IT People NEWS, Tips and Tricks

Fraudulent Digital Certificates

2011-09-07T11:23:00.000-07:00

some major borwsers have issued a relased because DIGINOTAR the former Certificate Authority whihc managed to issue more than 500 bogus digital certificates in the name of majore web service providers mainly

Facebook
Twitter
Microsoft
Google

even in the name of some intelligence agencies.

In recent update from MoZilla Firefox it have blocked any certificate signed by DigitNotar.

Microsoft have also released an update 2607712 permanently moving all five DigiNotar's root certificates to the Certificate Revokation List whihc provides protection to all Windows versions.

DigiNotar Root CA

DigiNotar Root CA G2

DigiNotar PKIoverheid CA Overheid

DigiNotar PKIoverheid CA Organisatie - G2

DigiNotar PKIoverheid CA Overheid en Bedrijven

Netflow Vs NBAR

2011-08-25T01:57:00.000-07:00

You are the Cisco Network Designer in Cisco.com. Which statement is correct regarding NBARand NetFlow?
A. NBAR examines data in Layers 1 and 4.
B. NBAR examines data in Layers 3 and 4.
C. NetFlow examines data in Layers 3 and 4.
D. NBAR examines data in Layers 2 through 4.

Answer is C

Explanantion

Netflow works between 3 and 4

Layer Flexible Netflow workd from Layer 2 to 7 inspect payload

NBAR works 3 to 7

Switching, Backplane and Switching fabric

2011-08-12T04:59:00.000-07:00

There is a biggest confusing in the datasheets to understand Forwarding , Switching, Backplane and Switching fabric Internally to a switch.

A specialized hardware is needed to move frames between ports.This specific part can be called backplane or in some cases we talk of switching fabric.

When the forwarding capabilities of a backplane or switching fabric are greater then the sum of speeds of all ports (counted twice one for tx and one rx direction) / full duplex we call the switching fabric non blocking

Traffic between a pair of ports is not influenced by what traffic is exchanged on all other ports.The forwarding rate is expressed in packet per seconds and expresses how many packets per second are needed to reach a certain traffic volume (throughpout)

Clearly forwarding rate depends on frame size.

Ideally a backplane switching fabric should be non blocking for every frame size including the smallest ones (64 bytes in ethernet standard) but in reality most devices can be non blocking for an average size of 400 bytes.

bandwidth is the speed of traffic.

to convert between forwarding rate and used bandwidth we need to take in account some specific aspects of ethernet: with this kind of calculation using frames of minimum size 64 bytes you need 1488000 frames per second and per direction to fill a Gigabit ethernet port.

Be aware that all figures you see sum tx and rx directions so if a switch has 100 Mpps (Million Pkts per second) capability this accounts for a certain number of GE ports at 1 Gbps full duplex.

In almost all switches (Cisco and non-Cisco) the switching limitation is actually NOT bandwidth, its Mpps (mega packets per second).

So the answer actually depends mostly on what your traffic looks like. Worst-case is VOIP traffic which consists of 100byte packets, best case is file transfers using full 1500 byte packets.

CISSP CBK 8 Legal, Regulations, Compliance, and Investigations

2011-07-31T11:44:00.000-07:00

Legal, Regulations, Compliance, and Investigations

Council of Europe (CoE) Convention on Cybe rcrime:
If the organization is exchanging data with European entities, it may need to adhere to the Safe harbor

safe harbor framework how any entity that is going to move Private data to and from Europe must provide protection

Civil law deals with wrongs against individuals or companies that result in damages or loss. This is referred to as tort law. no Jail sentence

Criminal law when an individuals conduct violates the government laws / Jail sentence

Administrative/regulatory law deals with regulatory standards that regulate performance and conduct

Intellectual property laws do not necessarily look at who is right or wrong, but rather how a company can protect what it rightfully owns from unauthorized duplication or use,

Trade Secret = competitive value or advantage (formula for Drink)
Copyright= rights for authors(unauthorized copying and distribution of a work)
Trademark= protect a word,name, symbol (identifiable packaging, “trade dress.”)
Patent= (usually valid for 20 years from the date of approval)

international trademark law efforts and international registration are overseen by the World Intellectual Property Organization (WIPO), an agency of the United Nations

Similar to trademarks, international patents are overseen by the WIPO

Digital Millennium Copyright Act (DMCA), which makes it illegal to create products that circumvent copyright protection mechanisms.

Federal Privacy Act of 1974, it has enacted new laws, Gramm-Leach-Bliley Act of 1999

Federal Privacy Act If an agency collects data on a person, that person has the right to receive a report outlining data collected about him if it is requested ialso gives individuals the right to review records about themselves, to find out if these records have been disclosed, and to request corrections or amendments of these records)

Sarbanes-Oxley Act (SOX) law governs accounting practices,
Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley Act of 1999 (GLBA) requires financial institutions to develop privacy notices and give their customers option to share the data with other companies.

1994 U.S. Communications Assistance for Law Enforcement Act all communications carriers to make wiretaps possible

Computer Fraud and Abuse Act,1986, 1996

access to federal Govt computers to access classified info
access to financial institution computers or any computer
unauthorised access to Govt computer
knowing access of a protected computer without authorization with intend to Fraud
causing the transmission of Program/ Information and Code from a computer without owners authorization
trafficking of computer password for fraud
transmission of communication containing threats

The Federal Privacy Act of 1974
Government agencies can maintain personnel information only if it is necessary to accomplish the agency’s purpose.

The Privacy Act dictates that an agency cannot disclose this information without written Permission from the individual however there are some exceptions.

1996 U.S Economic and Protection of Proprietary Information Act Industrial and corporate Espionage

1980 Organization for Economic Cooperation and Development (OECD) Guidelines
Deals with data collection limitations, the quality of data, specifications of the purpose for data collection, limitations of data use, participation by the individual on whom the data is being collected, and accountability of the data controller

Basel II
how much capital banks need to put aside to guard against the types of financial and operational risks banks face

1987 U.S. Computer Security Act federal government agencies to conduct security-related training, to identify sensitive systems, and to develop a security plan for those sensitive systems

Computer Security Act of 1987 identify computers with sensitive information.

American citizens are protected by the Fourth Amendment against unlawful search and seizure

Payment Card Industry Data Security Standards (PCI DSS)
any entity that processes, transmits, stores, or accepts credit card data PCI DSS is a private-sector industry initiative. It is not a law and failure to comply may lead to revocation of merchant status or a fine
PCI DSS main areas

Build and Maintain a Secure Network,
Protect Cardholder Data,
Maintain a Vulnerability Management Program,
Implement Strong Access Control Measures,
Regularly Monitor and Test Networks,
Maintain an Information Security Policy

Economic Espionage Act of 1996

1991, U.S. Federal Sentencing Guidelines were developed to provide judges with courses of action in dealing with white collar crimes max fine up to 290 Million $

Employee Privacy Issues
manager can listen your conversation with customer but not your personal conversation

Government regulations SOX, HIPAA, GLBA, BASEL
Self-regulation Payment Card Industry (PCI)
Individual user Passwords, encryption, awareness

Downstream liability when two companies work to gather they must ensure proper protection for each other so if virus effect one company other wil get effected and will finally Sue upstream company.

event is a negative occurrence that can be observed, verified, and documented, whereas an incident is a series of events that negatively affects the company and/or impacts its security posture.

incident response policy should be managed by Legal Department

Three types of incident response team
virtual team members have other jobs slower response
permanent team which is dedicated strictly to incident response
hybrid team some are permanent members and some are called when needed

Main goal of incident handling is to contain and mitigate any damage caused by an incident and to prevent any further damage.

