserting, deleting, and updating data in a database.
* Common DML statements are SELECT, DELETE, INSERT, UPDATE.
Object-Oriented Databases, characteristics (4), Object characteristics (3)
DB characteristics:
SO UL DN C
- Object databases store objects rather than data such as integers, strings, or real numbers.
- Objects are used in object-oriented languages such as Smalltalk, C++, Java, …
- Objects in an object-oriented database reference developing a product and then defining and naming it.
- The object can then be referenced, or called later, as a unit without going into its complexities
Object characteristics:
AMC
- Attributes: Data that defines the characteristics of an object. This data may be simple such as
integers, strings, real numbers, or a reference to a complex object. - Methods: Defines the behavior of an object and are what were formerly called procedures or
functions. Objects contain both executable code and data. - Classes: Define the data and methods the object will contain; they are the template for the object.
It does not contain data or methods but defines the data and methods contained in the object.
ORB, what does it mean, what is it, 4 brokers, 3 types
Corba, better have that ORB checked at the CDC.
(Object Request Broker): Middleware that allows program calls to be made from one computer to
another via a network, providing location transparency through remote procedure calls. ORBs promote
interoperability of distributed object systems, enabling such systems to be built by piecing together objects
from different vendors while different parts communicate with each other via the ORB.
Common object
brokers included:
.NET remoting,
COM,
DCOM, and
CORBA.
Types:
CDC
- COM (Component Object Model): A language-neutral way of implementing objects that can be used in
environments different from the one in which they were created, even across machine boundaries. It is
used to enable inter-process communication object creation in a large range of programming languages. - DCOM (Distributed COM): The networked sequel to COM, which adds to support communication among
objects on different computers—on a LAN, a WAN, or even the Internet. The application can be distributed
at locations that make the most sense to your customer and to the application itself. DCOM includes Object
Linking and Embedding (OLE) to link documents to other documents. - CORBA (Common Object Request Broker Architecture): Open vendor-neutral ORB standard defined by the
Object Management Group (OMG) designed to facilitate the communication of systems that are deployed
on diverse platforms; enables collaboration between systems on different operating systems, programming
languages, and computing hardware; uses an object-oriented model although the systems that use the
CORBA do not have to be object-oriented.
GP (AI)
Genetic Programming:
* A technique where computer programs are encoded as a set of genes that are then modified (evolved)
using an evolutionary algorithm, often a GA (Genetic Algorithm).
* The results are computer programs able to perform well in a predefined task.
* The methods used to encode a computer program in an artificial chromosome and to evaluate its fitness
with respect to the predefined task are central in the GP technique and still the subject of active research.
* GP evolves computer programs, traditionally represented in memory as tree structures. Trees can be easily
evaluated recursively. Every tree node has an operator function, and every terminal node has an operand,
making mathematical expressions easy to evolve and evaluate.
* Traditionally, GP favors programming languages that naturally embody tree structures, such as Lisp or other
functional programming languages.
* The process is in its simple form like this:
* Generate an initial population of random computer programs.
* Execute each program in the population and assign it a fitness value according to how well it
solves the problem.
* Create a new population of computer programs.
* Copy the best existing programs.
* Create new computer programs by mutation.
* Create new computer programs by crossover.
* Genetic Algorithms and Genetic Programming have been used to program a Pac-Man playing program,
robotic soccer teams, networked intrusion detection systems, and many others
list of security administrator responsibilities (7)
DD STIC M
Defending systems against unauthorized access, modification and/or destruction Scanning and assessing network for vulnerabilities Monitoring network traffic for unusual activity Configuring and supporting security tools such as firewalls, anti-virus software and patch management systems Implementing network security policies, application security, access control and corporate data safeguards Training fellow employees in security awareness and procedures Developing and updating business continuity and disaster recovery protocols
capability table vs ACL
capability lists (table) are used to grant access rights to objects, while access control lists specify the access rights for objects in a network
Delegated Identity Management (DIM)
site is simply outsourcing its authentication needs to another pre-selected site
Due Care vs Due Diligence vs Prudent Person Rule
Due care: refers to the level of care that an individual would reasonably be expected to exercise in a particular situation
Due diligence: the investigative process conducted to assess a business transaction
Prudent Person Rule: a legal concept that typically applies to the management of another’s affairs, especially in a fiduciary capacity
