How to Pass CISSP

The document provides a comprehensive overview of the CISSP exam, detailing the Common Body of Knowledge (CBK) divided into ten sections, test structure, and key concepts in security management practices, laws, and ethics. It emphasizes the importance of business continuity planning, physical security measures, and application security, while also discussing various certifications and legal frameworks relevant to information security. Additionally, it highlights the significance of risk management, evidence collection, and operational security in maintaining effective security protocols.

Uploaded by Ghajini Sanjay

How to Pass the CISSP

The Evil Geniuses Edition.. bawahahaha

The CBK
- Divided into 10 sections
- The test is 250 questions
- Ethics questions are guaranteed to be there
- Every test is different
- Expect 20 questions from each section
- These slides are based on the notes from someone who took the class
Security Management Practices
- The concept of due diligence
  - Due diligence: the idea that everything that could be done has been done.
- Mgt anything.... If you see management as part of an answer, consider it VERY seriously. It seems like it is always the right answer.
- Remember.... C-I-A: Confidentiality, Integrity, Availability. Same as above: if you see one of these as a possible answer, it is probably the correct answer.
- The user is primarily responsible for the security of data. This means that management may create controls to secure data, but ultimately the user is the one who decides to follow them.

Security Management Practices
- Least privilege: "need to know" basis
- Standards, Baselines, Procedures, Guidelines
  - Standards: think HW/SW mechanism, like Norton being the standard for anti-virus
  - Baseline: think platform-unique
  - Procedures: think required
  - Guidelines: think recommended

Security Management Practices
- The Books
  - Red Book = Trusted Network Interpretation (the Orange Book for networks)
  - Orange Book = Trusted Computer System Evaluation Criteria
    - Confidentiality only....
    - Government based

Security Management Practices
- The Certifications
  - ITSEC = international community attempt at "harmonization"; more commercial flavor
    - Adds integrity and availability issues
  - Common Criteria = new effort to bring all together
    - Replaces the previous scheme
  - C1, C2, B1, B2, A

Security Management Practices
- Types of classification
  - Object/subject
    - object = passive (files, data, sometimes a program)
    - subject = active (usually people)
  - SUI = sensitive but unclassified information

Security Management Practices
- Who is responsible for what controls
  - Owner has responsibility for physical/admin controls
  - Custodian has responsibility for logical controls
  - Separation of duties tends to deter inside jobs
    - Once you start working in an environment, the line between owner and custodian fades as you need access to perform tasks.

Security Management Practices
- Business Continuity Planning (BCP) vs. Disaster Recovery Planning (DRP)
  - BCP tends to be enterprise driven, top down; Disaster Recovery tends to be functional driven, bottom up..... (more here later)
  - BCP: how to keep the business running after an incident
  - DRP: how to keep your systems running after a disaster

Security Management Practices
- The ISC2 way of defining viruses/trojans
  - Virus: think seed, replication
  - Worm: think self-replicating program
  - Trojan horse: think "hidden code"
  - Trap door: think undocumented access path
  - Know boot infectors, system infectors (aka kernel viruses), and application infectors

Security Management Practices
- The foundations for risk formulas
  - Threat = unfortunate event or activity
  - Exposure = probability
  - Vulnerability = weakness
  - Countermeasure = safeguard

Security Management Practices
- How to find the value of risk
  - ALE = annualized loss expectancy = single loss expectancy x asset value x annualized loss rate (like three times per year)
  - Quantitative versus qualitative risk analysis
  - Compartmentalization = contain the threat and prevent spread
  - Worth of information = cost to acquire + value to owners + what others are willing to pay
  - Remember that countermeasure cost should never exceed the worth of the information
Law, Ethics, Investigations
- Masquerading = pretending to be someone who is authorized to access the system, data, etc.
- The 414 Gang and the Sloan Kettering Cancer facility led to the Medical Computer Crime Act of 1984
- hackers = tinkerers who fix; crackers = bad guys
  - Looks like even ISC2 decided to get into this
- Ideal = security built in (versus security added on)
- Owners have a requirement to take action to secure systems, etc.
  - If there is no access control (i.e. a password) there is no crime

Laws, Ethics and Investigations
- The Laws:
  - Privacy Act of 1974.... The federal government must use data only for the purpose it was collected for and must protect it.
  - Federal interest computers = anything connected to federal use or interstate computer usage
  - Title 18 or Computer Fraud and Abuse Act of 1986 = felony
  - Protection of intangibles = primary reason why prosecution is so difficult
  - Computer Security Act of 1987 = NIST, SUI, NSA/encryption
  - Electronic Communications Privacy Act of 1986 = email privacy protection and wiretapping controls
  - Federal Sentencing Guidelines of 1991 provide federal judges consistent guidelines and require organizations to report computer crimes. Added provision for computer-related crime in 1997.
  - National Infrastructure Protection Act of 1996 amended the Computer Fraud and Abuse Act of 1986....
    - Protects all govt computers.
  - 49 states have computer laws (VT is coming...)

Laws, Ethics and Investigations
- The ISC2 view of evidence collection
  - Concept of "due care": mgt is responsible.
  - Computer crime impacts...... shift from a physical to an intangible electronic environment
  - Chain of custody and evidence.... collection, storage, presentation and return to owner.
  - Computer generated evidence is considered hearsay. Some exceptions.
    - How it is collected is as important as what is collected......
    - Rule (1001)3: disk dumps and memory dumps..... save the state of the computer
    - Get corroboration.....

Laws, Ethics and Investigations
- More on evidence and jurisdiction
  - Must rely on record collection as a routine part of doing business.... Cannot target individuals.
  - Suspect must have motive, ability and opportunity
  - Secret Service (credit card/financial/telecomm) and FBI (computers)
  - Key point for computer evidence admissibility = relevance and preservation (i.e. hashed images of evidence)
  - Surveillance requires routine activity that applies equally to all employees.... (i.e. email filtering)
  - Know the difference between enticement and entrapment
  - Computer forensics = analysis
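The "preservation" point above (hashed images of evidence, chain of custody) is easier to see in code. The following is an added example, not part of the slides: the evidence image is a constructed byte string, a SHA-256 of the image is recorded at acquisition, every hand-off appends a custody entry that also hashes the previous entry, and verify() proves both that the image is unchanged and that no custody entry was altered.

```python
"""Preservation of a disk image: acquisition hash plus a hash-chained custody log.

Added example (not from the slides). The image bytes, names and actions
are all constructed; only hashlib from the standard library is used.
"""
import hashlib
import json
from typing import Dict, List

# Constructed stand-in for an acquired disk image.
EVIDENCE_IMAGE = b"constructed disk image bytes 0123456789" * 100


def image_hash(data: bytes) -> str:
    """SHA-256 of the whole image; recomputed on every transfer and on verify."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict) -> str:
    """Hash of a custody entry, excluding its own hash field, in canonical JSON."""
    payload = json.dumps({k: v for k, v in entry.items() if k != "entry_sha256"}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def new_custody_log(data: bytes, collector: str) -> List[Dict]:
    """Start the chain with the acquisition record."""
    entry = {"action": "acquired", "by": collector, "image_sha256": image_hash(data), "prev": ""}
    entry["entry_sha256"] = _entry_hash(entry)
    return [entry]


def transfer(log: List[Dict], data: bytes, action: str, handler: str) -> List[Dict]:
    """Append a hand-off; 'prev' links it to the previous entry so order cannot be rewritten."""
    entry = {
        "action": action,
        "by": handler,
        "image_sha256": image_hash(data),
        "prev": log[-1]["entry_sha256"],
    }
    entry["entry_sha256"] = _entry_hash(entry)
    log.append(entry)
    return log


def verify(log: List[Dict], data: bytes) -> bool:
    """True only if the image still matches the acquisition hash and the chain is intact."""
    expected = log[0]["image_sha256"]
    if image_hash(data) != expected:
        return False
    prev = ""
    for entry in log:
        if entry["prev"] != prev:
            return False                      # chain broken or reordered
        if entry["image_sha256"] != expected:
            return False                      # image changed hands in altered form
        if _entry_hash(entry) != entry["entry_sha256"]:
            return False                      # entry edited after the fact
        prev = entry["entry_sha256"]
    return True


if __name__ == "__main__":
    log = new_custody_log(EVIDENCE_IMAGE, "analyst A")
    transfer(log, EVIDENCE_IMAGE, "stored", "evidence custodian")
    print("intact:", verify(log, EVIDENCE_IMAGE))
    print("after tamper:", verify(log, EVIDENCE_IMAGE + b"x"))
```

The hash of the image answers "is this the same data", and the hash chain answers "was the custody record itself changed"; in practice both would be written to a record kept separately from the evidence store.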
Laws, Ethics and Investigation
- Ethics: know that we are not supposed to share seminar or test content with other CISSP candidates... OOOOOPs.
- Ethics.... know that it is unethical to purposely..... ******
  - Gain unauthorized access to Internet resources
  - Disrupt the intended use of the Internet
  - Waste resources
  - Destroy the integrity of computer based info
  - Perform negligently in Internet-wide experiments
  - Most of the rest is common sense...... Report deviations to management.. ETC

Laws, Ethics and Investigation
- The rest of the story
  - Know what a CERT is.
  - Know that HR should be involved if employees are suspected of wrongdoing.

Physical Security
- Two types of controls (Admin and Physical)
  - Realize the difference between Admin and Physical controls
  - Admin = written documents and implementation.
  - Physical = locks, card swipes, motion detectors, etc.

Physical Security
- Fire is the biggest threat
- Blackout = loss of power
- Brownout = prolonged below-normal voltage
- Fault = momentary power outage
- Spike = momentary high voltage
- Surge = prolonged high voltage
- Transient = noise
- UPS = uninterruptible power supply, to provide clean power even during an outage

Physical Security
- Residual data issues
  - Data remanence = stuff stays behind after erasure. Best to overwrite completely. Next best = degaussing with a magnetic field. CDs must be destroyed.
  - Magnetics sanitize data.....
  - For the CBK, the best approach for object reuse is overwriting.
  - Electromagnetic interference is caused by wires; RFI is caused by electronic components
  - Laptops need file encryption...

Physical Security
- Know the difference between fire classes
  - A: common combustibles (uses water, soda acid)
  - B: liquid (uses CO2/soda acid/Halon)
  - C: electrical (uses CO2 and Halon)
  - Electrical distribution causes most fires
  - Training is the best fix

Physical Security
- Combustion MUST have (to put a fire out you must remove ONE):
  - Fuel
  - Oxygen
  - Temperature
- Water reduces temperature
- Halon prevents the chemical reaction
- CO2 removes oxygen

Physical Security
- Dry pipe sprinklers favor saving equipment
- NFPA = National Fire Protection Association. Safety driven.
- Montreal Protocol
  - No new installs of Halon
  - Recommends refill with alternatives
- CO2 is potentially lethal. Best for facilities without people.

Physical Security
- Types of physical authentication
  - Card badge readers.... Embedded wire is the most secure because of its construction.
  - Transponders = sender and receiver
  - Mantraps = 2-door system
  - Biometrics
- Always remember the three things to identify yourself: what you have, what you are and what you know

Physical Security
- Types of biometrics
  - Physical = access control
  - Authentication device = something you are.
  - Crossover rate: where false rejections equal false acceptances... the lower the better.
  - Best of breed is iris scan (0.5%), then retina (1.5%), then hand geometry (2%), fingerprint (5%), voice (10%)
  - 3 unique... fingerprint, retina, and iris.
  - Retina uses vein patterns in the back of the eye
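The crossover rate bullet is the one biometric concept the exam expects you to reason about, so here is how it is actually found. This is an added example, not from the slides: match scores for genuine users and impostors are constructed, the decision threshold is swept, the false acceptance rate (FAR) and false rejection rate (FRR) are computed at each threshold, and the crossover (equal error) rate is the error at the threshold where the two meet. Device names and all score samples are made up.

```python
"""Crossover error rate (CER / EER) from constructed match scores.

Added example, not from the slides. A score at or above the threshold is
accepted; impostors accepted are false acceptances, genuine users rejected
are false rejections. The threshold sweep is the general method, applied
here to two constructed devices so they can be ranked like the slide does.
"""
from typing import Dict, List, Tuple

# Constructed similarity scores in [0, 100] for two hypothetical devices.
GENUINE_SCORES = [88, 92, 75, 81, 95, 70, 84, 90, 66, 87]
IMPOSTOR_SCORES = [30, 45, 52, 61, 38, 72, 49, 55, 67, 41]
DEVICES: Dict[str, Tuple[List[int], List[int]]] = {
    "A": (GENUINE_SCORES, IMPOSTOR_SCORES),
    "B": ([60, 65, 70, 72, 80, 55, 68, 74, 62, 78],   # poorer separation
          [40, 50, 58, 63, 45, 66, 52, 57, 69, 48]),
}


def far_frr(threshold: float, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def crossover_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Sweep integer thresholds; return (threshold, error rate) where FAR and FRR are closest."""
    best_t, best_gap, best_rate = 0, None, 0.0
    for t in range(0, 101):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best_gap is None or gap < best_gap:
            best_t, best_gap, best_rate = t, gap, (far + frr) / 2
    return best_t, best_rate


def rank_devices(devices: Dict[str, Tuple[List[int], List[int]]]) -> List[str]:
    """Lower crossover rate is better, as the slide says."""
    return sorted(devices, key=lambda name: crossover_rate(*devices[name])[1])


if __name__ == "__main__":
    for name, (gen, imp) in DEVICES.items():
        t, rate = crossover_rate(gen, imp)
        print(f"device {name}: CER {rate:.1%} at threshold {t}")
    print("ranking:", rank_devices(DEVICES))
```

Tuning the threshold above the crossover trades false acceptances for false rejections (tighter security, more annoyed users); the crossover is only the single number used to compare devices.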
Operations Security
- Shoulder surfing
- Security perimeter = boundary where security features protect assets
- System high security mode = highest security level
- Clipping level: establishes a baseline for filtering out normal behaviors
- Change control is important

Operations Security
- 3 copies for backups
  - one off-site, one on-site, and the original
- Secondary storage is disks, tapes, etc.
- Primary storage is storage routinely accessed by the system.
- Dual control = separate entities operating in parallel to accomplish a task

Operations Security
- Know some problem areas like spamming, brute force attacks, pseudo userids, and salami = clipping 2 cents off a lot of transactions.
- Closed shop = limiting access

Business Continuity Planning
- BCP: think recovering business functionality (especially critical functions)
  - Key element of recovery planning is the Business Impact Analysis
- DRP: think emergency response
  - Disaster recovery plan = comprehensive statement of actions to be taken before, during and after a disaster

Business Continuity Planning
- BIA includes financial and operational data.
  - Also identifies the acceptable level of outage
- Mgt commitment ESSENTIAL
- Testing is important
  - Ok to identify problems during testing....

Business Continuity Planning
- Emergency reaction team == first responders
  - Recovery team: goes to the alternative site to get critical functions going
  - Emergency repair team: original site fixers (starting with the least critical support functions first)

Business Continuity Planning
- Cold site = AC and wiring ready for equipment
  - Advantage = less expensive
  - Disadvantage = not immediately available
- Warm site = hot site without the expensive equipment (no computers, but drives, controllers, etc.)
- Hot site = fully configured (HW & SW). Available in hours.
  - Advantage = availability and testable
  - Disadvantage = costly

Business Continuity Planning
- Multiple in-house centers = testable, quick response, minimally disruptive recovery
  - But,,,,, configuration management is important. And need formalized agreements to "share disaster"
- Service bureaus = they run the ops.
  - Advantages = quick response and testable
  - Disadvantages = cost like hot sites. May be more than one client.

Business Continuity Planning
- Electronic vaulting = massive electronic transfer of backup data (batch job)
- Remote journaling = real-time transmission of journal or transaction logs to an off-site location
- Database shadowing = uses remotely journaled data to create a database
- Emergency response: think safety first, then equipment

Business Continuity Planning
- Testing types (*** once a year)
  - Structured walk-through
  - Checklist
  - Simulation
  - Parallel
  - Full-interruption

Business Continuity Planning
- Mitigate the emergency.... Avoid the DRP !!!

Application & Systems Security
- Important to build in security versus adding it on.
- Aggregation = situation where combining info creates greater sensitivity than the individual parts.
- Inference = ability to derive information not explicitly available
- Object reuse = media must contain no residual data
  - Overwriting is the best approach, followed by degaussing

Application & Systems Security
- Trap door versus back door..... Back door is built in by designers.
- Covert channels = comm channel that violates policy by communicating info
  - Covert storage channel = write by one channel, read by another at a lower security level
  - Covert timing channel = one process signals another by modulating its own system use
- Applet = small program downloaded to the client computer.... Represents risk
  - Java = Sun
  - ActiveX = Microsoft

Application & Systems Security
- Data mining = analysis of databases with tools without knowledge of the meaning of the data
- Closed environment = not connected to a network
- Granularity = fineness of the security mechanism
- Work factor = measure of the amount of effort required to overcome a protective measure
- Assurance = confidence in security measures

Application & Systems Security
- Controls
  - Input controls = validity, completeness controls such as limit tests, logical checks, control totals
  - Output controls = i.e., reconciliation procedures, physical handling procedures, authorization controls
  - Transaction controls = validity of transactions; limit controls, verification against expected results
Application & Systems Security
- System life cycle = foundation of security architecture
  - Project initiation = concept defining/proposal
  - Functional design analysis & planning
  - System design specification
  - Software development
  - Installation
  - Maintenance support
    - Revisions and replacement

Application & Systems Security
- Certification = operationally and technically complete
- Accreditation = approval to operate
- Separation of duties...... requires collusion to perform bad things.
- Role-based access makes change management easier..... easier to add/remove individuals
- Checkpoint restart = ability to restart a process under control if a hiccup occurs.
- Redundant array of inexpensive disks = RAID

Application & Systems Security
- Object oriented programming provides for:
  - Structure, discipline and modularity (reuse)
  - Efficiency
  - Better security mechanism implementation

Application & Systems Security
- Polyinstantiation (goal is lower cleared people) = iteratively producing a more defined version of an object by replacing variables with values or other variables.
- Polymorphism = different objects responding to the same command in different ways.
- Inheritance = object deriving data and functionality automatically from another object
- Association mechanism = building a larger class from a set of smaller classes.

Application & Systems Security
- Encapsulation = object protects private data from outside access
- OLTP = on-line transaction processing (allows for recovery from errors); supports the AVAILABILITY objective
- Database Management System (DBMS) supports multi-level security through a trusted front end....
- Testing of controls...... TEST ALL CHANGES.
- Disadvantage of content-dependent protection is the increase in processing overhead.
  - Xmas virus affected availability

Security Architecture & Models
- Trust = meets specification... Therefore, can be trusted without security....
- Security relevant means not part of security but RELATED to or supports it.
- Process isolation = ensures that multiple processes run concurrently without interference (availability)
- Least privilege = need to know

Security Architecture & Models
- 3 ways to protect HW & SW
  - Layering = each layer has specific activities. Usually layers can communicate only with the layer one above or below.
  - Abstraction = process kept hidden
  - Data hiding = like abstraction but deals with data. A layer has no access to data in other layers, and data handled by other layers is hidden.

Security Architecture & Models
- Sequential memory = computer sequentially accesses memory storage.
- Volatile memory = complete loss of information when shut off.
- Compiler = translator to machine language
- Interpreter = interprets and EXECUTES.
- Open systems = interoperability
- Closed systems = lack interchangeability (e.g., Apple)

Security Architecture & Models
- State = set of values of all entity attributes in a system
- Multistate = processes data of 2 or more security levels
- Supervisor state = program can access the entire system
- Problem state = only nonprivileged instructions executed (application programs)
- Masked/interruptible state = interrupt implies mask bit set.

Security Architecture & Models
- Abstract data types (precise definition of the semantics of data) = provide confidentiality protection
- Strong typing = robust enforcement of abstract data typing.
- TOCTOU = time of check, time of use = class of asynchronous attacks that take advantage of the time lag between permission checking and actual use. Also known as a race condition.
- Binding = tying an active entity to a specific course of authorized actions
- Handshaking = dialogue used to identify and authenticate each other (modems)
Security Architecture & Models
- Fault tolerance (availability) = ability to continue after equipment failure
- Accountability and audit trails = keeping track of who does what and when.
- Modes of operation
  - System high mode = all personnel have clearance and formal access approval BUT NOT NECESSARILY need to know.
  - Partitioned or compartmented mode = all people have clearance and need to know.
  - Multi-level secure = not everyone has clearance or formal access approval or need to know for all info in the system

Security Architecture & Models
- Security perimeter = imaginary boundary around the Trusted Computing Base = all protection mechanisms (HW, SW, and firmware)
- Security kernel = reference monitor = ALWAYS INVOKED = mechanism
  - 3 characteristics
    - Mediates ALL access
    - Verifiably correct
    - And protected from modification

Security Architecture & Models
- System integrity requires that undocumented capabilities be minimized.
- Browsing = searching through storage without necessarily knowing existence or format
- Spoofing = acting as an authorized user
- Exhaustive = brute force "pounding on the door"
- Inference = human deduction of information from something known or assumed
- Traffic analysis = inference based on observation of traffic flows

Security Architecture & Models
- Security models
  - Bell-LaPadula
  - Biba
  - Clark-Wilson

Security Architecture & Models
- Bell-LaPadula (B-L hereafter), sponsored by the government. Deals with confidentiality ONLY>>>>>>
  - Subjects have clearances, objects have classifications.
  - Subjects can read from their clearance level DOWN = read down
  - Subjects can write from their clearance level UP = write up (star property aka *-property means NO write down). For example, a TS person cannot write down to SECRET.
- SUMMARY!!!! NO, NO, NO read UP, write DOWN

Security Architecture & Models
- Biba = think INTEGRITY, and the OPPOSITE approach from B-L
  - No, NO, NO read down or write up...... Because of integrity....
  - Integrity *-property means NO write up
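The two slides above are the whole of Bell-LaPadula and Biba as the exam tests them, and the "opposite" relationship is clearest when both are written against the same labels. The following is an added example, not from the slides: a label is a level plus a set of categories (the lattice the Access Control section later says B-L is based on), one label dominates another when its level is at least as high and its categories are a superset, and each model's read and write rules are one comparison each. The level names and categories are constructed; for Biba the same rank table is read as integrity levels.

```python
"""Bell-LaPadula and Biba decisions on a lattice of (level, categories) labels.

Added example, not from the slides. Levels and categories are constructed;
the dominance relation is the standard lattice ordering.
"""
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed rank table; for Biba read these as integrity levels, low to high.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high and categories a superset."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Confidentiality: simple property (no read up) and *-property (no write down)."""
    if op == "read":
        return subject.dominates(obj)        # read down or read at own level only
    if op == "write":
        return obj.dominates(subject)        # write up or write at own level only
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Integrity: simple integrity (no read down) and integrity *-property (no write up)."""
    if op == "read":
        return obj.dominates(subject)        # only read from at or above own integrity
    if op == "write":
        return subject.dominates(obj)        # only write to at or below own integrity
    raise ValueError(f"unknown operation {op!r}")


def decide(model: str, subject: Label, obj: Label, op: str) -> str:
    rule = {"BLP": blp_allows, "Biba": biba_allows}[model]
    return "ALLOW" if rule(subject, obj, op) else "DENY"


if __name__ == "__main__":
    ts_nuc = Label("TOP SECRET", frozenset({"NUC"}))
    secret = Label("SECRET")
    for model in ("BLP", "Biba"):
        for op in ("read", "write"):
            print(model, "TS/NUC subject", op, "SECRET object:", decide(model, ts_nuc, secret, op))
```

The categories are what make this a lattice rather than a line: a SECRET/NUC subject and a SECRET/CRYPTO object are at the same level but neither dominates the other, so B-L denies the read even though no "read up" in the level sense occurred.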
Security Architecture & Models
- Clark-Wilson adds users to the equation. Represents a continuation of Biba.
  - Addresses all three of C-I-A
  - Prevents unauthorized users from making improper modifications
  - Users can make modifications only in ways that ensure internal consistency
  - Access triple = subject - program - object
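The access triple is the part of Clark-Wilson worth seeing in code: a subject never touches the data directly, only through a program certified for that data. The following is an added example, not from the slides: constrained data items carry an integrity seal, only registered transformation procedures may change one, each (subject, program, object) triple must be authorized, and an integrity verification procedure re-checks every item. The ledger, the deposit procedure and the role names are constructed.

```python
"""Clark-Wilson access triples with sealed CDIs, certified TPs and an IVP.

Added example, not from the slides. The ledger and names are constructed.
"""
import hashlib
from typing import Callable, Dict, List, Set, Tuple


class CDI:
    """Constrained data item: a value plus a seal recorded by the last well-formed TP."""

    def __init__(self, name: str, value: int):
        self.name, self.value = name, value
        self.seal = self._hash()

    def _hash(self) -> str:
        return hashlib.sha256(f"{self.name}:{self.value}".encode()).hexdigest()

    def consistent(self) -> bool:
        return self.seal == self._hash()


class ClarkWilson:
    def __init__(self):
        self.cdis: Dict[str, CDI] = {}
        self.tps: Dict[str, Callable[[CDI], None]] = {}
        self.triples: Set[Tuple[str, str, str]] = set()     # (subject, tp, cdi)
        self.log: List[tuple] = []

    def certify_tp(self, name: str, fn: Callable[[CDI], None]) -> None:
        self.tps[name] = fn

    def allow(self, subject: str, tp: str, cdi: str) -> None:
        """Authorize one access triple."""
        self.triples.add((subject, tp, cdi))

    def run(self, subject: str, tp: str, cdi_name: str) -> bool:
        """Run tp on the CDI only via an authorized triple; re-seal the CDI afterwards."""
        if (subject, tp, cdi_name) not in self.triples or tp not in self.tps:
            self.log.append(("DENY", subject, tp, cdi_name))
            return False
        cdi = self.cdis[cdi_name]
        if not cdi.consistent():                       # data was changed outside a TP
            self.log.append(("CORRUPT", cdi_name))
            return False
        self.tps[tp](cdi)
        cdi.seal = cdi._hash()                         # well-formed transaction: seal the new state
        self.log.append(("OK", subject, tp, cdi_name))
        return True

    def ivp(self) -> bool:
        """Integrity verification procedure: every CDI still matches its seal."""
        return all(c.consistent() for c in self.cdis.values())


def build_demo() -> ClarkWilson:
    cw = ClarkWilson()
    cw.cdis["ledger"] = CDI("ledger", 1000)
    cw.certify_tp("deposit_100", lambda c: setattr(c, "value", c.value + 100))
    cw.allow("teller", "deposit_100", "ledger")        # the auditor gets no triple
    return cw


if __name__ == "__main__":
    cw = build_demo()
    print("teller deposit:", cw.run("teller", "deposit_100", "ledger"), cw.cdis["ledger"].value)
    print("auditor deposit:", cw.run("auditor", "deposit_100", "ledger"))
    print("IVP:", cw.ivp())
```

Separation of duties falls out of the triples: the person certified to run one TP on a CDI need not be authorized to run the TP that approves it, so corrupting the data requires collusion, as the earlier Application slide puts it.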
Security Architecture & Models
- Trusted system = system that, by virtue of having undergone sufficient benchmarking, testing and validation, can be expected to meet the user's requirements for reliability, security and operational effectiveness with specified performance characteristics.
- Trusted Computing Base = totality of protection mechanisms that are responsible for enforcing the security policy
  - Usually implemented following the reference monitor concept (AKA security kernel)

Security Architecture & Models
- System security policy = rules enforced by security features
- System assurance = trust that can be placed in a system to be delivered as developed.
- TCSEC = Orange Book, DoD, confidentiality
- ITSEC = European harmonization (adds integrity and availability)
- Common Criteria = new development to bring global approaches to a global problem
- Note the history kind of follows DoD > European > Private > International

Security Architecture & Models
- Know the classes of trust within TCSEC (Orange Book)
  - D (minimal protection)
  - C (discretionary protection)
    - C1 (discretionary security protection)
    - C2 (controlled access protection)
  - B (mandatory protection)
    - B1 (labels) ********
    - B2 (structured protection)
    - B3 (security domains)
  - A (verified protection)
    - A1 (formally verified)

Security Architecture & Models
- DAC = discretionary access control = owner derives access, machine enforces
- MAC = mandatory access control = labels = system determines all access to enforce policy
- Categories of requirements for TCSEC (think SAAD)
  - Security policy
  - Accountability
  - Assurance
  - Documentation
- Each class builds on the class before it, D to A

Security Architecture & Models
- ITSEC has evaluation classes as well
  - Functionality (security features) and Effectiveness (assurance)
  - E1 to E6, where E1 = C1
- Certification = comprehensive analysis to determine if security features and safeguards meet the specifications of the security requirements.
- Accreditation = management approval to operate the system

Security Architecture & Models
- Theft of memory and microchips is a rising problem.
- Vulnerabilities for LAN/WAN
  - Between the lines entry = tap into the comm line of an inactive user
  - Line disconnect = taking advantage of the lag before the system disconnects
  - NAK/ACK attack = attempt to exploit asynchronous interrupts
  - Piggyback = unauthorized access via an authorized connection

Security Architecture & Models
- 2 levels of LAN security
  - access and use of micros
  - access and use of the network system
- Audit deficiencies
  - Usually lack of a record of network connections

Security Architecture & Models
- Ring and bus topology = everyone sees all traffic
- Bridges = protocol independent, build knowledge of the network, filtering, connect two networks.
- Routers = more sophisticated than bridges, protocol dependent, efficient traffic routing.. SECURITY implementation.
- Switches = network devices that select a path/circuit for sending data to the next destination.
  - Circuit switching = exclusive use for 2 or more parties for a certain duration (like phones)
  - Packet switching = like IP. Small bits of info flowing all over the place. Many users. Each node evaluates each packet for routing; the destination address is where it "snatches" its packets.

Security Architecture & Models
- Gateways = connect different systems. Operate at all OSI layers. Can enhance security (i.e., firewalls)
  - Can prevent specific data from leaving the network or others from entering.
- Fiber optic vs. twisted pair vs. coaxial cable. Fiber optic is very difficult to tap covertly.

Security Architecture & Models
- Guideline... Provide operating system security for LANs that include sensitive info. Expect a "red herring" kind of question. Not sure what this meant.
  - Logical access controls
  - File protection
  - Resource security
  - Audit trails.

Security Architecture & Models
- IPSec (Internet Engineering Task Force, IETF) ------ New stuff.... Therefore, expect some questions here.
  - Internet Protocol...... gateway to gateway, host to host, host to gateway.... YadeYadeYa
  - Services offering protection for IP and upper layer protocols (TCP/UDP, ICMP)

Security Architecture & Models
- Goal: interoperable, high quality, cryptographically based security for IPv4 and IPv6
  - Access control
  - Connectionless integrity
  - Data origin authentication
  - Protection against replays (partial sequence integrity)
  - Confidentiality (encryption)
  - Limited traffic flow confidentiality

Security Architecture & Models
- IP traffic security protocols (techniques for security via IPSec) ***** I would know these concepts ************
  - IP Authentication Header (AH) = provides authentication
  - Encapsulating Security Payload (ESP) = provides confidentiality

Security Architecture & Models
- Security Association (SA) = one-way (directional) association containing either AH or ESP (but not both)
  - Identified by a unique triple (security parameter index, IP destination address, and protocol, either AH or ESP)
  - Security Parameter Index = pointer describing where in the database the Security Association exists
- SA bundling = combining SAs
  - Transport adjacency = multiple security protocols without tunneling
  - Iterated tunneling = same, except using IP tunneling.
- IPSec imposes computational performance costs on the hosts or security gateways
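Two of the IPSec bullets above, the SA identified by its (SPI, destination address, protocol) triple and "protection against replays (partial sequence integrity)", fit in one small model. The following is an added example, not from the slides: an inbound SA database keyed by the triple, with each SA holding a 64-packet sliding anti-replay window kept as a bitmap (the scheme ESP and AH use; the window size and the packet headers are constructed for the demo). Sequence numbers that fall left of the window are too old and are dropped; numbers inside the window that were already seen are replays.

```python
"""SA lookup by (SPI, destination, protocol) and the anti-replay sliding window.

Added example, not from the slides. The SPI, addresses and sequence
numbers are constructed; the window logic is the standard bitmap approach.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW = 64                          # window size used in this demo


@dataclass
class SecurityAssociation:
    spi: int
    dst: str
    proto: str                       # "AH" or "ESP", never both in one SA
    highest_seq: int = 0             # right edge of the window; 0 = nothing received yet
    bitmap: int = 0                  # bit i set => packet highest_seq - i was received

    def accept(self, seq: int) -> bool:
        """True and window updated if seq is new; False for a replay or a too-old packet."""
        if seq == 0:
            return False                                  # sequence numbers start at 1
        if seq > self.highest_seq:                        # advance the window
            shift = seq - self.highest_seq
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest_seq = seq
            return True
        offset = self.highest_seq - seq
        if offset >= WINDOW:
            return False                                  # left of the window: too old
        if self.bitmap & (1 << offset):
            return False                                  # already received: replay
        self.bitmap |= 1 << offset                        # late but genuine
        return True


class SADB:
    """Inbound security association database keyed by the identifying triple."""

    def __init__(self):
        self.entries: Dict[Tuple[int, str, str], SecurityAssociation] = {}

    def add(self, sa: SecurityAssociation) -> None:
        self.entries[(sa.spi, sa.dst, sa.proto)] = sa

    def lookup(self, spi: int, dst: str, proto: str) -> Optional[SecurityAssociation]:
        return self.entries.get((spi, dst, proto))


def inbound(sadb: SADB, spi: int, dst: str, proto: str, seq: int) -> str:
    """Decision for one constructed inbound packet header."""
    sa = sadb.lookup(spi, dst, proto)
    if sa is None:
        return "DROP: no SA"
    return "ACCEPT" if sa.accept(seq) else "DROP: replay or out of window"


if __name__ == "__main__":
    db = SADB()
    db.add(SecurityAssociation(spi=0x1001, dst="192.0.2.10", proto="ESP"))
    for seq in (1, 2, 2, 100, 50, 50, 36, 37):
        print(seq, inbound(db, 0x1001, "192.0.2.10", "ESP", seq))
    print("AH", inbound(db, 0x1001, "192.0.2.10", "AH", 3))
```

The window is why the service is only "partial" sequence integrity: the receiver guarantees no duplicate is accepted but tolerates reordering inside the window, and drops rather than buffers anything older.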
Access Control
- Controls = policy (admin), logical (technology), and physical
- Network manager controls = access to the network and hardware
- User controls = access to applications, files, and data fields
- Principles of control
  - Data protection = against unauthorized disclosure, modification, or destruction
  - Systems protection = against unauthorized use, modification, or denial of service

Access Control
- Types of controls
  - Preventive = avoid occurrence
  - Detective = identify occurrence
  - Deterrent = discourage violations
  - Corrective = remedy circumstances
  - Recovery = restore resources, capability

Access Control
- Audit trails = individual accountability (has legal ramifications)
- Analysis tools (humans miss about 80% versus an automated approach***)
  - Audit reduction tools = less data for manual review
  - Trends/variance detection = monitor trends and detect major variations
- E-mail *** legal precedents trail technology
  - Don't promise email privacy
  - Electronic Communications Privacy Act of 1986 = prohibits phone and dataline taps
    - Except: law enforcement and employers.....

Access Control
- Secure reassignment = write over or degauss tapes. Magnetic remanence issue.
- Government = classified; Private = sensitive
- TEMPEST = countermeasure is shielding or white noise
- Biometrics
  - Physical arena = identification purposes
  - Access control = authentication purposes

Access Control
- Authentication
  - something you have (token, smart cards, etc.)
  - something you know (PIN, password) ** most common **
  - something you are (biometrics)
- One-time passwords
  - Synchronous = more precise timing involved
  - Asynchronous = time lapse allowed

Access Control
- 2 factor authentication = combinations of the above (something you have with something you know, like SecurID and a password)
- Eye stuff is most effective yet least attractive because of the perceived danger to the eyes....
- Authorization = level of privilege

Access Control
- Single Sign On (SSO) = method for a user to be identified and present credentials once to a system.
  - Benefits = more efficient user log on >>>> stronger passwords and easier maintenance loads (fewer passwords to age)
  - Kerberos = centralized authentication protocol
    - Athena project
    - Private key
    - Requires application to be "Kerberized"
  - SESAME = European approach that uses two types of certificates (authentication, authorization)

Access Control
- Security domain = set of objects a subject can access
- Simple security property = user cannot read higher level classified data
- *-property = user cannot write lower level classified data
- Rule based access = policy based
- Role based access ==== assign privileges to roles. Assign users to roles and they inherit the privileges.
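Role-based access is described on two slides (privileges go to roles, users inherit them, and change management gets easier) and separation of duties on a third. The following is an added example, not from the slides, that puts them together: privileges attach to roles, a role may inherit from a parent role, users are assigned roles, and two roles declared mutually exclusive cannot both be held by one user, so a sensitive action takes two people. All role, privilege and user names are constructed.

```python
"""RBAC with role inheritance and a static separation-of-duties constraint.

Added example, not from the slides. Roles, privileges and users are constructed.
"""
from typing import Dict, List, Optional, Set, Tuple


class RBAC:
    def __init__(self):
        self.role_privs: Dict[str, Set[str]] = {}
        self.parents: Dict[str, str] = {}                # role -> role it inherits from
        self.user_roles: Dict[str, Set[str]] = {}
        self.exclusive: List[Tuple[str, str]] = []       # pairs no single user may hold

    def add_role(self, role: str, privs: Set[str], parent: Optional[str] = None) -> None:
        self.role_privs[role] = set(privs)
        if parent:
            self.parents[role] = parent

    def mutually_exclusive(self, a: str, b: str) -> None:
        """Static separation of duties: a and b must be held by different people."""
        self.exclusive.append((a, b))

    def assign(self, user: str, role: str) -> bool:
        """Give user the role unless it conflicts with one the user already holds."""
        held = self.user_roles.setdefault(user, set())
        for a, b in self.exclusive:
            if (role == a and b in held) or (role == b and a in held):
                return False
        held.add(role)
        return True

    def revoke(self, user: str, role: str) -> None:
        """Change management: removing a person is one role removal, not N privilege edits."""
        self.user_roles.get(user, set()).discard(role)

    def privileges(self, user: str) -> Set[str]:
        """Privileges from every held role and each role's ancestors."""
        privs: Set[str] = set()
        for role in self.user_roles.get(user, ()):
            current: Optional[str] = role
            while current:
                privs |= self.role_privs.get(current, set())
                current = self.parents.get(current)
        return privs

    def can(self, user: str, priv: str) -> bool:
        return priv in self.privileges(user)


def build_demo() -> RBAC:
    r = RBAC()
    r.add_role("employee", {"read:handbook"})
    r.add_role("developer", {"commit:code"}, parent="employee")
    r.add_role("release_manager", {"deploy:prod"}, parent="employee")
    r.mutually_exclusive("developer", "release_manager")   # writing and shipping code: two people
    r.assign("alice", "developer")
    r.assign("bob", "release_manager")
    return r


if __name__ == "__main__":
    r = build_demo()
    print("alice:", sorted(r.privileges("alice")))
    print("alice as release manager too?", r.assign("alice", "release_manager"))
```

The exclusivity check happens at assignment time (static separation of duties); a dynamic variant would instead allow both roles to be held but refuse to activate them in the same session.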
Access Control
- ACL = access control list (need to know)
- Constrained user interface = when user access is restricted to certain functions by not allowing them to request it. Like buttons being blacked out on a GUI.

Access Control
- Automated real-time intrusion detection = uses profiles of expected or normal behavior (but you probably would not know anything about that....)
  - Statistical intrusion detection = profile based. Detects anomalies.
  - Rule based = operating system specific
  - Adaptive real-time anomaly detection
  - Time based induction machine
    - Observes temporal process
    - Determines patterns
    - Set of hypotheses
    - Input episodes (event representation)
    - User profile
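The profile-based detection on this slide and the clipping level from the Operations Security slide ("establishes a baseline for filtering out normal behaviors") are two ends of the same idea, so one example covers both. This is an added example, not from the slides: the audit lines and the per-user history are constructed; the clipping-level check ignores failed logins up to a threshold and reports only users above it, and the statistical profile check flags a user whose activity today departs from that user's own baseline by more than a chosen number of standard deviations. A user with no baseline is surfaced for review rather than silently passed, which is a design choice of the example.

```python
"""Clipping levels and statistical (profile-based) anomaly detection over audit lines.

Added example, not from the slides. All log lines, users and numbers are
constructed; only the standard library is used.
"""
import re
import statistics
from collections import Counter
from typing import Dict, List

# Constructed audit trail.
AUDIT_LINES = [
    "2024-03-01T08:00:01 user=alice event=LOGIN_FAIL",
    "2024-03-01T08:00:05 user=alice event=LOGIN_OK",
    "2024-03-01T08:01:00 user=bob event=LOGIN_FAIL",
    "2024-03-01T08:01:03 user=bob event=LOGIN_FAIL",
    "2024-03-01T08:01:06 user=bob event=LOGIN_FAIL",
    "2024-03-01T08:01:09 user=bob event=LOGIN_FAIL",
    "2024-03-01T08:01:12 user=bob event=LOGIN_FAIL",
    "2024-03-01T08:01:15 user=bob event=LOGIN_FAIL",
    "2024-03-01T09:00:00 user=carol event=LOGIN_OK",
    "this line is malformed and is skipped",
]
LINE_RE = re.compile(r"^(\S+) user=(\S+) event=(\S+)$")


def parse(lines: List[str]) -> List[Dict[str, str]]:
    """Audit reduction step: keep only well-formed records with the fields we need."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": m.group(1), "user": m.group(2), "event": m.group(3)})
    return records


def clipping_level_violations(lines: List[str], clip: int = 3) -> Dict[str, int]:
    """Users whose LOGIN_FAIL count exceeds the clipping level; below it is treated as normal."""
    fails = Counter(r["user"] for r in parse(lines) if r["event"] == "LOGIN_FAIL")
    return {user: n for user, n in fails.items() if n > clip}


# Constructed per-user daily history (e.g. megabytes downloaded) used as the profile baseline.
HISTORY = {
    "alice": [120, 130, 110, 125, 140, 115, 135],
    "bob": [2000, 2100, 1900, 2050, 1950, 2150, 2000],
}


def profile_anomalies(history: Dict[str, List[int]], today: Dict[str, int],
                      sigmas: float = 3.0) -> List[str]:
    """Users whose value today exceeds mean + sigmas * stdev of their own baseline."""
    flagged = []
    for user, value in today.items():
        base = history.get(user)
        if not base or len(base) < 2:
            flagged.append(user)          # no baseline: cannot judge, surface for review
            continue
        mean = statistics.mean(base)
        sd = statistics.stdev(base)
        if value > mean + sigmas * sd:
            flagged.append(user)
    return flagged


if __name__ == "__main__":
    print("over clipping level:", clipping_level_violations(AUDIT_LINES))
    print("profile anomalies:", profile_anomalies(HISTORY, {"alice": 900, "bob": 2100, "dave": 50}))
```

Bob's 2100 is high in absolute terms but ordinary for bob, while alice's 900 is several times her own norm: that per-user comparison is what "profile based" means on the slide, as opposed to a single fixed threshold for everyone.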
Access Control

 Bell LaPadula is a lattice based access model.


Cryptography
 Some names:
  Herbert Yardley = headed first crypto unit 1917
  William Friedman = Dean of American crypto, built
Core Body of Knowledge
  Laurance Safford = developed naval comm intel
team during WWII (Underwood machine)
  Joseph Wenger = pioneered development of
crytoanalysis machines, NSA spook
– Venona project = helped crack Rosenberg spy case
Cryptography
  Definitions
  Plaintext = unscrambled data
  Ciphertext = scrambled data
  Encipher = act of scrambling
  Decipher = descrambling with secret key
  Cryptoanalysis = descrambling without secret key
  Key = secret sequence that governs en/decrypt
  Key clustering = two keys produce same ciphertext from
same plaintext
– Work factor = amount of effort/time it takes to crack code
Cryptography
  Some attacks
  Ciphertext only = uses statistical analysis (frequency and
language knowledge)
  Known plaintext = some plaintext and MATCHING ciphertext
known
  Chosen text attack = crypto device with HIDDEN key
provided & input of plaintext OR ciphertext outputs the
other….. (concept is to determine the key)
  Algorithm classes
  Stream ciphers = HW based approach
– Block ciphers = SW based approach (Best Known is DES
Cryptography
- Permutation and transposition = changing around characters
- Concept of crypto is to meet confidentiality requirements
- Everything is breakable
- Designed to make compromise too costly
- Digital signature provides source verification and non-repudiation
- Symmetric versus asymmetric
  - Symmetric = secret key, same or single key (DES)
  - Asymmetric = public key, computational key pair (one encrypts, the other decrypts) (RSA)
Cryptography
- One-time pad = unbreakable by brute force; the pad is used only once
- Data Encryption Standard (DES) = IBM developed, Government sponsored
  - 56-bit true key (64 with 8 parity bits)
  - 16 rounds of simple operations to encrypt (transposition and substitution)
  - Algorithm modes (should be able to recognize them as such)
    - Electronic code book
    - Output feedback
    - Cipher feedback
    - Cipher block chaining
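Why the exam cares which mode you pick is easiest to see by running two of them side by side. This is an added example, not code from the slides: a deliberately tiny stand-in block function (XOR with the key, then a byte rotation, playing the role of DES's substitution and transposition) is wrapped in Electronic Code Book and Cipher Block Chaining. The 8-byte block size, KEY and IV are constructed values for the demo, and the toy block function is of course not a real cipher; the mode logic around it is the genuine ECB/CBC construction.

```python
BLOCK = 8  # toy block size in bytes (DES also uses 64-bit blocks)

# Constructed key and IV (assumptions for the demo; real systems use random values)
KEY = bytes.fromhex("0f1e2d3c4b5a6978")
IV = bytes.fromhex("a1b2c3d4e5f60718")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for the DES block function: one substitution-like step (XOR with
    the key) and one transposition (rotate the bytes). It is deterministic:
    the same key and block always give the same output, which is what ECB leaks."""
    x = xor_bytes(block, key)
    return x[1:] + x[:1]


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return xor_bytes(x, key)


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the input is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Electronic code book: every block is encrypted independently."""
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(data)))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return unpad(b"".join(toy_block_decrypt(key, b) for b in blocks(data)))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Cipher block chaining: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first one) before the block function."""
    out, prev = [], iv
    for b in blocks(pad(data)):
        prev = toy_block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for b in blocks(data):
        out.append(xor_bytes(toy_block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Count distinct ciphertext blocks that occur more than once: the pattern
    leakage an ECB ciphertext shows and a chained mode hides."""
    seen = blocks(ciphertext)
    return sum(1 for b in set(seen) if seen.count(b) > 1)
```

With a plaintext made of three identical blocks, ECB produces three identical ciphertext blocks and CBC produces none, which is the whole argument for the chained and feedback modes on the slide.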
Cryptography
- Double/Triple DES
  - Double DES (no more secure than single DES)
  - Triple DES (work factor high)
- Key escrow = national effort
  - Clipper chip (Skipjack algorithm)****
    - 80-bit key
    - Escrow (separate agencies each hold a key component; both components are needed to reconstruct the chip-unique key and decrypt)
    - Law Enforcement Access Field (LEAF allows the LE boys to decrypt without the session key)
- DES operating modes
Cryptography
- Public key algorithm bases
  - Factoring the product of large prime numbers (RSA)
  - Discrete logarithm problem
    - El Gamal (first public key algorithm with both encryption and digital signature)
    - Diffie-Hellman (first public key algorithm)
  - Elliptic curve crypto (new approach that includes digital signature). Maybe where the industry is headed…. *** May be incorporated into small tokens, smart cards, etc. *****
  - Schnorr's signature algorithm
  - Nyberg-Rueppel's signature algorithm
  - Station-to-station (STS) protocol for key agreement
- Digital Signature Algorithm (more below)
Cryptography
- Key management is a critical part of cryptography and secure/signed messages (resource requirements also)
  - Privacy Enhanced Mail (PEM)
    - Proposed by the Internet Engineering Task Force
  - S/MIME
    - Symmetric keys involved
  - Pretty Good Privacy (PGP)
    - Associate with the International Data Encryption Algorithm (IDEA)****
Cryptography
- Digital signature = verifies message origin and sender identity
  - Be able to distinguish between digitized and digital signatures
  - Uses a public/private key pair
  - Should never be escrowed
  - Never recoverable
  - Lasts forever
  - Diffie-Hellman proposed
  - RSA (Rivest-Shamir-Adleman)
    - Private key computes the signature
    - Public key verifies
Cryptography
- Digital Signature Standard (DSS) AAE… Acronyms, Acronyms Everywhere
  - Secure Hash Algorithm = US standard that condenses a message to a 160-bit digest (always)
  - Signature attached to the digest
  - Digest provides a checksum for message integrity = change the message, change the checksum
  - Hashing the message saves the expense of encrypting the whole message
  - Non-repudiation
- RSA message hashing algorithms = MD2 and MD5 (which includes 4 rounds of transformation)
  - MD5 produces a 128-bit hash (message digest)
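The hash-then-sign flow from the last two slides (private key signs, public key verifies, the digest is what gets signed, and any change to the message breaks the checksum) as an added example, not code from the deck. It uses textbook RSA with constructed, far-too-small primes (P, Q, E are assumptions so the numbers stay readable; a real key is 2048 bits or more and uses a proper padding scheme) and SHA-1 from the standard library; reducing the digest modulo n is a toy step that a real implementation never does. The digest_bits helper just confirms the 160/128-bit sizes the slides quote.

```python
import hashlib
from typing import Tuple

# Constructed toy key material (assumption): small primes chosen for readability.
P, Q = 10007, 10009
E = 65537


def make_keypair(p: int, q: int, e: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent = modular inverse of e mod phi
    return (n, e), (n, d)


def digest(message: bytes) -> bytes:
    """DSS hashes with SHA-1: a 160-bit (20-byte) digest whatever the message length."""
    return hashlib.sha1(message).digest()


def sign(private_key: Tuple[int, int], message: bytes) -> int:
    """Private key computes the signature, over the digest rather than the message."""
    n, d = private_key
    h = int.from_bytes(digest(message), "big") % n   # toy: squeeze the digest into Z_n
    return pow(h, d, n)


def verify(public_key: Tuple[int, int], message: bytes, signature: int) -> bool:
    """Public key verifies: recover the signed digest and compare it with a fresh one.
    A tampered message hashes to a different digest, so the comparison fails."""
    n, e = public_key
    h = int.from_bytes(digest(message), "big") % n
    return pow(signature, e, n) == h


def digest_bits(algorithm: str, message: bytes) -> int:
    """Digest length in bits for the named hashlib algorithm (sha1 -> 160, md5 -> 128)."""
    return hashlib.new(algorithm, message).digest_size * 8
```

Signing the 20-byte digest instead of the whole message is the cost saving the slide mentions: the expensive modular exponentiation runs once over a fixed-size value no matter how long the message is.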
Cryptography
- Certificate authority = binds you and your public key
- Attacks
  - Brute force
  - Analytic
  - Implementation = attacks against how algorithms are used
- Commercial COMSEC Endorsement Program (CCEP) = way to deal with the dilemma of NSA for commercial entities requiring crypto service
Telecommunications
- Availability
  - Communication security services are usable when needed
  - Interoperability of network security mechanisms
- Confidentiality
  - No unauthorized disclosure of message contents
- Integrity
  - Message content complete and unaltered
- Non-repudiation
Telecommunications
- Essential elements of network security management
  - Network authentication service
  - VPN/encryption
  - PKI (key management)
  - Firewall mechanisms
  - Intrusion detection system
  - CERT
  - Network audit logs
Telecommunications
- Remote access management
  - User account administration
  - Resource security manager
  - Security server
  - Remote node authentication
- Network security architecture design and review
Telecommunications
- Network communication protocols
  - TCP/IP = Transmission Control Protocol and Internet Protocol = allows systems on different networks to communicate (even globally)
  - Open Systems Interconnect model (7 layers), ISO sponsored
  - TCP/IP does not accurately map to the OSI model
  - IP = unreliable datagram; there is no guarantee that a packet is:
    - Delivered at all
    - Delivered only once
    - Delivered in order
    - Actually sent from the given source address
Telecommunications
- Hop = path between two addressable devices
- Address Resolution Protocol (ARP) = provides IP to Ethernet address mapping
- TCP provides reliable "virtual circuits" to user packets
  - Every TCP message is marked
    - From a particular host and port
    - To a destination host and port
- User Datagram Protocol = substitute for TCP (one or the other rides on IP)
  - Application-based best-effort delivery
  - Easier to spoof UDP packets than TCP *****
Telecommunications
- Internet Control Message Protocol (ICMP)
  - Mechanism used to influence the behavior of TCP and UDP connections
  - Ping = are you there?
  - Reports trouble on the route
  - Informs a host of a better route to the destination
  - Terminates connections if there is a network problem
  - Can be used to attack…..
- Domain Name System (DNS) = translates IP address to host name or vice versa
Telecommunications
- OSI MODEL ****
  - Permits heterogeneous computer systems to interconnect and communicate
  - Application-to-application communications
  - End system = contains the application process
  - Intermediate system = connects 2 or more subnetworks
  - Open system = capable of communication with other open systems using protocols
Telecommunications
- 7-layer model = each layer provides a function and requires input from the layer above.
- I use this to remember: "All People Seem To Need Data Period!!!!"
  - Application - 7
  - Presentation - 6
  - Session - 5
  - Transport - 4
  - Network - 3
  - Data Link - 2
  - Physical - 1
Telecommunications
- Identification & authentication
  - Who is attempting to establish the connection
  - Network audit trails
  - 2-factor is best (token with PIN, password)
  - Next generation will include encryption on smart cards
Telecommunications
- Node authentication = I&A between 2 communicating addressable entities (hosts, servers, etc.)
  - Sum of entities = network
  - Warning….. Node authentication, by itself, is not sufficient to establish the trustworthiness or privacy of the individual network user (ONLY the network link)
  - Password Authentication Protocol (PAP) ******Know the association with node auth
  - Challenge Handshake Authentication Protocol (CHAP) *****Know the association with node auth
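What CHAP actually does on the wire, as an added example that is not part of the slides: the authenticator (access server) sends a random challenge, the remote node answers with MD5 over the identifier, the shared secret and the challenge (the RFC 1994 construction), and the authenticator recomputes and compares. The secret itself is never transmitted, which is the difference from PAP, where the password goes across in the clear. The SHARED_SECRET and the two small classes are constructed for the demo; both sides are shown so the exchange runs end to end.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed shared secret (assumption): configured on both peers, never sent on the wire.
SHARED_SECRET = b"router-to-node shared secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Access-server side: issues a fresh random challenge for every attempt."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding: Dict[int, bytes] = {}   # identifier -> challenge in flight

    def challenge(self, rng=os.urandom) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) % 256   # one-byte CHAP identifier
        chal = rng(16)
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def check(self, identifier: int, response: bytes) -> bool:
        """Recompute the expected value; a challenge can be answered only once,
        so a captured response cannot be replayed later."""
        chal = self.outstanding.pop(identifier, None)
        if chal is None:
            return False
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)   # constant-time compare


class Peer:
    """Remote-node side: proves knowledge of the secret without sending it."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def answer(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_exchange(authenticator: Authenticator, peer: Peer) -> bool:
    """Challenge -> Response -> Success/Failure, the three CHAP messages."""
    ident, chal = authenticator.challenge()
    resp = peer.answer(ident, chal)
    return authenticator.check(ident, resp)
```

This is still only node authentication in the slide's sense: it proves the far end holds the link secret, not who the human at that node is.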
Telecommunications
- Filtering (or screening by service) accomplished by access control lists
- Encapsulated tunneling = provides the equivalent of a private path; occurs "inside" another routable protocol
- Remote access control = because remote access is a FAVORITE target of hackers.
  - War dialers.
  - War rooms (like NORAD. Usually serve as training rooms until you get a big gig. Kidding!)
Telecommunications
- Suggested safeguards
  - Consolidate facilities when possible
  - Implement 2-factor authentication
  - Use TACACS+/RADIUS on routers
    - TACACS = username and password
    - TACACS+ = adds 2-factor capability
    - Remote Authentication Dial-In User Service (RADIUS)
      - Standard by IETF
      - Bundled in network operating systems
  - Use VPN for sensitive data comms
  - Use PAP/CHAP for node authentication
Telecommunications
- Network segment/subdomain isolation = strategy to constrain traffic within networks by segment
- Firewalls
  - 1st generation - filtering using ACLs
  - 2nd generation - proxy services (telnet, ftp, http, etc.)
    - Problem = need a new proxy for each service
  - 3rd generation - adds various services such as data inspection, anti-virus, stateful inspection, content inspection (of mobile code such as Java applets, VB scripts, etc.)
    - More expensive
    - Harder to understand
    - Stateful inspection = aware of the "expected" transmission and responds to unexpected responses
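The difference between 1st-generation ACL filtering and stateful inspection, as an added example rather than anything from the slides: a first-match, default-deny rule list decides on each packet in isolation, while the stateful wrapper remembers connections the inside opened and admits only the replies it expects. The Packet and Rule shapes, the 10.0.0.0 "inside" prefix and the RULES set are constructed for the demo; the oversized-ICMP rule is the "filter ICMP packets" countermeasure the network-threats slide later recommends for the large-packet ping attack.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    length: int = 64      # reassembled datagram size in bytes


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    longer_than: Optional[int] = None # match only datagrams above this size


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.longer_than is not None and pkt.length <= rule.longer_than:
        return False
    return True


def acl_decision(pkt: Packet, rules: List[Rule]) -> str:
    """1st-generation filter: first matching rule wins, nothing matched = deny."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Constructed rule set (assumption): one public web server, pings of sane size only.
RULES = [
    Rule("allow", proto="tcp", dst="10.0.0.5", dport=80),
    Rule("deny", proto="icmp", longer_than=65535),   # large-packet ping
    Rule("allow", proto="icmp"),
]


class StatefulFilter:
    """3rd-generation behaviour: remember which connections the inside opened and
    let only their replies back in; everything else falls through to the ACL."""

    def __init__(self, rules: List[Rule], internal_prefix: str = "10.0.0."):
        self.rules = rules
        self.internal_prefix = internal_prefix
        self.connections: Set[Tuple[str, int, str, int]] = set()

    def handle(self, pkt: Packet) -> str:
        outbound = pkt.src.startswith(self.internal_prefix)
        if outbound:
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: is this the expected reply to a connection we saw go out?
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        return acl_decision(pkt, self.rules)
```

The unsolicited SYN/ACK aimed at an internal client is the case that separates the two: the plain ACL has no rule for it and drops it, and the stateful filter drops it too, but admits the identical packet once the inside host has sent the matching SYN.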
Telecommunications
- VPN = usually between firewall #1 and firewall #2.
  - Popular techniques (be able to associate with VPN)
    - Point-to-Point Tunneling Protocol (PPTP)
    - Layer 2 Forwarding (L2F)
    - Layer 2 Tunneling Protocol (L2TP)
- Trusted Network Interpretation (Red Book)
  - Maps the Orange Book approach into the network arena
  - Has levels as well
Telecommunications
- Attenuation = loss of signal strength
- Network switching
  - Circuit switched = transparent path, like the telephone
  - Packet switched = segmented data, buffered and recombined
- Ethernet = high-speed baseband
  - Uses carrier sense multiple access / collision detection (CSMA/CD) = avoids failures when 2 devices transmit simultaneously
  - All receive all messages (broadcast access method)
Telecommunications
- Analog = continuous signal with amplification
- Digital = 0/1 discrete
- Client/server limitations
  - Multiple points of control
  - Multiple names (complicates accountability)
  - Multiple logons (efficiency problems)
  - Multiple administrators (redundancy)
  - Suggested to use one-time passwords for end-user authentication
Telecommunications
- ISDN = Integrated Services Digital Network = growing technology
  - Puts digital/voice services through existing phone lines.
  - Somewhat costly
Telecommunications
- Backup
  - Hierarchical Storage Method = appears as an infinite disk
  - File mirroring = two times the space requirement
  - Clustering = groups of servers and storage
    - Management software balances the workload
  - RAID = Redundant Array of Inexpensive (or Independent) Disks
    - RAID Advisory Board = standard configurations
    - Failure Resistant Disk System (FRDS) = protects against I/O bus malfunctions
    - FRDS+ = protection against cache failure or external power failure
Telecommunications
- RAID levels
  - RAID 0 = striping
  - RAID 1 = mirroring
  - RAID 2 = Hamming code parity
    - Hamming code = technique to recover lost data (up to 10% loss)
  - RAID 3 = byte-level parity
  - RAID 4 = block-level parity
  - RAID 5 = interleaved parity
  - RAID 7 = single virtual disk (No, I did not forget 6!!)
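How interleaved parity survives a disk loss, as an added example that is not from the slides: data is striped across all but one disk of each stripe, the remaining chunk holds the XOR of the others, and the parity position rotates from stripe to stripe (the interleaving that makes it RAID 5 rather than RAID 4's fixed parity disk). When any single disk disappears, each of its chunks, data or parity, is the XOR of the surviving chunks in that stripe. The 4-byte chunk size and the 4-disk array are assumptions chosen so the arithmetic is visible.

```python
from typing import List, Optional

CHUNK = 4  # bytes per chunk (assumption for the demo; real stripe units are KB-sized)


def xor_chunks(chunks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length chunks: the parity operation."""
    out = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            out[i] ^= b
    return bytes(out)


def raid5_write(data: bytes, ndisks: int = 4) -> List[List[bytes]]:
    """Lay data out as stripes of ndisks-1 data chunks plus one parity chunk,
    with the parity chunk on a different disk for each successive stripe."""
    if ndisks < 3:
        raise ValueError("RAID 5 needs at least 3 disks")
    per_stripe = (ndisks - 1) * CHUNK
    if len(data) % per_stripe:
        data += b"\x00" * (per_stripe - len(data) % per_stripe)   # pad last stripe
    disks: List[List[bytes]] = [[] for _ in range(ndisks)]
    for s in range(len(data) // per_stripe):
        stripe = data[s * per_stripe:(s + 1) * per_stripe]
        chunks = [stripe[i:i + CHUNK] for i in range(0, per_stripe, CHUNK)]
        parity_disk = s % ndisks            # rotating parity position
        it = iter(chunks)
        for d in range(ndisks):
            disks[d].append(xor_chunks(chunks) if d == parity_disk else next(it))
    return disks


def raid5_read(disks: List[Optional[List[bytes]]]) -> bytes:
    """Reassemble the data, skipping each stripe's parity chunk. A failed disk
    (None) that holds data makes the read fail until the array is rebuilt."""
    ndisks = len(disks)
    nstripes = len(next(d for d in disks if d is not None))
    out = b""
    for s in range(nstripes):
        for d in range(ndisks):
            if d == s % ndisks:
                continue
            if disks[d] is None:
                raise IOError("disk %d failed; rebuild before reading" % d)
            out += disks[d][s]
    return out


def raid5_rebuild(disks: List[Optional[List[bytes]]], lost: int) -> List[List[bytes]]:
    """Recreate the lost disk chunk by chunk as the XOR of the survivors in the
    same stripe; this recovers data and parity chunks alike because
    d0 ^ d1 ^ ... ^ parity == 0 for every stripe."""
    survivors = [d for d in range(len(disks)) if d != lost and disks[d] is not None]
    if len(survivors) != len(disks) - 1:
        raise IOError("RAID 5 tolerates exactly one failed disk")
    nstripes = len(disks[survivors[0]])
    rebuilt = [xor_chunks([disks[d][s] for d in survivors]) for s in range(nstripes)]
    repaired = list(disks)
    repaired[lost] = rebuilt
    return repaired
```

A second failure before the rebuild completes is the case the rebuild function refuses, which is the practical reason rebuild time (and monitoring for the first failure) matters as much as the parity math.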
Telecommunications
- Web security
  - Secure Hypertext Transfer Protocol (S-HTTP)
  - Secure Socket Layer (SSL)
Telecommunications
- Secure gateways (firewalls) = can have a negative impact on network performance. Also a single point of failure.
  - ACLs can be complex and difficult to maintain.
  - Screened host firewall system = employs a bastion host and a packet-filtering router
    - Provides a higher level of security because it protects both the network layer (packet filtering) and the application layer (proxy services).
    - Requires an intruder to penetrate two separate systems before reaching the private network.
  - Dual-homed = bastion host has two network interfaces, and the host's capability to forward traffic around the proxy is disabled.
Telecommunications
- Screened subnet (AKA DMZ concept) = two packet-filtering routers and a bastion host
  - Puts a limited number of services in the DMZ
  - Issues: single point of failure. Maintenance and coordination required to introduce new services. *******
- SOCKS = circuit-level proxy server
  - Can be resource intensive
- Network Address Translation (NAT) = tool for resolving non-NIC-registered IP addresses
Telecommunications
- Secure Socket Layer (SSL)
  - Uses a Message Authentication Code and symmetric encryption
  - SSL Record Protocol
  - SSL Handshake Protocol
    - Exchanges the session key
Telecommunications
- Secure Electronic Transaction = specification sponsored by VISA and Mastercard
  - Goals: *******
    - WWW payment card protocol
    - Authentication of sender and receiver
    - Confidentiality of message content
    - Reduced merchant fraud
    - Protecting credit card brands
- Privacy Enhanced Mail (PEM) = confidentiality, data origin authenticity, integrity
Telecommunications
- Network threats *****
  - Masquerading = pretending to be someone else
  - Spoofing = deliberately inducing a subject or object to take an incorrect action
  - Piggy-backing = gaining unauthorized access via authorized means
  - Large packet ping attack (aka Ping of Death)
    - ICMP
    - Denial of service
    - Countermeasure: filter ICMP packets
Telecommunications
- Buffer overflow attacks
  - Insufficient parameter checking
  - Countermeasure: install the patch
- TCP SYN flood attack
  - Denial of service
  - Countermeasure: TCP Wrapper
- IP spoofing attack
  - Trusted host spoofed
  - Countermeasure: TCP Wrapper
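Recognising the SYN flood from the slide in a flow log, as an added example that is not part of the deck: a flood leaves many half-open connections (SYN seen, handshake never completed) from the same source, so the detector tracks each SYN until the matching third-step ACK arrives and reports sources whose outstanding count crosses a threshold. The LOG lines, their "time proto src > dst flags" layout, the addresses (from the RFC 5737 documentation ranges) and the threshold of 5 are all constructed for the demo.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed flow log (assumption): "time proto src > dst flags", with S = SYN,
# SA = SYN/ACK, A = ACK. 203.0.113.9 completes its handshake normally;
# 198.51.100.7 opens six connections and never finishes any of them.
LOG = """\
10:00:01 TCP 203.0.113.9:40001 > 10.0.0.5:80 S
10:00:01 TCP 10.0.0.5:80 > 203.0.113.9:40001 SA
10:00:01 TCP 203.0.113.9:40001 > 10.0.0.5:80 A
10:00:02 TCP 198.51.100.7:1001 > 10.0.0.5:80 S
10:00:02 TCP 10.0.0.5:80 > 198.51.100.7:1001 SA
10:00:02 TCP 198.51.100.7:1002 > 10.0.0.5:80 S
10:00:02 TCP 10.0.0.5:80 > 198.51.100.7:1002 SA
10:00:02 TCP 198.51.100.7:1003 > 10.0.0.5:80 S
10:00:02 TCP 198.51.100.7:1004 > 10.0.0.5:80 S
10:00:03 TCP 198.51.100.7:1005 > 10.0.0.5:80 S
10:00:03 TCP 198.51.100.7:1006 > 10.0.0.5:80 S
10:00:03 UDP 198.51.100.7:2000 > 10.0.0.5:53 -
"""

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def parse_line(line: str) -> Tuple[str, str, Flow, str]:
    """Split one constructed log line into (time, proto, flow, flags)."""
    ts, proto, src, _, dst, flags = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return ts, proto, (sip, int(sport), dip, int(dport)), flags


def half_open_by_source(log: str) -> Dict[str, int]:
    """Count connections per source that sent a SYN but never sent the final ACK."""
    pending: Set[Flow] = set()
    for line in log.splitlines():
        if not line.strip():
            continue
        _, proto, flow, flags = parse_line(line)
        if proto != "TCP":
            continue                        # the SYN queue is a TCP problem only
        if flags == "S":
            pending.add(flow)               # half-open from now on
        elif flags == "A" and flow in pending:
            pending.discard(flow)           # third step completes the handshake
    counts: Dict[str, int] = defaultdict(int)
    for sip, _, _, _ in pending:
        counts[sip] += 1
    return dict(counts)


def syn_flood_suspects(log: str, threshold: int = 5) -> List[str]:
    """Sources holding at least `threshold` half-open connections."""
    return sorted(src for src, n in half_open_by_source(log).items() if n >= threshold)
```

The slide's IP-spoofing entry is the caveat here: a flood that forges its source addresses spreads the half-open connections over many sources, so a per-source threshold alone misses it and the total backlog on the target has to be watched as well.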
Telecommunications
- CERTs = capability to mitigate the impact on productive activities while taking prompt and appropriate action…..

That is all there is!!!!!!!!!!!!! Good luck