Steps to Incident Responce
Triage : initial screening of the reported event either it is False positive
Investigation:- proper collection of relevant data
Containment:
Analysis:
Tracking:
Recovery:

honeypots can introduce liability issues and be used to attack other internal targets

Steps of Forensic Investigation
Identification
Preservation
Collection
Examination
Analysis
Presentation
Decision

exigent circumstances when law enforcement quickly seize the evidents to avoid destruction for some one

Most of the time, computer-related documents are considered hearsay, meaning the evidence is secondhand evidence

The life cycle of evidence includes
Collection and identification
Storage, preservation, and transportation
Presentation in court
Return of the evidence to the victim or owner

Oral evidence is not considered best evidence because there is no firsthand reliable proof

evidence should be authentic , complete , sufficient and reliable

Dumpster diving is unethical, but it’s not illegal.
Trespassing is illegal,
Emanation = Tempest

Some things may not be illegal, but that does not necessarily mean they are ethical

Red box simulated the tones of coins being deposited into a pay phone
Black Box method to manipulate line voltage to enable people to call toll-free lines.
Blue Box ' that enabled people to make free long-distance phone calls,

Generally Accepted System Security Principles (GASSP) are security-oriented principles and do not specifically cover viruses or worms

ISC2 Code of Ethics

Code of Ethics Preamble:

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession

Business attack = competitive intelligence to get trade secret
Intelligence attack = Military
Financing Attack = Bank Fraud

Corroborative Evidence supporting evidence is used to help prove an idea or a point, however It cannot stand on its own i.e Torn clothes, 911 call recording

computer fraudsters hold a position of trust

exclusionary rule mentions that evidence must be gathered legally

incident handling Contain and repair any damage caused by an event

Memory Dump gives an State of the Machine.

Circumstantial evidence = inference of information from other, intermediate, relevant facts. Secondary evidence = copy of evidence or oral description
Conclusive evidence = overrides all other evidence

GIASP Generally Accepted Information Security Principles
Computer security supports the mission of the organization
Computer security is an integral element of sound management
Computer security should be cost-effective
Systems owners have security responsibilities outside their own organization
Computer security responsibilities and accountability should be made explicit
Computer security requires a comprehensive and integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors

CISSP CBK 7 BCP/DRP

2011-07-24T11:22:00.000-07:00

BCP / DRP

business continuity coordinator is leader of BCP

BCP Planing
1. Project initiation
2. BIA
3. Recovery strategy
4. Plan design and development
5. Implementation
6. Testing
7. Continual maintenance

1. Project intiation
develop the continuity planning policy statement.mgmt support and resources
Establishing need for the BCP
Obtaining management support
Identifying strategic internal and external resources
Establishing members of team
Establishing project management work plan
Determining need for automated data collection tools
Preparing and presenting status reports
2.Business Impact Analysis
Maximum tolerable downtime
Operational disruption and productivity
Financial considerations
Regulatory responsibilities
Reputation, Preventive measures
3. Recovery strategy
Business process recovery
Facility recovery
Supply and technology recovery
User environment recovery
Data recovery

hot site (subscription service) and a redundant site (owned by the company).

backup site should be 15 Miles recommended , critical environment 50-200 Miles

Software escrow means that a third party holds the source code, backups of the compiled code, manuals, and other supporting materials.

Disk duplexing means there is more than one disk controller. If one disk controller fails, the other is ready and available

Electronic vaulting makes copies of files as they are modified and periodically transmits them to an off site backup site (not real time its batch processing) bulk Information transfer

Remote journaling is off site data storage for real time transaction logs
tape vaulting auto transfer data to tape controller remote site

Block ciphers do not use public cryptography (private and public keys).

Type of testing includes
Structured walk-through
Checklist
Simulation
Parallel
Full interruption

The functions of a critical system can only be replaced by identical capabilities. Other functions can be performed manually.

Dual Data Center strategy also called redundent site or alternate site would be employed for applications, which cannot accept any downtime without impacting business.

property Insurance Replacement Cost Valuation (RCV) clause your damaged property will be compensated Based on new item for old regardless of condition of lost item

ACV (actual Cost Value)Value of item on the date of loss

disaster recovery plan is usually very information technology (IT) focused

The eight detailed and granular steps of the BIA are:
1. Select Individuals to interview for the data gathering.
2. Create data gathering techniques (surveys, questionnaires, qualitative and quantitative approaches).
3. Identify the company's critical business functions.
4. Identify the resources that these functions depend upon.
5. Calculate how long these functions can survive without these resources.
6. Identify vulnerabilities and the threats to these functions.
7. Calculate risk for each of the different business functions.
8. Document findings and report them to management.

Creating a BCP committee is part of the scope and plan initiation

Recovery Time Objectives (RTO) is the amount of time allowed for the recovery of a business function. If the RTO is exceeded, then severe damage to the organization would result. Recovery Time Objectives RTO would be defined as part of the recovery plan and not as part of the BIA.

The Recovery Point Objectives (RPO) is the point in time in which data must be restored in order to resume processing (mainly Business Transaction)

A data backup is the first step in contingency planning

Human Resources may not be a part of the BCP committee

Named PERILS Burden of proof that particular loss is covered is on Insured

The primary difference between them is that one type of policy covers what is "named" (included) in the policy while the other covers what is not included. A named peril policy is often a good choice for those business owners whose business is located in an area frequently hit by natural disasters such as hurricanes, tornados, or floods. Such a policy spells out the specific events for which you are covered. The cost of the premiums will depend on the location of the business and the likelihood of the specific peril(s). Anything not specifically named in such a policy is not covered.
An all-risk policy covers your business from damages caused by any type of disaster with the exception of those specifically excluded in the policy. Floods and earthquakes are two events that are typically excluded, but coverage for these types of disasters can be added to the policy for an additional fee.
Use of the All Risk form shifts the burden of proof onto the insurer to prove that a particular loss was not covered by the policy.

The Occupant Emergency Plan (OEP) provides the response procedures for occupants of a facility in the event of a situation posing a potential threat to the health and safety of personnel, the environment, or property. Such events would include a fire, hurricane, criminal attack, or a medical emergency

BCP is corrective control.

CISSP CBK 6 Cryptography

2011-07-20T15:56:00.000-07:00

Cryptography

open-community version of SSL is Transport Layer Security (TLS). The differences between SSL 3.0 and TLS is slight, but TLS is more extensible and is backward compatible with SSL

S-Http is to encrypt every message however SSL /TLS is for communication channel.

security parameter index (SPI), keep track of SA and For every tunnel you have two SA one in each direction.

integrity check value (ICV), AH calculates this value over whole Data Packet including header and when packet passes through NAT devices IP header changes and receiving station discard the packet due to mismatch ICV this is were ESP comes in play and it calculate ICV without using IP headers.

The OAKLEY protocol is the one that carries out the negotiation process. You can think of ISAKMP as providing the playing field (the infrastructure) and OAKLEY as the guy running up and down the playing field (carrying out the steps of the negotiation).

Simple Key Management Protocol for IP (SKIP) is another key exchange protocol that provides basically the same functionality as IKE all thease protocols work at Network Layer

passive attacks attacker is not affecting the protocol, algorithm, key, message, or any
parts of the encryption system

Cipher Only attack (COA)the attacker has the cipher text of several messages
Known Plain Text attack (KPTA)the attacker has the plain text and corresponding cipher text of one or more messages
chosen-plaintext attacks,(CPA) the attacker has the plain text and cipher text, but can choose the plaintext that gets encrypted to see the corresponding cipher text. some one forward your email text with encryption (I can change the Text and see the resulted Encrypted value)
chosen-ciphertext attacks, (CCA)the attacker can choose the cipher text to be decrypted and has access to the resulting decrypted plain text (most applicable against public key cryptography)

Timestamps and sequence numbers are two countermeasures to replay attacks.

In an HMAC operation, a message is concatenated with a symmetric key and the result is put through a hashing algorithm. This provides integrity and system or data authentication. CBC-MAC uses a block cipher to create a MAC, which is the last block of ciphertext

Key clustering different keys generate the same ciphertext for the same message
Collision If the algorithm does produce the same value for two distinctly different messages,

RSA algorithm’s security is based on the difficulty of factoring large numbers into their original prime numbers

The Clipper chip is a chipset that was developed and promoted by the U.S. Government as an encryption device to be adopted by telecommunications companies for voice transmission. It was announced in 1993 and by 1996 was entirely defunct.

The heart of the concept was key escrow. In the factory, any new telephone or other device with a Clipper chip would be given a "cryptographic key", that would then be provided to the government in "escrow". If government agencies "established their authority" to listen to a communication, then the password would be given to those government agencies, who could then decrypt all data transmitted by that particular telephone.

The CISSP Prep Guide states, "The idea is to divide the key into two parts, and to escrow two portions of the key with two separate 'trusted' organizations. Then, law enforcement officals, after obtaining a court order, can retreive the two pieces of the key from the organizations and decrypt the message."

There are four types of MACs:
(1) unconditionally secure,
(2) hash function based,
(3) stream cipher-based
4) block cipher-based.

The algorithm does produce the same value for two distinctly different messages, this is called a collision, MD5 is subject to this attack

HAVAL variable one way hash modification of MD5 and hash 128 or 256

An attacker can attempt to force a collision, which is referred to as a birthday attack.

A digital signature is a hash value that has been encrypted with the sender’s private key.the act of signing means encrypting the message’s hash value with a private key,

A send message to B generate hash value and then encrypt this with sender Private Key , So when B receives the message will perform the hashing function on the message, and come up with his own hash value. Then he will decrypt the sent hash value (digital signature) with Senders (A) public key and compare the two values. ensure integrity and authenticity/ non repudiation Signing means value encrypting with private Key X.509 Version 4
When users need new certificates, they make requests to the RA (registration authority)

The frequency of use of a cryptographic key has a direct correlation to how often the key should be changed

end-to-end encryption, the headers, addresses, routing, and trailer information are not encrypted however in Link encryption (some time Online encryption) every thing is encrypted and every hop need to decrypt it read the header and decide where to send traffic.

Link encryption Data Link Layer.

End-to-end encryption happens within the applications.

SSL encryption takes place at the transport layer.

PPTP encryption takes place at the data link layer.
IPsec at Network

S/MIME provides confidentiality through encryption algorithms, integrity through hashing algorithms, authentication through the use of X.509 public key certificates, and nonrepudiation through cryptographically signed message digests

protocols within PEM (Private enhanced Module) provide authentication, message integrity, encryption, and key management

Message Security Protocol (MSP) is the military’s PEM. Developed by the NSA,it is an X.400-compatible application-level protocol used to secure e-mail messages

PGP uses IDEA for Encryption , MD5 for hashing and it uses its own digital certificates.

A message can be encrypted, which provides confidentiality.
A message can be hashed, which provides integrity.
A message can be digitally signed, which provides authentication,non repudiation, and integrity.
A message can be encrypted and digitally signed, which provides confidentiality, authentication, non repudiation, and integrity.

Simple substitution and transposition ciphers are vulnerable to attacks that perform frequency analysis. In every language, there are words and patterns that are used more than others.
Some patterns common to a language can actually help attackers figure out the transformation between plaintext and ciphertext, which enables them to figure out the key that was used to perform the transformation. Polyalphabetic ciphers use different alphabets to defeat frequency analysis.

NSA took the 128-bit algorithm Lucifer that IBM developed, reduced the key size to 64 bits and with that developed DES.

Twofish. is related to Blowfish as a possible replacement for DES.

Skipjack. was developed after DES by the NSA .

Digital envelop A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver.

digital watermarking is a computing techniques for inseparably embedding unobtrusive marks or labels as bits in digital data-text, graphics, images, video, or audio#and for detecting or extracting the marks later. The set of embedded bits (the digital watermark) is sometimes hidden, usually imperceptible, and always intended to be unobtrusive. It is used as a measure to protect intellectual property rights. Steganography involves hiding the very existence of a message.

SHA-1 = 160 bit digest
SHA-256 = 256 bit digest
SHA-384 = 384 bit digest
SHA-512 = 512 bit digest

DSS provides Integrity, digital signature and Authentication, but does not provide Encryption.

An analytic attack refers to using algorithm and algebraic manipulation weakness to reduce complexity

RC5 is a fast block cipher designed by Ronald Rivest for RSA Data Security (now RSA Security) in 1994

The Clipper Chip is a NSA designed tamperproof chip for encrypting data and it uses the SkipJack algorithm. Each Clipper Chip has a unique serial number and a copy of the unit key is stored in the database under this serial number. The sending Clipper Chip generates and sends a Law Enforcement Access Field (LEAF) value included in the transmitted message. It is based on a 80-bit key and a 16-bit checksum..

Authentication Header is a mechanism for providing strong integrity and authentication for IP datagrams. It might also provide non-repudiation,

concealment cipher, every X number of words within a text, is a part of the real message.

IDEA 128 Bits

PKCS #1= RSA Cryptography Standard

AES Rijindel Algoritham
10 rounds if the key/block size is 128 bits
12 rounds if the key/block size is 192 bits
14 rounds if the key/block size is 256 bits

Cryptography supports all three goals of the CIA Triad.

Key encapsulation is one class of key recovery techniques and is defined as a key recovery technique for storing knowledge of a cryptographic key by encrypting it with another key and ensuring that that only certain third parties called "recovery agents" can perform the decryption operation to retrieve the stored key.
Key encapsulation typically allows direct retrieval of the secret key used to provide data confidentiality.
The other class of key recovery technique is Key escrow, defined as a technique for storing knowledge of a cryptographic key or parts thereof in the custody of one or more third parties called "escrow agents", so that the key can be recovered and used in specified circumstances.

ECC KEY In most cases, the longer the key, the more protection that is provided, but ECC can provide the same level of protection with a key size that is shorter than what RSA requires. Because longer keys require more resources to perform mathematical tasks, the smaller keys used in ECC require fewer resources of the device

Private key Cryptosystem is a synonym to Symmetric Key or Secret Key cryptosystems very important to remeber it in EXAM!!!!!!!!

Cipher Block Chaining and Cipher Feedback create a key that is dependent of the previous block and the final block serves as a Message Authentication Code.

Key clustering happens when a plaintext message generates identical ciphertext messages using the same transformation algorithm, but with different keys.

Blowfish is a symmetric block cipher with variable-length key (32 to 448 bits) designed in 1993 by Bruce Schneier as an unpatented, license-free, royalty-free replacement for DES or IDEA.

IKE= Key establishment , Partly based on Okley, putting in place auth keying material.
SKIP= Hybrid encryption for session Key
KEA= simmilar to DH

Users can obtain certificates with various levels of assurance.
Class 1/Level 1 for individuals, intended for email, no proof of identity
Class 2/Level 2 is for organizations and companies for which proof of identity is requiredLevel 2 certificates verify a user's name, address, social security number, and other information against a credit bureau database. -
Class 3/Level 3 is for servers and software signing, for which independent verification and checking of identity and authority is done by the issuing certificate authorityLevel 3 certificates are available to companies. This level of certificate provides photo identification to accompany the other items of information provided by a level 2 certificate.
Class 4 for online business transactions between companies-
Class 5 for private organizations or governmental security

Certificated issued to CA = ARL
Certificated issued by CA = CRL

Internet Key Exchange. A hybrid protocol that implements Oakley and Skeme key exchanges inside the ISAKMP framework. IKE can be used with other protocols, but its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations (SA).

DEA is the algorithm that fulfills DES, which is really just a standard. So DES is the standard and DEA is the algorithm, but in the industry we usually just refer to it as DES. The CISSP exam may refer to the algorithm by either name, so remember both

DES MODES
Electronic Code Book (ECB) encypt individual block , good for Databases (reveal a pattern)
Cipher Block Chaining (CBC) The results of one block are XORed with the next block before it is encrypted good large chunks of data at a time
Cipher Feedback (CFB) steady stream of data
Output Feedback (OFB) what if bit of first block get corrupted (small amount of data at a time but you need to ensure possible errors do not affect your encryption and decryption processes)
Values used to encrypt the next block of plaintext are coming directly from the keystream, not from the resulting ciphertext
Counter Mode (CTR) very similar to OFB uses IV Counter

DES-EEE3 Uses three different keys for encryption, and the data are encrypted, encrypted, encrypted.
DES-EDE3 Uses three different keys for encryption, and the data are encrypted, decrypted, and encrypted.
DES-EEE2 The same as DES-EEE3 but uses only two keys, and the first and third encryption processes use the same key.
DES-EDE2 The same as DES-EDE3 but uses only two keys, and the first and third encryption processes use the same key

CISSP CBK 5 Physical Security

2011-07-15T10:56:00.000-07:00

Physical Security

Crime Prevention Through Environmental Design (CPTED) is a discipline that outlines how the proper design of a physical environment can reduce crime by directly affecting human behavior

Soda acid removes fuel from the fire by discharging a thick form that moves the fire away from the fuel supply.
Carbon dioxide removes oxygen from the fire.
Water reduces fire temperature.
Halon (gas) or its substitutes interferes with the chemical reactions between elements in the fire.
clapper valve hold the water back in Dray pipe

Auxiliary station alarms automatically cause an alarm originating in a data center to be transmitted over the local municipal fire or police alarm circuits for relaying to both the local police/fire station and the appropriate headquarters
auditing is a technical control auditing as a audit logs

static charge of 1500 volts is able to cause disk drive data loss.
A charge of 1000 volts is likely to scramble monitor display and a charge of 2000 volts can cause a system shutdown.
It should be noted that charges of up to 20,000 volts or more are possible under conditions of very low humidity with non-static-free carpeting.

The preaction system combines both the dry and wet pipe systems,is most recommended in Comms room . though it is WATER point to remember.

The organization may also have to comply with requirements of the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA)

Tempered glass heating and immediately cooling it 6 to 7 times stronger
Acrylic glass can be made out of polycarbonate acrylic, which is stronger than
standard glass but produces toxic fumes if burned.
The strongest window material is glass-clad polycarbonate good for wide range like
fire chemical and breakage.

passive relocking function, it can detect when someone attempts to tamper with it,
in which case extra internal bolts will fall into place to ensure it cannot be compromised.

Common-mode noise is electrical noise between the hot and ground wire and between
the neutral and ground wire

If a safe has a thermal relocking function, when a certain temperature is met (possibly from drilling), an extra lock is implemented to ensure the valuables are properly protected.

Capacitance detectors monitor an electrical field surrounding the object being monitored. They are used for spot protection within a few inches of the object, rather than for overall room security monitoring used by wave detectors.

The focal length value relates to the angle of view that can be achieved. Short focal length lenses provide wider-angle views, while long focal length lenses provide a narrower view. The size of the images shown on a monitor, along with the area covered by one camera, is defined by the focal length. For example, if a company implements a CCTV camera in a warehouse, the focal length lens values should be between 2.8 and 4.3 millimeters (mm) so the whole area can be captured. If the company implements another CCTV camera that monitors an entrance, that lens value should be around 8mm, which allows a smaller area to be monitored.

depth of field refers to the portion of the environment that is in focus when shown on the monitor. The depth of field varies depending upon the size of the lens opening, the distance of the object being focuse on, and the focal length of the lens. The depth of field increases as the size of the lens opening decreases, the subject distance increases, or the focal length of the lens decreases. So, if you want to cover a large area and not focus on specific items, it is best to use a wide-angle lens and a small lens opening.

EPA-approved replacements for Halon: FM-200, NAF-S-III, CEA-410, FE-13, Water, Inergen, Argon and Argonite

Rate-of-rise temperature sensors usually provide a quicker warning than fixed-temperature sensors

Lighting should be used to discourage intruders and provide safety for personnel, entrances, parking areas and critical sections. Critical areas should be illuminated 8 feet high and 2 feet out.

CISSP CBK 4 Telecom and Network security

2011-06-20T15:02:00.001-07:00

Forth domain as under.

Telecom and Network security

Quarter Inch Cartridge drives (QIC). This format is mostly used for home/small office backups, has a small capacity, and is slow, but inexpensive.

Digital Linear Tape (DLT) is only 0.498 inches (8mm Tape format) in size, yet the compression techniques and head scanning process make it a large capacity and fast tape the QIC and DAT 5Mbps. Digital Audio Tape (DAT)

LTO (Linear Tape-Open) open-format technology and storage in TB

Application: Gateway

Presentation: encryption, compression, formating

Session:

Transport:

Network: Router

Datalink: Bridge, Switch

Physical: Repeater

Amplitude (height of the signal)

Frequency (number of waves in a defined period of time)

Digital signals are more reliable to be used over a longer distance because can easily be extracted from noise and retransmitted and it has only two possible discrete values 1 and 0

ASynchronous communication sender can send data at any time, and the receiving end must always be ready. (Modem use start and stop bit Asynchronous)

Synchronous communication takes place between two devices that are synchronized usually via a clocking mechanism (Remember synchronous Token was time based access control)

Baseband uses the entire communication channel for its transmission, Ethernet is a baseband technology that uses the entire wire for just one channel.

Broadband divides the communication channel into individual and independent channels.

***Important to note that node authentication, by itself, should not be used to establish trustworthiness of a user within the network.

Fast Ethernet uses the traditional CSMA/CD

wireless LAN technology, 802.11, usesCSMA/CA for its media access functionality.

Token Ring IEEE 802.5 standard. Each computer is connected to a central hub, called a Multistation Access Unit (MAU) 16 Mbps Speed

UTP Categories Cat 1 voice grade Cat 2 Data 4 Mbps Cat 3 10 Mbps for Token ring Cat 4 16 Mbps Cat 5 100 Mbps and Cat 5E 1 Gbp.

Polling LAN media access method setup primary and secondary station primary ask secodary if it need to transmit.

MAC to IP address ARP

IP to MAC = RARP

Attackers alter a system’s ARP table so it contains incorrect information known ARP table poisoning. The attacker’s goal is to receive packets intended for another computer. This is a type of masquerading attack

Wires are encapsulated within pressurized conduits so if someone attempts to access a wire, the pressure of the conduit will change, causing an alarm to sound.

Class D multicast uses IGMP protocol.

DHCP Discover, client searches for the present DHCP Server

DHCP Offer, Server offer a client an available IP address

DHCP Request, Client Confirms accepting allocated setting

DHCP Pack. ack that ip address has been allocated with lease time.

DHCP snooping ensures that DHCP servers can assign IP addresses to only selected systems, identified by their MAC addresses

RARP The diskless machine hold mac adress it broadcast the information for a specific hardware address and RARP Server reponds with IP address

RARP evolved into BOOTP, which evolved into DHCP.

ARP knows the IP address and broadcasts to find the matching hardware address, the MAC address. RARP knows the hardware address and broadcasts to find the IP address

Loki attack ICMP status packet is stuffed with data as well

Routers usually do not pass broadcast information, but bridges do pass broadcast information

e-mail gateway convert the message into a standard that all mail servers understand X.400

phreaker (a phone hacker)

Types of Firewalls

1. Packet filtering simple ACL based (Network Layer)

2. Stateful keep track of every connection state and maintain state table. (Transport Layer 3rd Generation)

3. Proxy 2nd generation firewall, it had 2 types

3.1 application-level (layer 7 make decision on contents of packet) does not understand a certain protocol

3.2 circuit-level Proxy firewalls (session Layer) SOCKS is a circuit-level proxy gateway

4. Dynamic packet filtering 4th Generation firewall, once inside system decide to communicate firewall creates an ACL that allows the external entity to communicate with the internal system via this high port

5. Kernel proxy 5th generation FW uses stacking for packet inspection,.(Application Layer)

Three main FW architecture

• Screened host

• Dual-home

• Screened subnet

legal honeypot Enticement system indicating that free Songs are available to download on the honeypot system is entrapment, because this sets up the user to access the honeypot for reasons other than the intent to harm

DNS Hierarical structure 1992 the National Science Foundation (NSF)

authoritative root DNS server contained 13 files one for each root server.

DNS namespaces are split up administratively into zones and record are called Resource Record

It is recomended to have two DNS servers Primary and secondary and zones are shared via zone transfer.

cyber squatters, individualswho register prominent or established names, hoping to sell these later

Protocol field values TCP 6, UDP 17, ICMP 1, IGMP 2

Diverse routing is a method of providing telecommunication continuity that involves routing traffic through split or duplicate cable facilities. Alternative routing is accomplished via alternative media such as copper cable or wire optics

Transport layer is responsible for reliable data delivery , Congestion Control

IEEE 802.5 standard defines the token ring media access method.

802.3 refers to Ethernet's CSMA/CD,

802.11 refers to wireless communications and

802.2 refers to the logical link control.

NFS allow Different types of file systems to interoperate.

FRDS+ (Failure Resistant Disk System Plus).

The physical layer (layer 1) defines the X.24, V.35, X.21 and HSSI standard interfaces.

Circuit level proxy (Session Layer) does not anayze the application content of the packet in making its decisions, it has lower overhead than an application level proxy

Internet Message Access Protocol, version 4 (IMAP4) as an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client. IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services

TLS = (TLS) Handshake Protocol + TLS Record Protocol

Digital Signal level 1 (DS-1) is the framing specification used for transmitting digital signals at 1.544 Mbps on a T1 facility. DS-0 is the framing specification used in transmitting digital signals over a single 64 Kbps channel over a T1 facility. DS-3 is the framing specification used for transmitting digital signals at 44.736 Mbps on a T3 facility.

The Point-to-Point Protocol (PPP) was designed to support multiple network types over the same serial link SLIP only support IP over serial network

A Failure Resistant Disk System provides the ability to reconstruct the contents of a failed disk onto a replacement disk and provides the added protection against data loss due to the failure of many hardware parts of the server.

Data Link layer of the OSI/ISO model provides SLIP, CSLIP and PPP protocol.

DOD Application Layer contains protocols that implement user-level functions, such as mail delivery, file transfer and remote login.

DOD Host-to-Host Layer handles connection rendez vous, flow control, retransmission of lost data, and other generic data flow management between hosts. The mutually exclusive TCP and UDP protocols are this layer's most important members.

DOD Internet Layer is responsible for delivering data across a series of different physical networks that interconnect a source and destination machine. Routing protocols are most closely associated with this layer, as is the IP Protocol, the Internet's fundamental protocol.

DOD Network Access Layer is responsible for delivering data over the particular hardware media in use. Different protocols are selected from this layer, depending on the type of physical network

A differential backup is a partial backup that copies a selected file to tape only if the archive bit for that file is turned on, indicating that it has changed since the last full backup. A differential backup leaves the archive bits unchanged on the files it copies.

A full copy backup (which Microsoft calls a copy backup) is identical to a full backup except for the last step. The full backup finishes by turning off the archive bit on all files that have been backed up. The full copy backup instead leaves the archive bits unchanged.

Structured Query Language (SQL), implemented at the session layer (layer 5)

The Secure Electronic Transaction (SET) protocol requires two pair of asymmetric keys and two digital certificates.(Application Layer)

Hierarchical Storage Management (HSM) is commonly employed in very large data retrieval systems

Write-once, read-many (WORM) optical disk "jukeboxes" are used for archiving data that does not change.

Secure HTTP (S-HTTP) is designed to send individual messages securely. SSL is designed to establish a secure connection between two computers. SET was originated by VISA and MasterCard as an Internet credit card protocol using digital signature

Secure HTTP (S-HTTP), which operates at the application layer. S-HTTP is being overtaken by SSL and TLS works on transport layer#

X.400 is used in e-mail as a message handling protocol. X.500 is used in directory services. X.509 is used in digital certificates and X.800 is used a network security standard

An open network architecture is one that no vendor owns

intranet, a “private” network that uses Internet technologies.

extranet extends outside the bounds of the company’s network to enable two or more companies.

MAN Connects LAN, MANs are Synchronous Optical Networks (SONETs) or FDDI rings

SONET self HEaling network

ATM encapsulates data in fixed cells 53 bytes

T3 = 28 T1

T2 = 4 T1

T4 = 168 T1

T1 1.544 Mbps

T3 44.736 Mbps

OC1 51.84 Mbps

Statistical time-division multiplexing (STDM) determines in real time how much time each device should be allocated for data transmission

Frequency division Multiplexing: in available wireless spectrum Each frequency within the spectrum is used as a channel to move data

CSU/DSU provides a digital interface for Data Terminal Equipment (DTE), such as terminals, multiplexers, or routers, and an interface to the Data Circuit-Terminating Equipment (DCE) device,

circuit Switching Dedicated virtual link.

Packet Switching one connection can pass through a number of different individual devices.X.25 , framerelay

DTE is usually a customer-owned device

DCE is the service provider’s device

Switched Multimegabit Data Service (SMDS) is a high-speed packetswitched technology

Synchronous Data Link Control (SDLC) Dedicated leased lines IBM 1970

High-level Data Link Control (HDLC) protocol is also a bit-oriented link layer protocol used for transmission over synchronous lines (time based)

HDLC is extention of SDLC

High-Speed Serial Interface (HSSI) is an interface used to connect multiplexers and

routers to high-speed communications services

SIP is an application layer protocol that can work over TCP or UDP

isochronous network contains the necessary protocols and devices that guarantee continuous bandwidth without interruption.

voice stream is carried on media protocols such as the Real-time Transport Protocol (RTP).

User Agent Client (UAC) IPhone, SIP Phone

User Agent Server (UAS) SIP Server

New spam for VOIP = SPIT (Spam over Internet Telephony).

WEP only provide system authentication however 802.1X provides User authentication.

supplicant (wireless device),

authenticator (AP),

Authentication server (usually a RADIUS server).

EAP allows for mutual authentication to take place between the authentication server and wireless device and provide flexibility.

802.11i does not specify particular authentication protocols Cisco uses a purely password-based authentication framework called Lightweight Extensible Authentication Protocol (LEAP). Other vendors, including Microsoft, use EAP and Transport Layer Security (EAP-TLS), which carries out authentication through digital certificates. And yet another choice is Protective EAP (PEAP), where only the server uses a digital certificate

WEP Problems

1. static WEP encryption keys on all devices (every one have same pasword in company)

2. how initialization vectors (IVs) + RC4 are used that are XOR with packet to produce cipher text (IV value is used over and over again)

3. integrity assurance issue ICV Integrity check value

802.15 Bluetooth 1 to 3 Mbps 2.4 GHz Bluejacking is a type of attach some one send message to avoid setup ur blouetooth device undiscoverable.range is 10 Meter

For WAP transport layer security protocol called Wireless Transport Layer Security (WTLS) When WTLS data come for Internet service provider have to decrypt and encrypt it back in TLS And SSL so it is in plain taxt for a second whihc is called gap in the WAP

WAP uses an XML-compliant Wireless Markup Language (WML

Imode is same as WAP but target entertainment market , i-Mode works with a slimmed-down version of HTML called compact HTML

“log scrubbers” that remove traces of the attacker’s activities from the system logs

First generation firewall" packet filtering firewalls

"Second generation firewall" Proxy based firewalls. Under proxy based firewall you have Application Level Proxy and also the Circuit-level proxy firewall. The application level proxy is very smart and understand the inner structure of the protocol itself. The Circuit-Level Proxy is a generic proxy that allow you to proxy protocols for which you do not have an Application Level Proxy. This is better than allowing a direct connection to the net. Today a great example of this would be the SOCKS protocol.

"Third generation firewall" Stateful Inspection firewall. This type of firewall makes use of a state table to maintain the context of connections being established.

"Fourth generation firewall" dynamic packet filtering firewall

WAP Stack

Wireless Markup Language (WML)

Wireless Application Environment (WAE)

Wireless Transport Layer Security Protocol (WTLS)

Wireless Application Environment (WAE)

Wireless Session Layer (WSL)

Wireless Transport Layer (WTL)

TCP Wrapper is a program that monitors incomming packets. It is considered open source. TCP Wrappers can be used to control when UDP servers start, but it has no other control over the server once it is started. UDP servers may continue to run after they've finished processing a legitimate request.

Again PPTP operates at Layer 2 of the OSI model.

High-rate Digital Subscriber Line (HDSL) delivers 1.544 Mbps of bandwidth each way over two copper twisted pairs.

SDSL also delivers 1.544 Mbps but over a single copper twisted pair.

IPSec Transport mode is established when the enpoint is a host

10Base2, also known as RG58, or thinnet, is limited to 185 meters. 10Base5, also known as RG8/RG11 or thicknet, is limited to 500 meters

Failure Resistand Disk System (FRDS) is that it enables the continuous monitoring of these parts and the alerting of their failure.

AH (51) provides integrity, authentication, and non-repudiation. Security Associations (SAs) can be combined into bundles to provide authentication, confidentialility and layered communication.

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

There are six basic security services defined by the OSI:

Authentication, access control, data confidentiality, data integrity, nonrepudiation and logging and monitoring.

POP 110

Post Office Protocol (POP2) 109

Network News Transfer Protocol 119

NetBIOS 139

The TRANSPORT LAYER establish logical connection between the END POINTS of an internetwork, that is, the originating host and the destination host.

The Land attack involves the perpetrator sending spoofed packet(s) with the SYN flag set to the victim's machine on any open port that is listening

The Boink attack, involves the perpetrator sending corrupt UDP packets to the host. It however allows the attacker to attack multiple ports where Bonk was mainly directed to port 53 (DNS

CISSP CBK 3 Security Architecture and Design

2011-06-15T15:13:00.000-07:00

Hi everyone, 3rd domain is as under

System is working in asymmetric mode one CPU is dedicated to one application.

A process is the set of instructions that is actually running, program is not a process until unless its is loaded and being allocated resources.

multiprogramming, which means that more than one program (or process) can be loaded i.e antivirus and another programme running side by side

.A maskable interrupt is assigned to an event that may not be overly important and the programmer can indicate that if that interrupt calls, the program does not stop what it is doing. Non-maskable interrupts can never be overridden by an application because the event that has this type of interrupt assigned to it is critical. As the reset button.

Watchdog timer is an example of critical process that resets the system if the system cannot recover it self from the problem

thread is made up of an individual instruction set and the data that must be worked on by the CPU like print function in word process multi threading refers to the multiple thread handling simultaneously.

A garbage collector is software that runs an algorithm to identify unused committed memory and then tells the operating system to mark that memory as “available.”

kernel mode, privileged mode, and supervisory mode all mean the same thing A monolithic kernel means all of the kernel’s activity works in privileged (supervisory) mode windows vista anad xp are all monolitic operating system as alll function workd inside kernel

Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model.

The reference monitor is an abstract machine that mediates all access subjects have to objects

Security labels are not required until security rating B; thus, C2 does not require security labels but B1 does.

TCSEC addresses confidentiality, but not integrity ITSEC addresses CIA

Limitation of Orange book is it dosent evaluate the system for what those users do with the information oncethey are authorized, Only address Single system Security

Trusted Network Interpretation (TNI), also called the Red Book because of the color of its cover, addresses security evaluation topics for networks and network components. It addresses isolated local area networks and wide area internetwork systems.

ITSEC (European) actually separates these two attributes (functionality and assurance) and rates them separately, whereas TCSEC clumps them together and assigns them one rating (D through A1).

Certification is the comprehensive technical evaluation of the security components and their compliance for the purpose of accreditation.

Accreditation Accreditation is the formal acceptance of the adequacy of a system’s overall security and functionality by management.

Certification is a technical review that assesses the security mechanisms and evaluates their effectiveness. Accreditation is management’s official acceptance of the information in the certification process findings

Security testing and trusted distribution are required for Life-Cycle Assurance.

DIACAP

DIACAP (DoD Information Assurance Certification and Accreditation Process) effective Nov 2007 for C&A within the Department of Defense.

The DoD Information Assurance Certification and Accreditation Process (DIACAP) is the United States Department of Defense (DoD) process to ensure that risk management is applied on information systems (IS). DIACAP defines a DoD-wide formal and standard set of activities, general tasks and a management structure process for the certification and accreditation (C&A) of a DoD IS that will maintain the information assurance (IA) posture throughout the system 's life cycle.

NIACAP

National Information Assurance Certification and Accreditation Process (NIACAP), establishes the minimum national standards for certifying and accrediting national security systems.

HIPAA

The HIPAA legislation had four primary objectives:

(1) Assure health insurance portability by eliminating job-lock due to pre-existing medical conditions,

(2) Reduce healthcare fraud and abuse,

(3) Enforce standards for health information and

(4) Guarantee security and privacy of health information.

B2 and B3 are concerned with covert channels, only level A1 involves a formal covert channel analysis.

In state machine models, to verify the security of a system, the state is used

Evaluation is the process of independently assessing a system against a standard of comparison, such as evaluation criteria.

Certification is the process of performing a comprehensive analysis of the security features and safeguards of a system to establish the extent to which the security requirements are satisfied.

Accreditation is the official management decision to operate a system.

Acceptance testing refers to user testing of a system before accepting delivery.

Orange book Operational Assurance and Life-Cycle Assurance.

Clark Wilsom integrity model defines a constrained data item, an integrity verification procedure and a transformation procedure?

National Computer Security Center (NCSC)= TCSEC

The life cycle assurance requirements specified in the Orange Book are:

security testing,

design specification and testing (B1,2,3,A1),

configuration management

trusted distribution(A1).

System integrity is also defined in the Orange Book but is an operational assurance requirement, not a life cycle assurance requirement

Complex Instruction Set Computer (CISC) uses instructions that perform many operations per instruction.

Pipelining involves overlapping the steps of different instructions to increase the performance in a computer.

Reduced Instruction Set Computers (RISC) involve simpler instructions that require fewer clock cycles to execute.

Scalar processors are processors that execute one instruction at a time.

Polyinstantiation permits a database to have two records that are identical except for their classifications

Information Labels contain more information than Sensitivity Levels, but are not used by the Reference Monitor to determine access permissions.

There are three main requirements of the security kernel:

• It must provide isolation for the processes carrying out the reference monitor concept, and the processes must be tamperproof.

• It must be invoked for every access attempt and must be impossible to circumvent. Thus, the security kernel must be implemented in a complete and foolproof way.

• It must be small enough to be able to be tested and verified in a complete and comprehensive manner.

Indirect addressing is when the address location that is specified in the program instruction contains the address of the final desired location.

Direct addressing is when a portion of primary memory is accessed by specifying the actual address of the memory location.

Indexed addressing is when the contents of the address defined in the program's instruction is added to that of an index register.

D – Minimal protection

C – Discretionary protection

C1 – Discretionary Security Protection

C2 – Controlled Access Protection

B – Mandatory Protection

B1 – Labeled Security

B2 – Structured Protection

B3 – Security Domains

A – Verified Protection

A1 – Verified Design

In MAC Model subject has clearance and Need to know when this alliens with Object classification and Category information can flow

EAL 1 : functionally tested

EAL 2 : structurally tested

EAL 3 : methodically tested and checked

EAL 4 : methodically designed, tested and reviewed

EAL 5 : semifomally designed and tested

EAL 6 : semifomally verified design and tested

EAL 7 : fomally verified design and tested.

NIST PRODUCES and PUBLISHES the Federal Information Processing Standards (FIPS)

operational assurance requirements specified in the Orange Book are

1. system architecture,

2. system integrity,

3. covert channel analysis,

4. trusted facility management

5. trusted recovery

Trusted Facility Management is Separation of Duties and is provided in the form of support for system administrator and operator functions and that stringent configuration management controls are imposed. You have single accounts to perform specific functions and not general accounts available to all individuals. (single admin account is use to do all Security things)

Polyinstantiation permits a database to have two records that are identical except for their classifications (i.e., the primary key includes the classification). Thus, APFEL's new unclassified record did not collide with the real, top secret record, so APFEL was not able to learn about FIGs pineapples.

Polymorphism is a term that can refer to, among other things, viruses that can change their code to better hide from anti-virus programs or to objects of different types in an object-oriented program that are related by a common superclass and can, therefore, respond to a common set of methods in different ways. That's also irrelevant to this question.

CISSP CBK 2 Access control

2011-06-05T11:35:00.001-07:00

Access Control

Hi every one !!! Cramm sheet for Second domain as ready

A race condition is when processes carry out their tasks on a shared resource in an incorrect order like authorization is done before authentication.

When system rejects an authorized individual, it is called a Type I error (false rejection rate). When the system accepts impostors who should be rejected, it is called a Type II error (false acceptance rate).

CER (Cross Error Rate) where Type I and Type II matches and CER 3 is good then CER 4
Biometrics Process time 5 to 10 minutes

OTP asynchronous is based on challenge/response mechanisms, while synchronous is based on time- or counter-driven mechanisms

Rainbow table An attacker uses a table that contains all possible passwords already in a hash format.

A digital signature is a technology that uses a private key to encrypt a hash value (message digest). The act of encrypting this hash value with a private key is called digitally signing a message

A memory card holds information but cannot process information. A smart card holds information and has the necessary hardware and software to actually process that information.

Fault Generation attach attacker generate the fault and try to figure out how the system behave like in smart card they increase the input voltage

Side channel attack the attacker watches how something works and how it reacts in different situations instead of trying to “invade” it

Kerberose The authentication service is the part of the KDC that authenticates a principal, and the TGS is the part of the KDC that makes the tickets and hands them out to the principals.
TGTs are used so the user does not have to enter his password each time he needs
to communicate with another principal

Kerberos uses tickets to authenticate subjects to objects, whereas SESAME (it is used to address the weakness in Kerberose and uses symmetric and Asymmetric Encryption) uses Privileged Attribute Certificates (PACs),

Three main types of access control models:
discretionary, (Owner gives access to resource) identity based access control
mandatory, (owners dont have control every thing is based upon clerence levels
nondiscretionary (also called role based). (RBAC model is the best system for a company that has high employee turnover)

Controls are implemented to mitigate risk and reduce the potential for loss. Preventive controls are put in place to inhibit harmful occurrences; detective controls are established to discover harmful occurrences; corrective controls are used to restore systems that are victims of harmful attacks.

DAC Data owners decide who has access to resources, and ACLs are used to enforce the security policy.
MAC Operating systems enforce the system’s security policy through the use of security labels.
RBAC Access decisions are based on each subject’s role and/or functional position

Access control matrix Table of subjects and objects that outlines their access relationships
ACL Bound to an object and indicates what subjects can access it
Capability table Bound to a subject and indicates what objects that subject can access
Content-based access Bases access decisions on the sensitivity of the data, not solely on subject identity
Context-based access Bases access decisions on the state of the situation, not solely on identity or content sensitivity
Restricted interface Limits the user’s environment within the system,thus limiting access to objects
• Rule-based access Restricts subjects’ access attempts by predefined rules

Watchdog timers are commonly used to detect software faults, such as a process ending abnormally or hanging
Diameter is a peer-based protocol that allows either end to initiate cnnection.

Administrative Controls
• Policy and procedures
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing
Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups
• Cabling
• Control zone
Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Auditing

The seven different access control functionalities are asfollows:
• Deterrent Intended to discourage a potential attacker
• Preventive Intended to avoid an incident from occurring
• Corrective Fixes components or systems after an incident has occurred
• Recovery Intended to bring controls back to regular operations
• Detective Helps identify an incident’s activities
• Compensating Controls that provide for an alternative measure of control
• Directive Mandatory controls that have been put in place due to regulations or environmental requirements
threshold = clipping Level
when hacker deletes the audit logs it is known as Scrubbing

Avoid Tempest two solution control Zone by having special material in the walls to contain electrical signals or White Noise uniform spectrum of random electrical signals.

entrapment is illegal where u trap the hacker
Entrancement when you leave a system as a honey pot
Pharming is the DNS poisoning

DAC is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix (access control Matrix). MAC is implemented and enforced through the use of security labels.

In the lattice model, users are assigned security clearences and the data is classified. Access decisions are made based on the clearence of the user and the classification of the object.

Cognitive passwords are fact or opinion-based information used to verify an individuals identity
Due Diligance is for Compliance

A network-based IDS is passive while it acquires data.

Bell-LaPadula model Simple security rule: A subject cannot read data within an object that resides at a higher security level ("No read up" rule).*- property rule: A subject cannot write to an object at a lower security level ("No write down" rule).

Assurance procedures ensure that access control mechanisms correctly implement the security policy for the entire life cycle of an information system.

The position of a bank teller is a specific role within the bank, so you would implement a role-based policy

Kerberose is authentication NOTT authorization service

Soft Control is another way of referring to Administrative control

From most effective (lowest CER) to least effective (highest CER) are: Iris scan, fingerprint, voice verification, keystroke dynamics.

Emanation attacks are the act of intercepting electrical signals that radiate from computing equipment (TEMPEST)

SESAME uses Attribute Certificate (AC) that allows for granular access control . It supports authentication, confidentiality but also authorization. In environment with well defined roles and capability is an issue , SESAME and PERMIS are role based single sign on technologies

Capability is Row in Matrix and ACL is Column in Matrix.

Access control list (ACL) "It [ACL] specifies a list of users [subjects] who are allowed access to each object"
A capability table are used to track, manage and apply controls based on the object and rights, or capabilities of a subject
An access control matrix is a way of describing the rules for an access control strategy.

Discretionary access control is Identity based ACL (widely used in Commercial environment)
MAC is Lattice Based.

Systems accountability depends on the ability to ensure that senders cannot deny sending information and that receivers cannot deny receiving it. Because the mechanisms implemented in nonrepudiation prevent the ability to successfully repudiate an action, it can be considered as a preventive control.

A Subject could be a users, a programs, a print queue, and processes where Objects would be files, directories, devices, windows, and sockets
Padded cells are simulated environments to which IDSs seamlessly transfer detected attackers and are designed to convince an attacker that the attack is going according to the plan.

Principle P1 authenticates to the Key Distribution Center (KDC), principle P1 receives a Ticket Granting Ticket (TGT), and principle P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2

The Clark-Wilson model uses separation of duties, which divides an operation into different parts and requires different users to perform each part. This prevents authorized users from making unauthorized modifications to data, thereby protecting its integrity.

Each ticket in Kerberos has a timestamp and are subject to time expiration to help prevent replay attack

In 1973 Bell and LaPadula created the first mathematical model of a multi-level security system.

Biometric devices can be use for either IDENTIFICATION or AUTHENTICATION
ONE TO ONE is for AUTHENTICATION
ONE TO MANY is for IDENTIFICATION

Internal consistency of the information system. ensures that internal data is consistent, the subtotals match the total number of units in the data base. total number of Printers in LAN

External consistency of the information system. External consistency is were the data matches the real world. If you have an automated inventory system the numbers in the data must be consistent with what your stock actually is.

Rule based or role based = Non-Discretionary Access Control (NDAC)
Identity based = DAC

Computer Security Policy Model Orange Book is based is the Bell-LaPadula Model.
Bell LaPadula = Confidentiality , NO READ UP
* STAR (NO Write Down)

ClarkWilson = Program B/W subject and Object/ Separation of Duties

BIBA *STAR = NO Write UP

Twofish encryption to encrypt network traffic thereby evading IDS/IDP detection. Netcat is a utility that can be used to open ports on a compromised host.Cryptcat does this but supports twofish (Schneier) encryption which is not decryptable by an IDS in transit
Static Password token the owner identity is authenticated by the token. An example of this occurring is when an employee swipes his or her smart card over an electronic lock to gain access to a store room. (smart card is like users password something you have)

The hand geometry pattern can be stored in only 9 bytes. Retina pattern uses 96 bytes whereas the fingerprint uses between 0.5 and 1.5 kb and the voice pattern typically uses between 1 and 10 kb.

The principal decrypts the message containing the session key (Kc, tgs) with its secret key (Kc), and will now use this session key to communicate with the TGS principal (sometimes refer to as resource or server) he wishes to access.

The Operations Security domain is concerned with triples - threats, vulnerabilities and assets. (ATV)

The hand geometry pattern can be stored in only 9 bytes
Retina pattern uses 96 bytes whereas the fingerprint uses between 0.5 and 1.5 kb
voice pattern typically uses between 1 and 10 kb

The Take-Grant access control model uses a directed graph to specify the rights that a subject can transfer to an object, or that a subject can take from another subject. The Biba and Clark-Wilson models are integrity models and the Non-interference model is an information flow model.

CISSP CBK 1 Information Security and Risk Mgmt

2011-06-04T09:43:00.000-07:00

Information Security and Risk Mgmt

Hi guys, I have strated writing down Cramm sheet for CISSP Exam, though it is tough task buy I am commited to complete it by the end of June 2011.

All the best for Exam.

Control Objectives for Information and related Technology (CobiT) is a framework and set of best practices developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI)

CobiT was derived from the COSO framework, developed by the Committee of Sponsoring Organizations (COSO)

COSO is a model for corporate governance and CobiT is a model for IT governance. COSO deals more at the strategic level, while CobiT focuses more at the operational level. You can think of CobiT as a way to meet many of the COSO objectives, but only from the IT perspective.

BS7799 Part 1, which outlines control objectives and a range of controls that can be used to meet those objectives; and BS7799 Part 2, which outlines how a security program can be set up and maintained. BS7799 Part 2 also served as a baseline that organizations could be certified against. Organization can decide to be accredited against for part 2 or only the portion of part 2 same is the case with ISO17799

ISO9000 Quality Control

• ISO/IEC 27001 Based on British Standard BS7799 Part 2, which is establishment, implementation, control, and improvement of the Information Security Management System
• ISO/IEC 27002 Code of practice providing good practice advice on ISMS (previously known as ISO 17799), itself based on British Standard BS 7799 Part 1
• ISO/IEC 27004 A standard for information security management measurements
• ISO/IEC 27005 Designed to assist the satisfactory implementation of information security based on a risk management approach
• ISO/IEC 27006 A guide to the certification/registration process
• ISO/IEC 27799 A guide to illustrate how to protect personal health information
http://www.27000.org/

CobiT and COSO provide the “what is to be achieved,” but not the “how to achieve
it.” This is where ITIL and the ISO/IEC 27000 series come in

Annualized Loss Expectancy (ALE) is the average monetary value of losses per year.

Annualized Loss Expectancy = Single Loss Expectancy * Annualized Rate of Occurrence

Discretionary Access Control (DAC) DACs are an access control policy that restricts
access to files and other system resources based on the identity and assignment of
the user and/or the groups to which the user belongs. DACs are considered a
policy-based control.

Functional Requirements evaluation means, “Does this solution carry out the
required tasks?”

Assurance requirements evaluation means, “How sure are we of the level of
protection this solution provides?” Assurance requirements encompass the integrity,
availability, and confidentially aspects of the solution

The Annnualized Rate of Occurence (ARO) is a value that represents the estimated
frequency in which a threat is expected to occur.if 100 DEO doo 1 mistake every
month and 12*100 = 1200 ARO

Good Configuration Management process is one that can
(1) accommodate change;
(2)accommodate the reuse of proven standards and best practices;
(3) ensure that all requirements remain clear, concise, and valid;
(4) ensure changes, standards, and requirements are communicated promptly and precisely;
(5) ensure that the results conform to each instance of the product.

Risk is the possibility of damage happening and the ramifications of such damage
should it occur. Information risk management (IRM) is the process of identifying
and assessing risk, reducing it to an acceptable level, and implementing the right
mechanisms to maintain that level. There is no such thing as a 100 percent secure
environment.

Standards are a "Mandatory statement of minimum requirements that support some part
of a policy, the standards in this case is your own company standards and not
standards such as the ISO standards

Guidelines are discretionary or optional controls used to enable individuals to make judgments with respect to security actions

Procedures are step-by-step instructions in support of of the policies, standards, guidelines and baselines. The procedure indicates how the policy will be implemented and who does what to accomplish the tasks

Test equipment must be secured. There are equipment and other tools that if in the wrong hands can "sniff" a network traffic and be used to commit fraud. The storage and use of this equipment should be detailed in the security policy for this reason.

It is common for system development and systems maintenance to be undertaken by the same person. In both cases the programmer requires access to the source code in the development environment, but should not be allowed access in the production environment.
Other choices are not correct.

The roles of security administration and change management are incompatible functions. The level of security administration access rights could allow changes to go undetected. Computer operations and system development are incompatible since it would be possible for an operator to run a program that he/she had amended. The system development and change management task are incompatible because the combination of system development and change control would allow program modifications to bypass change control approvals.

The common steps used the the development of security policy are initiation of the
project, evaluation, development, approval, publication, implementation, and
maintenance.

The other choices listed are the phases of the software development life cycle and not the step used to develop documents such as Policies, Standards, etc...

The data owner, not the database administrator, is responsible for accurate use of the information and should normally provide authorization for users to gain access to computerized information. The database administrator (DBA) handles technical matters, not access authorization to data.

Threat analysis is the examination of threat sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

A risk analysis has three main goals: identify risks, quantify the impact of potential threats, and provide an economic balance between the impact of the risk and the cost of the associated countermeasure.

Choosing the best countermeasure is not part of the risk analysis. The Operations Security domain is concerned with triples - threats, vulnerabilities and assets.

Risk Analysis Steps

1 Assign Vlaue to Assets
2 Estimate Potential loss per threat (SLE)
3 Perform a threat Analysis (ARO)
4 Derive overall annlai Loss potential per threat (ALE)
5 Reduce/ Transfer/ Avoid and Accept the Risk
SLE = Asset Value x Exposure Factor
ALE = SLE x ARO

Risk Analysis = value to assets + risk analysis and assessment + Countermeasure
selection

Advisory
Advisory policies are security polices that are not mandated to be followed but are strongly suggested, perhaps with serious consequences defined for failure to follow them (such as termination, a job action warning, and so forth). A company with such policies wants most employees to consider these policies mandatory.

Most policies fall under this broad category.

Advisory policies can have many exclusions or application levels. Thus, these policies can control some employees more than others, according to their roles and responsibilities within that organization. For example, a policy that
requires a certain procedure for transaction processing might allow for an alternative procedure under certain, specified conditions.
Regulatory
Regulatory policies are security policies that an organization must implement due to compliance, regulation, or other legal requirements. These companies might be financial institutions, public utilities, or some other type of organization that operates in the public interest. These policies are usually very detailed and are specific to the industry in which the organization perates.
Regulatory polices commonly have two main purposes:

1. To ensure that an organization is following the standard procedures or base practices of operation in its specific industry
2. To give an organization the confidence that it is following the standard and accepted industry policy

Informative
Informative policies are policies that exist simply to inform the reader. There are no implied or specified requirements, and the audience for this information could be certain internal (within the organization) or external parties. This does not mean that the policies are authorized for public consumption but that they are general enough to be distributed to external parties (vendors accessing an extranet, for example) without a loss of confidentiality.
Computer security should be first and foremost cost-effective.

Access to facilities by is not considered as a personnel security control, but as a Physical/environmental control.

threats × vulnerability × asset value = total risk
(threats × vulnerability × asset value) × controls gap = residual risk

The Sec policy should not dictate business objectives
Isssue Specific Policy (email usage policy)
system-specific policy (approved SW list, Hos IDS and FW are deployed

**standards, guidelines, and procedures are the tactical (short term Goal) tools used to achieve and support the directives in the security policy, which is considered the strategic goal (long term end point Goal)

security policy says customer information should be protected standard says data stored in DB should be AES and If in transit should be IPSEC and Procedure explains how to setup AES encryption, guidelines cover how to handle cases when data is accidentally corrupted or compromised during transmission

Due Diligence = Do Detect (understand risk company faces)
Due Care = Do Correct (steps taken do identify the risk)

Confidential
Private
Sensitive
Public

and now Military

Top Secret
Secret
Confidential
sensitive but unclassified
unclassified

commercial sector is described next:

For official use only Financially sensitive
Proprietary Protects competitive edge
Privileged Ensures conformance with business standards and laws
Private Contains records about individuals

Sensitive : Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorized modification or deletion. b) Requires higher than normal assurance of accuracy and completeness.
Examples : Financial Information , Details Of Projects , Profit Earnings and Forecasts
Organization : Commercial Businesses
Private : a) Personal information for use within a company b) Unauthorized disclosure could adversely affect personnel or company.
Examples : Work History , Human resources information , Medical information
Organization : Commercial Businesses
Secret : a) If disclosed , it could cause serious damage to national security.
Examples : Deployment plans for troops , Nuclear bomb placement