
CISSP
Certified Information Systems
Security Professional

Copyright © 2018 by John Wiley & Sons, Inc., Indianapolis, Indiana.
Used with permission.

CISSP Training
• This course is based on the book:
(ISC)2 CISSP: Certified Information
Systems Security Professional Official
Study Guide, 8th Edition
by Mike Chapple, James Michael
Stewart, and Darril Gibson
• ISBN-13: 978-1119475934
• ISBN-10: 1119475937
• Published: May 8, 2018

(ISC)2
• International Information Systems Security
Certification Consortium (ISC)2
• Missions:
• Maintain the Common Body of Knowledge
(CBK)
• Provide certification for IT/IS security
professionals and practitioners
• Conduct certification training & administer
exams
• Oversee the ongoing accreditation through
continued education.
• www.isc2.org

CISSP Focus
• CISSP focuses on security:
– Design
– Architecture
– Theory
– Concept
– Planning
– Managing

Topical Domains
• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security

Exam Topic Outline
• www.isc2.org/Certifications/CISSP
• Download the CISSP Exam Outline
– Under “2: Register and Prepare
for the Exam”
• Previously known as the Candidate
Information Bulletin
• Also, view the CISSP Ultimate Guide

Prequalifications
• For taking the CISSP exam:
– 5 years full-time paid work experience
– Or, 4 years experience with a recent
college degree
– Or, 4 years experience with an approved
security certification, such as CAP, CISM,
CISA, Security+, CCNA Security, MCSA,
MCSE, and GIAC
– Or, Associate of (ISC)2 if you don’t yet have
experience
– Agree to (ISC)2 Code of Ethics

CISSP Exam Overview
• CISSP-CAT (Computerized Adaptive
Testing)
• Minimum 100 questions
• Maximum 150 questions
• 25 unscored items mixed in
• 3 hours to take the exam
• No score issued, just pass or fail
• Must achieve “passing standard” for each
domain within the last 75 questions seen

Exam Retakes
• Take the exam a maximum of 3 times
per 12-month period
• Wait 30 days after your first attempt
• Wait an additional 90 days after your
second attempt
• Wait an additional 180 days after your
third attempt
• You will need to pay full price for each
additional exam attempt.

Question Types
• Most questions are standard multiple
choice with four answer options with a
single correct answer
• Some questions require you to select two,
select three, or select all that apply
• Some questions may be based on a
provided scenario or situation
• Advanced innovative questions may
require drag-and-drop, hot-spot, or re-order
tasks

Exam Advice
• Work promptly, don’t waste time, keep
an eye on your remaining time
• It is not possible to return to a
question.
• Try to reduce/eliminate answer options
before guessing
• Pay attention to question format and
how many answers are needed
• Use the provided dry-erase board for
notes

Updates and Changes
• As updates, changes, and errata are
needed for the book, they are posted
online at:

www.wiley.com/go/cissp8e

• Visit and write in the corrections to
your book!

Exam Prep Recommendations
• Read each chapter thoroughly
• Research each practice question you get
wrong
• Complete the written labs
• View the online flashcards
• Use the 6 online bonus exams to test your
knowledge across all of the domains
• Consider using: (ISC)² CISSP Official
Practice Tests, 2nd Edition
(ISBN: 978-1-119-47592-7)

Completing Certification
• Endorsement
• A CISSP certified individual in good
standing
• Within 90 days of passing the exam

• After CISSP, consider the post-CISSP
Concentrations:
– Information Systems Security Architecture Professional (ISSAP)
– Information Systems Security Management Professional
(ISSMP)
– Information Systems Security Engineering Professional (ISSEP)

Book Organization 1/2
• Security and Risk Management
– Chapters 1-4
• Asset Security
– Chapter 5
• Security Architecture and Engineering
– Chapters 6-10
• Communication and Network Security
– Chapters 11-12

Book Organization 2/2
• Identity and Access Management
(IAM)
– Chapters 13-14
• Security Assessment and Testing
– Chapter 15
• Security Operations
– Chapters 16-19
• Software Development Security
– Chapters 20-21

Study Guide Elements
• Exam Essentials
• Chapter Review Questions
• Written Labs
• Real-World Scenarios
• Summaries

Additional Study Tools
www.wiley.com/go/cissptestprep

• Electronic flashcards
• Glossary in PDF
• Bonus Practice Exams:
– 6x 150 question practice exams
covering the full range of domain
topics

Chapter 1
Security Governance Through Principles and
Policies

Understand and Apply
Concepts of Confidentiality,
Integrity, and Availability

• CIA Triad
• AAA Services
• Protection Mechanisms

CIA Triad
• Confidentiality
• Integrity
• Availability

Confidentiality
• Sensitivity
• Discretion
• Criticality
• Concealment
• Secrecy
• Privacy
• Seclusion
• Isolation
Integrity 1/3
• Preventing unauthorized subjects
from making modifications
• Preventing authorized subjects
from making unauthorized
modifications
• Maintaining the internal and
external consistency of objects

Integrity 2/3
• Accuracy: Being correct and precise
• Truthfulness: Being a true reflection of
reality
• Authenticity: Being authentic or
genuine
• Validity: Being factually or logically
sound
• Nonrepudiation: Not being able to deny
having performed an action or activity
or being able to verify the origin of a
communication or event

Integrity 3/3
• Accountability: Being responsible or
obligated for actions and results
• Responsibility: Being in charge or
having control over something or
someone
• Completeness: Having all needed and
necessary components or parts
• Comprehensiveness: Being complete in
scope; the full inclusion of all needed
elements

Availability
• Usability: The state of being easy to use
or learn or being able to be understood
and controlled by a subject
• Accessibility: The assurance that the
widest range of subjects can interact
with a resource regardless of their
capabilities or limitations
• Timeliness: Being prompt, on time,
within a reasonable time frame, or
providing low latency response

AAA Services
• Identification
• Authentication
• Authorization
• Auditing
• Accounting/
Accountability

Protection Mechanisms
• Layering/Defense in Depth
• Abstraction
• Data Hiding
• Security through obscurity
• Encryption

Evaluate and Apply Security
Governance Principles
• Alignment of Security Function
• Security Management Plans
• Organizational Processes
• Change Control/Management
• Data Classification
• Organizational Roles and
Responsibilities
• Security Control Frameworks
• Due Care and Due Diligence
Alignment of Security Function
• Alignment to Strategy, Goals,
Mission, and Objectives
• Security Policy
• Based on business case
• Top-Down Approach
• Senior Management Approval
• Security Management:
• InfoSec team, CISO, CSO, ISO

Security Management Plans
• Strategic
• Tactical
• Operational

Organizational Processes
• Security governance
• Acquisitions and divestitures risks:
• Inappropriate information disclosure
• Data loss
• Downtime
• Failure to achieve sufficient return on
investment (ROI)

Change Control/Management 1/2
• Implement changes in a monitored and
orderly manner. Changes are always
controlled.
• A formalized testing process is included to
verify that a change produces expected
results.
• All changes can be reversed (also known as
backout or rollback plans/procedures).
• Users are informed of changes before they
occur to prevent loss of productivity.

Change Control/Management 2/2
• The effects of changes are systematically
analyzed to determine whether security
or business processes are negatively
affected.
• The negative impact of changes on
capabilities, functionality, and
performance is minimized.
• Changes are reviewed and approved by a
change approval board (CAB).

Data Classification 1/2
• Determines: effort, money, and
resources
• Government/military vs.
commercial/private sector
• Declassification

Data Classification 2/2
1. Identify the custodian, define
responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external
transfer.
7. Create an enterprise-wide awareness
program.

Organizational Roles and
Responsibilities
• Senior Manager
• Security Professional
• Data Owner
• Data Custodian
• User
• Auditor

Security Control Frameworks
• COBIT (see next slide)
• Used to plan the IT security of an
organization and as a guideline for auditors
• Information Systems Audit and Control
Association (ISACA)
• Open Source Security Testing
Methodology Manual (OSSTMM)
• ISO/IEC 27001 and 27002
• Information Technology Infrastructure
Library (ITIL)

Control Objectives for Information and
Related Technologies (COBIT)
• Principle 1: Meeting Stakeholder Needs
• Principle 2: Covering the Enterprise
End-to-End
• Principle 3: Applying a Single,
Integrated Framework
• Principle 4: Enabling a Holistic
Approach
• Principle 5: Separating Governance
From Management

Due Care and Due Diligence
• Due care is using reasonable care to
protect the interests of an
organization.
• Due diligence is practicing the
activities that maintain the due care
effort.

Develop, Document, and
Implement Security Policy,
Standards, Procedures, and
Guidelines

• Security Policies
• Security Standards, Baselines, and
Guidelines
• Security Procedures

Security Policies
• Defines the scope of security
needed by the organization
• Organizational, issue-specific,
system-specific
• Regulatory, advisory, informative

Security Standards, Baselines, and
Guidelines
• Standards define compulsory
requirements
• Baselines define a minimum level of
security
• Guidelines offer recommendations
on how standards and baselines are
implemented

Security Procedures
• Standard operating procedure (SOP)
• A detailed, step-by-step how-to
• To ensure the integrity of business
processes

Understand and Apply Threat
Modeling Concepts and
Methodologies
• Threat Modeling
• Identifying Threats
• Threat Categorization Schemes
• Determining and Diagramming
Potential Attacks
• Performing Reduction Analysis
• Prioritization and Response
Threat Modeling
• Microsoft’s Security Development
Lifecycle (SDL)
• “Secure by Design, Secure by Default,
Secure in Deployment and
Communication”
(also known as SD3+C)
• Proactive vs. reactive approach

Identifying Threats
• Focused on Assets
• Focused on Attackers
• Focused on Software

Threat Categorization Schemes
• STRIDE (next slide)
• Process for Attack Simulation and
Threat Analysis (PASTA) (later slide)
• Trike
• Visual, Agile, and Simple Threat
(VAST)

STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege

PASTA 1/2
• Stage I: Definition of the Objectives (DO) for the
Analysis of Risks
• Stage II: Definition of the Technical Scope (DTS)
• Stage III: Application Decomposition and Analysis
(ADA)
• Stage IV: Threat Analysis (TA)
• Stage V: Weakness and Vulnerability Analysis
(WVA)
• Stage VI: Attack Modeling and Simulation (AMS)
• Stage VII: Risk Analysis and Management (RAM)

PASTA 2/2

Determining and Diagramming
Potential Attacks
• Diagram the infrastructure
• Identify data flow
• Identify privilege boundaries
• Identify attacks for each
diagrammed element

Diagramming to Reveal Threat
Concerns

Performing Reduction Analysis

• Decomposing
• Trust boundaries
• Data flow paths
• Input points
• Privileged operations
• Details about security stance and
approach
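Worked example (added here; it is not from the study guide or these slides): the two preceding slides, diagramming the infrastructure and then reducing it into trust boundaries, data flow paths, input points and privileged operations, run over a small constructed data-flow model of a web shop. The element kinds, trust zones and the STRIDE-per-element mapping (which STRIDE categories apply to an external entity, a process, a data store or a data flow, as used in Microsoft's SDL threat-modeling practice) are assumptions of this example; the elements and flows are made up.

```python
"""Reduction analysis over a small data-flow model: elements live in trust zones,
flows that cross a zone boundary are the system's input points, privileged
elements are listed separately, and each element and flow gets the STRIDE
categories that apply to its kind (STRIDE-per-element). Model is constructed."""
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each kind of diagram element (assumed mapping).
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity / interactor
    "process": "STRIDE",
    "datastore": "TRID",   # R applies when the store holds audit/log data
    "dataflow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                 # external | process | datastore
    zone: str                 # trust zone the element lives in
    privileged: bool = False  # performs privileged operations (e.g. writes orders as a service account)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


def find_input_points(elements, flows):
    """Flows whose endpoints sit in different trust zones cross a trust boundary;
    the destination of each is an input point that must validate what it receives."""
    zone = {e.name: e.zone for e in elements}
    return [(f.src, f.dst, f.data) for f in flows if zone[f.src] != zone[f.dst]]


def privileged_operations(elements):
    """Elements that perform privileged operations deserve their own review."""
    return [e.name for e in elements if e.privileged]


def stride_threats(elements, flows):
    """Map every element and flow to the STRIDE categories worth examining for it."""
    threats = {e.name: [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT[e.kind]] for e in elements}
    for f in flows:
        threats[f"{f.src} -> {f.dst}"] = [STRIDE_NAMES[c] for c in STRIDE_PER_ELEMENT["dataflow"]]
    return threats


# Constructed model of a small web shop (not from the slides).
ELEMENTS = [
    Element("Customer browser", "external", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Order service", "process", "internal", privileged=True),
    Element("Orders DB", "datastore", "internal"),
]
FLOWS = [
    Flow("Customer browser", "Web app", "HTTPS request"),
    Flow("Web app", "Order service", "order JSON"),
    Flow("Order service", "Orders DB", "SQL"),
]

if __name__ == "__main__":
    for src, dst, data in find_input_points(ELEMENTS, FLOWS):
        print(f"input point: {dst} receives {data!r} from {src}")
    print("privileged:", privileged_operations(ELEMENTS))
    for name, cats in stride_threats(ELEMENTS, FLOWS).items():
        print(f"{name}: {', '.join(cats)}")
```

The two flows that cross a trust boundary (internet to DMZ, DMZ to internal) are the input points where validation and authentication controls belong; the flow inside the internal zone still gets its data-flow STRIDE categories but does not count as an external input point.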

Prioritization and Response
• Probability × Damage Potential
ranking
• High/medium/low rating
• DREAD system
– Damage potential
– Reproducibility
– Exploitability
– Affected users
– Discoverability
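Worked example (added here; not from the study guide or these slides): scoring threats with the five DREAD factors, averaging them into a single rating and bucketing that into the high/medium/low rating the slide mentions. The 1 to 10 scale per factor, the high/medium thresholds and the three sample threats are assumptions constructed for this example.

```python
"""Rank threats with DREAD: each of the five factors is scored 1-10 (assumed scale),
the average is the threat's rating, and the rating is bucketed into high/medium/low
(thresholds assumed). Threat names and scores are constructed sample data."""
from dataclasses import dataclass

FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def dread_score(self) -> float:
        values = [getattr(self, f) for f in FACTORS]
        for v in values:
            if not 1 <= v <= 10:
                raise ValueError(f"{self.name}: DREAD factors must be scored 1-10")
        return sum(values) / len(values)


def rating(score: float) -> str:
    # Thresholds are an assumed convention, not part of the original deck.
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(threats):
    """Highest DREAD score first; returns (name, score, high/medium/low)."""
    ranked = sorted(threats, key=lambda t: t.dread_score(), reverse=True)
    return [(t.name, round(t.dread_score(), 1), rating(t.dread_score())) for t in ranked]


# Constructed sample threats for a web application.
SAMPLE_THREATS = [
    Threat("SQL injection in login form", damage=9, reproducibility=10, exploitability=8,
           affected_users=10, discoverability=9),
    Threat("Verbose error pages leak stack traces", damage=3, reproducibility=10, exploitability=7,
           affected_users=5, discoverability=8),
    Threat("Physical theft of backup tapes", damage=8, reproducibility=2, exploitability=3,
           affected_users=10, discoverability=2),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SAMPLE_THREATS):
        print(f"{score:>4}  {level:<6}  {name}")
```

Note how the backup-tape threat lands in the middle of the list despite a high damage potential: the low reproducibility, exploitability and discoverability scores pull the average down, which is exactly the trade-off the probability × damage potential ranking on the slide is meant to make explicit.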

Apply Risk-Based Management
Concepts to the Supply Chain
• Resilient integrated security
• Cost of ownership
• Outsourcing
• Integrated security assessments
• Monitoring and management
– On-site assessment
– Document exchange and review
– Process/policy review
– Third-party audit (AICPA SOC1 and SOC2)

Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

Chapter 2
Personnel Security and Risk Management
Concepts

Personnel Security Policies
and Procedures
• Personnel Management
• Candidate Screening and Hiring
• Employment Agreements and Policies
• Onboarding and Termination Processes
• Vendor, Consultant, and Contractor
Agreements and Controls
• Compliance Policy Requirements
• Privacy Policy Requirements
Personnel Management
• Job descriptions, position
descriptions
• Separation of duties
• Job responsibilities
• Job rotation
• Cross-training
• Collusion

Candidate Screening and Hiring
• Based on job description
• Background checks
• Reference checks
• Education verification
• Security clearance validation
• Online background checks

Employment
Agreements and Policies
• Non-disclosure agreement
• Non-compete agreement
• Audit job descriptions, work tasks,
privileges, and responsibilities
• Mandatory vacations

Onboarding and
Termination Processes
• Onboarding vs. offboarding
• Maintain control and minimize risks
• Exit interview
• Terminate access
• Return company property

Vendor, Consultant, and Contractor
Agreements and Controls
• Define the levels of performance,
expectation, compensation, and
consequences
• Service-level agreement (SLA)
• Risk reduction and risk avoidance

Compliance Policy Requirements
• Conforming to or adhering to rules,
policies, regulations, standards, or
requirements
• Maintain high levels of quality,
consistency, efficiency, and cost
savings

Privacy Policy Requirements
• Active prevention of unauthorized access to
information that is personally identifiable
• Freedom from unauthorized access to information
deemed personal or confidential
• Freedom from being observed, monitored, or
examined without consent or knowledge
• Legislative and regulatory compliance issues
• HIPAA, SOX, FERPA, GLB, DPD, and GDPR
• PCI-DSS

Security Governance
• Maintain business processes while
striving toward growth and resiliency
• Third-party governance
• Auditing security objectives,
requirements, regulations, and
contractual obligations
• Compliance
• Documentation review
• Authorization to operate (ATO)

Understand and Apply Risk
Management Concepts
• Risk Terminology
• Identify Threats and Vulnerabilities
• Risk Assessment/Analysis
• Risk Responses
• Countermeasure Selection and
Implementation
• Types of Controls
• Security Control Assessment
• Monitoring and Measurement
• Asset Valuation and Reporting
• Continuous Improvement
• Risk Frameworks
Risk Terminology
• Asset
• Asset valuation
• Threats
• Vulnerability
• Exposure
• Risk
• Safeguard, security control,
countermeasure
• Attack, breach

Identify Threats and Vulnerabilities
• Inventory all threats for each asset
• Threat agents
• Threat events
• Include non-IT sources

Risk Assessment/Analysis
• Quantitative analysis
• Qualitative analysis

Quantitative Analysis
• AV
• EF
• SLE = AV * EF
• ARO
• ALE = SLE * ARO

• Cost benefit:
– ALE before – ALE after – annual cost of
safeguard (ACS) = value of the safeguard to
the company
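Worked example (added here; not from the study guide or these slides): the quantitative formulas on this slide carried through for one asset and three candidate safeguards, ending with the cost/benefit figure (ALE before − ALE after − ACS). The asset value, exposure factors, rates of occurrence and safeguard costs are constructed sample numbers.

```python
"""Quantitative risk analysis with the slide's formulas: SLE = AV * EF,
ALE = SLE * ARO, and value of a safeguard = ALE(before) - ALE(after) - ACS.
All figures below are constructed sample values."""
from dataclasses import dataclass


def sle(av: float, ef: float) -> float:
    """Single loss expectancy: asset value times the fraction lost in one incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor is a fraction of asset value, 0..1")
    return av * ef


def ale(av: float, ef: float, aro: float) -> float:
    """Annualized loss expectancy: SLE times how often the loss happens per year."""
    return sle(av, ef) * aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float   # ACS: purchase, maintenance and operating cost per year
    ef_after: float      # exposure factor once the safeguard is in place
    aro_after: float     # annualized rate of occurrence once the safeguard is in place


def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """ALE before - ALE after - ACS; positive means the safeguard pays for itself."""
    return ale(av, ef, aro) - ale(av, sg.ef_after, sg.aro_after) - sg.annual_cost


def best_safeguard(av: float, ef: float, aro: float, options):
    """Name of the safeguard with the largest positive value, or None if none is worth it."""
    worth = [(safeguard_value(av, ef, aro, s), s) for s in options]
    worth = [w for w in worth if w[0] > 0]
    return max(worth, key=lambda w: w[0])[1].name if worth else None


# Constructed scenario: a customer database worth $500,000; a ransomware incident
# destroys 60% of its value (EF 0.6) and history suggests one every two years (ARO 0.5).
AV, EF, ARO = 500_000, 0.6, 0.5
OPTIONS = [
    Safeguard("offline backups", annual_cost=20_000, ef_after=0.1, aro_after=0.5),
    Safeguard("EDR subscription", annual_cost=60_000, ef_after=0.6, aro_after=0.2),
    Safeguard("gold-plated DLP", annual_cost=200_000, ef_after=0.3, aro_after=0.3),
]

if __name__ == "__main__":
    print(f"SLE = {sle(AV, EF):,.0f}  ALE = {ale(AV, EF, ARO):,.0f}")
    for sg in OPTIONS:
        print(f"{sg.name:<18} value = {safeguard_value(AV, EF, ARO, sg):>10,.0f}")
    print("best:", best_safeguard(AV, EF, ARO, OPTIONS))
```

Offline backups reduce the exposure factor (less of the asset is lost) while EDR reduces the rate of occurrence (fewer incidents); both show up as a lower ALE after, and the comparison only makes sense once the annual cost of the safeguard is subtracted, which is why the third option, despite cutting ALE the most, has negative value.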

Qualitative Analysis
• Brainstorming
• Delphi technique
• Storyboarding, scenarios
• Focus groups
• Surveys
• Questionnaires
• Checklists
• One-on-one meetings
• Interviews
Risk Responses
• Reduce or mitigate
• Assign or transfer
• Accept
• Deter
• Avoid
• Reject or ignore
• Total risk vs. residual risk
• threats × vulnerabilities × asset value =
total risk
• total risk – controls gap = residual risk

Countermeasure Selection
• Costs and benefits
• Reduce attack benefit
• Solve a real problem
• Not dependent upon secrecy
• Testable
• Uniform protection
• No dependencies
• Tamperproof
Countermeasure Implementation

• Administrative
• Logical/technical
• Physical
• Defense in depth

Types of Controls
• Deterrent
• Preventive
• Detective
• Compensating
• Corrective
• Recovery
• Directive

Security Control Assessment
• Formal evaluation of a security
infrastructure’s individual mechanisms
against a baseline or reliability expectation
• Ensure the effectiveness
• Evaluate the quality and thoroughness
• Identify relative strengths and weaknesses
of security infrastructures
• NIST SP 800-53A “Guide for Assessing the
Security Controls in Federal Information Systems”

Monitoring and Measurement

• Quantified, evaluated, or
compared
• Native/internal monitoring or
external monitoring
• Measuring the effectiveness

Asset Valuation and Reporting
• Used to justify protections
• Tangible value
• Intangible value
• Used in cost/benefit analysis
• Helps select safeguards
• Defines level of risk
• Risk reporting
• Internal or to relevant/interested third
parties

Continuous Improvement
• Security is always changing
• Needs to be integrated into
deployed security solutions
• Risk analysis is a “point in time”
metric
• As threats change, so must security

Risk Frameworks 1/3
• Guideline or recipe for how risk is to be
assessed, resolved, and monitored
• NIST SP 800-37
• Risk Management Framework (RMF)
– 1. Categorize 2. Select
– 3. Implement 4. Assess
– 5. Authorize 6. Monitor

Risk Frameworks 2/3

Risk Frameworks 3/3
• Operationally Critical Threat, Asset,
And Vulnerability Evaluation
(OCTAVE)
• Factor Analysis Of Information Risk
(FAIR)
• Threat Agent Risk Assessment
(TARA)

Establish and Maintain a Security
Awareness, Education, and Training Program
• Security requires changes in user
behavior
• Seek policy compliance
• Awareness
• Training
• Education

Manage the Security Function

• Security governance
• Risk assessment
• Craft security policy
• Cost effective
• Measurable security
• Resource management

Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

Chapter 3
Business Continuity Planning

Planning for Business Continuity
• Assessing risks to business processes
• Minimize impact from disruptions
• Maintain continuity of being able to
perform mission critical business tasks
• Main steps:
– Project scope and planning
– Business impact assessment
– Continuity planning
– Approval and implementation

Project Scope and Planning
• Business Organization Analysis
• BCP Team Selection
• Resource Requirements
• Legal and Regulatory Requirements

Business Organization Analysis
• Identify all departments
• Identify critical services
• Identify corporate security teams
• Identify senior executives and key
individuals

BCP Team Selection
• Needs members from every
department/division
• Include members from:
– IT
– Cybersecurity
– Senior management
– Physical security and facilities
– Legal and PR

Resource Requirements
• BCP Development
• BCP Testing, Training, and
Maintenance
• BCP Implementation
• Mostly personnel, but may include
IT and physical resource allocation

Legal and Regulatory
Requirements
• Federal, state, and local laws or
regulations
• Emergency services
• Industry regulations
• Country-specific laws
• Service level agreements

Business Impact Assessment
• Quantitative Decision Making vs.
Qualitative Decision Making
• Identify Priorities
• Risk Identification
• Likelihood Assessment
• Impact Assessment
• Resource Prioritization

Identify Priorities
• Critical prioritization of business processes
• Assess by department, then organization
• Assign an AV (asset value) to each process
• Determine:
• MTD (maximum tolerable downtime)
• MTO (maximum tolerable outage)
• Choose a RTO (recovery time objective)

Risk Identification
• Inventory-specific risks
• Natural and man-made
• Logical and physical and social
• Don’t overlook the cloud
• Get input from all departments

Likelihood Assessment
• Determine frequency of occurrence
• Establish an ARO (annualized rate of
occurrence)
• Based on history, experience, and
experts

Impact Assessment
• Evaluate consequences of a breach
• EF (exposure factor)
• SLE (single loss expectancy)
– SLE = AV x EF
• ALE (annualized loss expectancy)
– ALE = SLE x ARO
• Consider non-monetary impacts

Resource Prioritization
• Biggest ALE is biggest risk concern
• Combine qualitative priorities with
quantitative priorities
• Work at addressing each item from
largest ALE value first
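Worked example (added here; not from the study guide or these slides): the business impact assessment steps from Identify Priorities through Resource Prioritization run over a constructed list of business processes. Each process carries an AV, EF and ARO (so SLE and ALE follow as on the Impact Assessment slide), an MTD and a chosen RTO; processes are ordered by ALE, a qualitative "critical" tag can override the purely quantitative order, and any RTO longer than its MTD is flagged. The process names, figures and the "critical" tag convention are assumptions of this example.

```python
"""Business impact assessment in code: SLE/ALE per process, ordering by ALE with a
qualitative override, and an RTO-vs-MTD sanity check. Process list is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessProcess:
    name: str
    av: float                   # asset value assigned to the process
    ef: float                   # exposure factor, 0..1
    aro: float                  # annualized rate of occurrence
    mtd_hours: float            # maximum tolerable downtime
    rto_hours: float            # recovery time objective chosen by the BCP team
    qualitative: str = "normal" # "critical" lets a low-ALE process jump the queue (assumed tag)

    @property
    def sle(self) -> float:
        return self.av * self.ef

    @property
    def ale(self) -> float:
        return self.sle * self.aro


def prioritize(processes):
    """Qualitatively critical processes first, then largest ALE first within each group."""
    return sorted(processes, key=lambda p: (p.qualitative != "critical", -p.ale))


def rto_violations(processes):
    """Processes whose chosen RTO exceeds the MTD: the plan cannot meet the business need."""
    return [p.name for p in processes if p.rto_hours > p.mtd_hours]


# Constructed sample processes (not from the slides).
PROCESSES = [
    BusinessProcess("Online ordering", av=2_000_000, ef=0.5, aro=0.2, mtd_hours=4, rto_hours=2),
    BusinessProcess("Payroll", av=300_000, ef=0.8, aro=0.1, mtd_hours=72, rto_hours=24,
                    qualitative="critical"),
    BusinessProcess("Marketing site", av=150_000, ef=0.3, aro=1.0, mtd_hours=48, rto_hours=72),
    BusinessProcess("Warehouse WMS", av=1_000_000, ef=0.6, aro=0.5, mtd_hours=8, rto_hours=8),
]

if __name__ == "__main__":
    for p in prioritize(PROCESSES):
        print(f"{p.name:<16} ALE={p.ale:>10,.0f}  MTD={p.mtd_hours}h RTO={p.rto_hours}h  {p.qualitative}")
    print("RTO exceeds MTD:", rto_violations(PROCESSES))
```

Payroll has the second-lowest ALE but heads the list because a legal obligation to pay staff on time is a qualitative priority the numbers do not capture; the marketing site is flagged because an RTO of 72 hours cannot satisfy a 48-hour MTD, so either the RTO or the recovery provisions have to change before the plan is approved.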

Continuity Planning
• Strategy Development
• Provisions and Processes
• Plan Approval
• Plan Implementation
• Training and Education

Strategy Development
• Bridge between BIA and BCP
crafting
• Determine which risks to address in
this BCP crafting time frame
• Determine acceptable risks vs. those
that require mitigation
• Commit sufficient resources to
resolve priorities

Provisions and Processes
• People
• Building and facilities
– Hardening provisions
– Alternate sites
• Infrastructure
– Physically hardening systems
– Alternative systems

Plan Approval
• Top-level management
endorsement
• Educate top executives about plan
concepts and details
• Senior executive approval
establishes plan credibility
throughout organization

Plan Implementation
• Define an implementation
schedule
• Use allocated implementation
resources
• Achieve process and provisioning
goals
• Implement BCP maintenance
program

Training and Education
• Assign responsibilities
• Plan overview briefing
• Dedicated training for those with
assigned responsibilities
• A backup or replacement person
for each position

BCP Documentation
• Continuity Planning Goals
• Statement of Importance
• Statement of Priorities
• Statement of Organizational Responsibility
• Statement of Urgency and Timing
• Risk Assessment
• Risk Acceptance/Mitigation
• Vital Records Program
• Emergency-Response Guidelines
• Maintenance
• Testing and Exercises

Continuity Planning Goals
• Set goals
• Ensure the continuous operation of
the business in the face of an
emergency situation
• Meet organizational needs

Statement of Importance
• Reflects criticality of BCP
• Disclosed in a memo to all
employees
• Should be signed by CEO to avoid
compliance resistance

Statement of Priorities
• Directly reflects designed BCP
priorities
• Include evaluation of priorities
• Focus on importance to the
continued operation of business
functions in the event of an
emergency

Statement of Organizational Responsibility
• Business continuity is everyone’s
responsibility
• Reinforces organization's
commitment to BCP
• Informs individuals of the
expectation to assist and support

Statement of Urgency and Timing
• Stresses priority of implementation
• Defines the roll-out timetable

Risk Assessment
• A recap of the BCP decision-making
process
• Summary of BIA
• Discloses quantitative and
qualitative analysis results

Risk Acceptance/Mitigation
• Identifies those risks deemed
acceptable
• Identifies those risks deemed
unacceptable
– List risk management provisions
– Define processes and responses
– Define how the risk is reduced or
managed

Vital Records Program
• Determine where critical records will
be stored
• Set procedures for backing up critical
records
• Identify critical records
• Digital and paper should be considered
• Vital records are those needed to
reconstruct the organization in the
event of a disaster

Emergency-Response Guidelines

• Define responsibilities in an
emergency
• Details activation of BCP elements
• Immediate response procedures
• Individuals to notify of the incident
• Secondary response procedures
• Goal is to minimize response time

Maintenance
• BCP is a living document
• BCP should be periodically updated
• Drastic changes may require a
complete re-design and re-crafting
• Practice good version control
• Include BCP in job
descriptions/responsibilities

Testing and Exercises
• Establish a formalized testing
program
• Train personnel on their tasks and
responsibilities
• See disaster recovery testing in
Chapter 18

Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

Chapter 4
Laws, Regulations, and Compliance

Categories of Laws
• Criminal Law
• Civil Law
• Administrative Law

Criminal Law
• Preserve peace
• Keep society safe
• Penalties include:
– Community service
– Fines
– Prison
• Enacted through legislation

Civil Law
• Provide for orderly society
• Govern matters that are not crimes
• Enacted through legislation
• Punishment can include financial
penalties

Administrative Law
• Policies, procedures, and
regulations
• Govern the daily operations of an
entity
• Enacted by government agencies,
not the legislature

Laws
• Computer Crime
• Intellectual Property
• Licensing
• Import/Export
• Privacy

Computer Crime 1/2
• Computer Fraud and Abuse Act (CFAA)
• Federal interest computer
• Accessing classified information, accessing system,
fraud, malicious damage, modify medical records,
traffic passwords
• Any computer in use by the government, financial
institutions, and interstate offenses
• Amendments
• Creating malware code, interstate commerce,
imprisonment, and civil action from victims
• Federal Sentencing Guidelines
• Prudent man rule
• Burden of proof: negligence, compliance, causal

Computer Crime 2/2
• National Information Infrastructure Protection
Act
• CFAA – international, national infrastructure
• Federal Information Security Management Act
(FISMA)
• Risk assessment, planning, training, testing, incident
management
• Federal Information Systems Modernization Act
(FISMA)
• Centralizing under DHS
• Cybersecurity Enhancement Act
• NIST establishing voluntary cybersecurity standards

Intellectual Property 1/2
• Copyrights
• Original works of authorship
• Digital Millennium Copyright Act
• Trademarks
• Words, slogans, logos, etc., which identify
a company, its products, and its services
• Patents
• Intellectual property rights of inventors

Intellectual Property 2/2
• Trade Secrets
• Intellectual property of an
organization
• Non-disclosure agreement (NDA)
• Economic Espionage Act
• Stealing trade secrets to benefit a
foreign government
• Stealing trade secrets

Licensing
• Contractual license agreements
• Shrink-wrap license agreements
• Click-through license agreements
• Cloud services license agreements

Import/Export
• Trans-border data flow of new
technologies, intellectual property, and
personally identifying information
• International Traffic in Arms Regulations
(ITAR)
• United States Munitions List (USML)
• Export Administration Regulations (EAR)
• Commerce Control List (CCL)
• Computer Export Controls
• Encryption Export Controls

Privacy 1/5
• U.S. Privacy Law (1/2)
– Fourth Amendment
– Privacy Act
– Electronic Communications Privacy
Act
– Communications Assistance for Law
Enforcement Act (CALEA)
– Economic Espionage Act
– Health Insurance Portability and
Accountability Act (HIPAA)
Privacy 2/5
• U.S. Privacy Law (2/2)
– Health Information Technology for
Economic and Clinical Health Act (HITECH)
– Data Breach Notification Laws
– Children’s Online Privacy Protection Act
(COPPA)
– Gramm-Leach-Bliley Act
– USA PATRIOT Act
– Family Educational Rights and Privacy Act
(FERPA)
– Identity Theft and Assumption Deterrence
Act

Privacy 3/5
• European Union Privacy Law (1/3)
– Consent
– Contract
– Legal obligation
– Vital interest of the data subject
– Balance between the interests of the
data holder and the interests of the
data subject
– Key rights of individuals
– Privacy Shield agreement

Privacy 4/5
• European Union Privacy Law (2/3)
– Privacy Shield agreement
– Informing Individuals About Data Processing
– Providing Free and Accessible Dispute Resolution
– Cooperating with the Department of Commerce
– Maintaining Data Integrity and Purpose Limitation
– Ensuring Accountability for Data Transferred to
Third Parties
– Transparency Related to Enforcement Actions
– Ensuring Commitments Are Kept As Long As Data
Is Held

Privacy 5/5
• European Union Privacy Law (3/3)
– European Union General Data
Protection Regulation (GDPR)
– Applies to organizations that are not
based in the EU
– 24-hour data breach notification
requirement
– Centralized data protection authorities in
each EU member state
– Individuals will have access to their own
data
– Data portability provisions
– The “right to be forgotten”

Compliance
• Security regulation has become complex
• Issues with regulatory agencies and
contractual obligations
• Overlapping and often contradictory
requirements
• May require full-time compliance staff
• Compliance audits and reporting
• Payment Card Industry Data Security
Standard (PCI DSS)

Contracting and Procurement
• Use of cloud and service vendors
requires contract scrutiny
• Perform security review and
vendor governance
• Tailor the contract and review to
your specific concerns

Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

Chapter 5
Protecting Security of Assets

Identify and Classify Assets
• Defining Sensitive Data
• Defining Classifications
• Determining Data Security Controls
• Understanding Data States
• Handling Information and Assets
• Data Protection Methods
• Determining Ownership
• Data Processors
• Using Security Baselines
Defining Sensitive Data
• Personally Identifiable Information (PII)
– NIST SP 800-122
• Protected Health Information (PHI)
– HIPAA
• Proprietary Data

Defining Classifications 1/3
• Government/Military
– Top Secret
– Secret
– Confidential
– Unclassified
– For Official Use Only (FOUO)
– Sensitive but Unclassified (SBU)
• Non-government
– Class 3, 2, 1, 0

Defining Classifications 2/3

Defining Classifications 3/3
• Civilian
– Confidential or Proprietary
– Private
– Sensitive
– Public
• Defining Asset Classifications
– Asset classification should match
system classifications for
use/access

Determining Data Security
Controls
• Define a policy for all forms and
locations of data
• Encrypt all the things
• Consider the value of data
• Use labels and enforcement
• Use data loss prevention (DLP)
• Set requirements for:
– Communications, Storage, and
Backups

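Worked example (added here; not from the study guide or these slides): a minimal data loss prevention check of the kind the "labels and enforcement" and "DLP" bullets above call for. Outbound text is scanned for two constructed PII patterns (a US SSN shape and a payment card number that passes the Luhn check), and the decision also honours the classification label attached to the document. The label names, the encrypt/block policy and the sample messages are assumptions of this example.

```python
"""Label-aware DLP check: scan outbound text for PII patterns and decide allow /
encrypt / block from the findings plus the document's classification label.
Patterns, label order and policy are constructed for this example."""
import re

# US SSN shape with the invalid area/group/serial values excluded (assumed pattern).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

# Labels in increasing sensitivity; "confidential" and above must not leave unencrypted (assumed policy).
LABELS = ["public", "sensitive", "private", "confidential"]


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits in `candidate`; weeds out random digit runs."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str):
    """Return the kinds of PII found: 'ssn' and/or 'pan'."""
    findings = []
    if SSN_RE.search(text):
        findings.append("ssn")
    for m in PAN_RE.finditer(text):
        if luhn_ok(m.group()):
            findings.append("pan")
            break
    return findings


def dlp_decision(text: str, label: str, encrypted: bool = False) -> str:
    """'allow', 'encrypt' (send only over an encrypted channel) or 'block'."""
    if label not in LABELS:
        raise ValueError(f"unknown label {label!r}")
    pii = find_pii(text)
    if "pan" in pii:
        return "block"          # card data never leaves in the clear (PCI DSS scope)
    if LABELS.index(label) >= LABELS.index("confidential") or pii:
        return "allow" if encrypted else "encrypt"
    return "allow"


# Constructed sample messages (not real data).
SAMPLES = [
    ("Quarterly newsletter draft attached", "public", False),
    ("Customer SSN 123-45-6789 for the loan file", "sensitive", False),
    ("Customer SSN 123-45-6789 for the loan file", "sensitive", True),
    ("Card 4111 1111 1111 1111 exp 12/29 please charge", "public", False),
    ("Board minutes, no PII inside", "confidential", False),
]

if __name__ == "__main__":
    for text, label, enc in SAMPLES:
        print(f"{dlp_decision(text, label, enc):<8} [{label}] {text}")
```

The Luhn check matters: a 16-digit order number would otherwise be blocked as a card number, and false positives are what make users route around DLP. The label check is independent of content scanning, which is the point of labelling in the first place: a confidential document with no recognisable PII still gets enforced handling.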
Understanding Data States
• Data at rest
• Data in motion
• Data in use
• Encryption
• Authentication
• Authorization

Handling Information and Assets 1/4
• Marking Sensitive Data and Assets
– Physical and logical labeling
– Assists with DLP and human handling
– Address downgrading
• Handling Sensitive Information and
Assets
– Be aware of common loss of control
situations, such as backups and cloud
storage

Handling Information and Assets 2/4
• Storing Sensitive Data
– Use storage encryption
– Manage the environment
– Provide quality storage devices for
long term retention
• Destroying Sensitive Data
– NIST SP 800-88r1, “Guidelines for
Media Sanitization”

Handling Information and Assets 3/4
• Eliminating Data Remanence
– HDD vs. SSD/flash
– Sanitization
– Erasing
– Clearing
– Purging
– Degaussing
– Destruction
– Declassification

Handling Information and Assets
4/4

Ensuring Appropriate Asset
Retention

Record retention

Media, system retention

Employees and NDAs

A necessary element of a security
policy

151
Data Protection Methods
• Protecting Data with Symmetric Encryption
– AES
– Triple DES
– Blowfish
• Protecting Data with Transport Encryption
– TLS
– VPN
– IPSec
– SSH

152
Determining Ownership 1/4
• Data Owners
• Asset Owners/System Owners
• Business/Mission Owners
• Data Processors (next slide)

153
Determining Ownership 2/4
• Data Processors
– The person or entity that controls processing of the data
• GDPR
• EU-US Privacy Shield
– Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement, and Liability
154
Determining Ownership 3/4
• Pseudonymization
• Artificial identifiers
• Anonymization
• Inferencing
• Data masking and randomization
• Administrators

155
Determining Ownership 4/4
• Custodians
• Users
• Protecting Privacy
• HIPAA
• California Online Privacy Protection
Act of 2003 (CalOPPA)
• Personal Information Protection
and Electronic Documents Act
(Canada)
• GDPR
156
Using Security Baselines
• NIST SP 800-53
• Scoping
• Selecting controls that specifically
apply to the protected target
• Tailoring
• Adjust security control baseline to
align with organization mission
• Selecting Standards
• Contractual vs.
regulation/legislation
157
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

158
Chapter 6
Cryptography and
Symmetric Key Algorithms

159
Historical Milestones in
Cryptography
• Caesar Cipher
– Substitution
– ROT3
• American Civil War
– Substitution and transposition
– Flag signals
• Ultra vs. Enigma
– Purple Machine

160
Cryptographic Basics
• Goals of Cryptography
• Cryptography Concepts
• Cryptographic Mathematics
• Ciphers

161 overview
Goals of Cryptography
• Confidentiality
– Symmetric and asymmetric
– Data at rest
– Data in motion
– Data in use
• Integrity
• Authentication
• Nonrepudiation

162
Cryptography Concepts
• Plaintext
• Encrypt/decrypt
• Ciphertext
• Keys, cryptovariable
• Keyspace, bit size
• Kerckhoffs’s Principle
• Cryptography, cryptanalysis, cryptology,
cryptosystem
• FIPS 140-2

163
Cryptographic Mathematics
• Boolean mathematics/logical
operations
– AND, OR, NOT, XOR
• Modulo function
• One-way functions
• Nonce
• Zero-knowledge proof
• Split knowledge
• Work function

164
Ciphers 1/2
• Codes vs. ciphers
• Transposition ciphers
• Substitution ciphers
– Caesar cipher
– ROT3
– Vigenère cipher
• One-time pads
• Running key ciphers
165
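The classical ciphers on the Ciphers 1/2 slide, together with the modulo and XOR operations from the Cryptographic Mathematics slide, as an added worked example in Python (not material from the slide deck or the study guide): a Caesar/ROT3 shift and a Vigenère cipher (substitution, arithmetic mod 26), a columnar transposition (letters moved rather than replaced), a one-time pad built from XOR, and a letter-frequency count that shows why a single-alphabet substitution is weak. The message, key and pad values are constructed for the demonstration.

```python
import string
from collections import Counter
from secrets import token_bytes

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Monoalphabetic substitution: every letter moves `shift` places (mod 26).
    ROT3, the historical Caesar cipher, is shift=3; non-letters pass through."""
    if decrypt:
        shift = -shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution: letter i is Caesar-shifted by key[i mod len(key)],
    so one plaintext letter no longer maps to a single ciphertext letter."""
    key = key.upper()
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            k = ALPHABET.index(key[i % len(key)])
            out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def columnar_encrypt(text: str, cols: int) -> str:
    """Transposition: write the text in rows of `cols`, read it out column by column.
    The letters are rearranged, not replaced."""
    return "".join(text[c::cols] for c in range(cols))


def columnar_decrypt(cipher: str, cols: int) -> str:
    rows, extra = divmod(len(cipher), cols)
    columns, pos = [], 0
    for c in range(cols):            # the first `extra` columns are one character longer
        length = rows + (1 if c < extra else 0)
        columns.append(cipher[pos:pos + length])
        pos += length
    return "".join(columns[c][r] for r in range(rows + 1)
                   for c in range(cols) if r < len(columns[c]))


def one_time_pad(data: bytes, pad: bytes) -> bytes:
    """XOR with a pad at least as long as the message. XOR is its own inverse, so the
    same call decrypts; the pad must be truly random and never reused."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ p for d, p in zip(data, pad))


def letter_frequencies(text: str) -> Counter:
    """Letter histogram. A Caesar shift only relabels the bars, which is why frequency
    analysis defeats single-alphabet substitution but not a one-time pad."""
    return Counter(ch for ch in text.upper() if ch in ALPHABET)


if __name__ == "__main__":
    msg = "ATTACK AT DAWN"                      # constructed sample message
    print(caesar(msg, 3), caesar(caesar(msg, 3), 3, decrypt=True))
    print(vigenere("ATTACKATDAWN", "LEMON"))
    pad = token_bytes(len(msg))                 # fresh random pad for this one message
    print(one_time_pad(one_time_pad(msg.encode(), pad), pad))
```

The frequency count is the defender's view of the ROT3 slide: the shifted text has exactly the plaintext's histogram, shifted, so the cipher hides nothing about letter statistics.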
Ciphers 2/2
• Block ciphers
• Stream ciphers
• Confusion and diffusion

166
Modern Cryptography
• Cryptographic Keys
• Symmetric Key Algorithms
• Asymmetric Key Algorithms
• Hashing Algorithms

167 overview
Cryptographic Keys
• Security through obscurity
• Algorithms
• Keys
• Longer keys = better security

168
Symmetric Key Algorithms 1/2

• Shared secret
• Secret key cryptography/
private key cryptography
• Key distribution
• Lack of non-repudiation
• Not scalable
• Keys must be regenerated often
• Fast

169
Symmetric Key Algorithms 2/2

170
Asymmetric Key Algorithms 1/3

• Aka public key algorithms
• Key pair sets: public key and private key
• Digital signatures
• Scalable
– # of keys = n(n-1)/2 (sym) vs 2n (asymm)
• Key cancellation
• Regeneration only required at compromise or expiration

171
Asymmetric Key Algorithms 2/3

172
Asymmetric Key Algorithms 3/3

• Supports integrity (via hashing in digital signatures), authentication, and nonrepudiation
• Simple key generation
• No preexisting secure communication link needs to exist for key exchange
• Slow

173
Hashing Algorithms
• Message digests
• Deriving original from hash is
difficult or impossible
• Collisions
• Chapter 7 includes hashing
algorithms

174
Symmetric Cryptography 1/3
• Data Encryption Standard
– 56-bit key, 64-bit blocks, 16 rounds
– Electronic code book
– Cipher block chaining
– Cipher feedback
– Output feedback
– Counter mode
• Triple DES
– 168/112-bit key, 64-bit blocks, 48 rounds
– Modes: EEE3, EEE2, EDE3, EDE2

175
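To make the electronic code book versus cipher block chaining distinction on the Data Encryption Standard slide concrete, an added Python example that is not from the deck or the study guide: a deliberately toy 64-bit block cipher (XOR with the key, then rotate the bytes; it is not secure and stands in for DES or AES only so the modes can be traced by hand) run in ECB and CBC modes with PKCS#7 padding. The key, IV and message are constructed values; `repeated_blocks` counts the duplicate ciphertext blocks that ECB leaks and CBC hides.

```python
BLOCK = 8  # 64-bit blocks, as in DES


def _toy_block_encrypt(block: bytes, key: bytes) -> bytes:
    """TOY 64-bit block cipher used only to make the modes visible; it is NOT secure.
    XOR with the key, then rotate the bytes left by one. Use AES from a vetted
    library for anything other than this demonstration."""
    x = bytes(b ^ k for b, k in zip(block, key))
    return x[1:] + x[:1]


def _toy_block_decrypt(block: bytes, key: bytes) -> bytes:
    x = block[-1:] + block[:-1]
    return bytes(b ^ k for b, k in zip(x, key))


def pad(data: bytes) -> bytes:
    """PKCS#7 padding so the plaintext is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ecb_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Electronic Code Book: every block is encrypted independently, so equal
    plaintext blocks give equal ciphertext blocks (the pattern leak that makes ECB
    unsuitable for more than a single block)."""
    data = pad(plaintext)
    return b"".join(_toy_block_encrypt(data[i:i + BLOCK], key)
                    for i in range(0, len(data), BLOCK))


def ecb_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    return unpad(b"".join(_toy_block_decrypt(ciphertext[i:i + BLOCK], key)
                          for i in range(0, len(ciphertext), BLOCK)))


def cbc_encrypt(plaintext: bytes, key: bytes, iv: bytes) -> bytes:
    """Cipher Block Chaining: each plaintext block is XORed with the previous
    ciphertext block (the IV for the first) before encryption, so repeats vanish.
    The IV must be unpredictable and unique per message; it travels in the clear."""
    data = pad(plaintext)
    prev, out = iv, []
    for i in range(0, len(data), BLOCK):
        prev = _toy_block_encrypt(_xor(data[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ciphertext: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(_toy_block_decrypt(block, key), prev))
        prev = block
    return unpad(b"".join(out))


def repeated_blocks(ciphertext: bytes) -> int:
    """Number of ciphertext blocks that duplicate an earlier one: the ECB tell-tale."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = bytes([0x0F]) * BLOCK        # constructed demo key
    iv = bytes(range(BLOCK))           # constructed demo IV (use os.urandom in practice)
    msg = b"AAAAAAAA" * 4              # four identical plaintext blocks
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(msg, key)))
    print("CBC repeated blocks:", repeated_blocks(cbc_encrypt(msg, key, iv)))
```

Run it and ECB reports three repeated blocks for the four identical plaintext blocks, while CBC reports none; the same check over a real ciphertext is a quick way to spot ECB in a protocol or file format review.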
Symmetric Cryptography 2/3
• International Data Encryption
Algorithm (IDEA)
– 128-bit key, 64-bit blocks
• Blowfish
– 32 to 448-bit key, 64-bit blocks
• Skipjack
– 80-bit key, 64-bit blocks
• RC5
– 0 to 2040-bit keys, 32/64/128-bit blocks

176
Symmetric Cryptography 3/3

• Advanced Encryption Standard
– Rijndael block cipher
– 128-bit blocks
– 128-bit key, 10 rounds
– 192-bit key, 12 rounds
– 256-bit key, 14 rounds
• TwoFish
– 1 to 256-bit keys, 128-bit blocks

177
Symmetric Key Management
• Creation and distribution
– Offline
– Public key encryption
– Diffie-Hellman
• Storage and destruction
• Key escrow and recovery
– Fair Cryptosystem
– Escrowed Encryption Standard

178
Cryptographic Life Cycle
• Limited life span based on Moore’s law
• Strong enough to provide sufficient protection for as long as the data is valuable
• Governance controls:
– Algorithms
– Key lengths
– Security transaction protocols

179
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

180
Chapter 7
PKI and Cryptographic Applications

181
Asymmetric Cryptography
• Public and Private Keys
• RSA
– Based on factoring difficulty
• Merkle-Hellman Knapsack
• El Gamal
– An extension of the math from Diffie-
Hellman
• Elliptic Curve

182
Hash Functions 1/2
• Message digest
• Detects differences and/or collisions
• Parity, checksum
• Variable-length input
• Fixed-length output
• Hash is easy to compute
• Hash is one-way
• Hash is collision resistant

183
Hash Functions 2/2
• SHA
– SHA-1 – 160-bit hash output
– SHA-2: SHA-256, -224, -512, -384
– SHA-3: SHA3-256, -224, -512, -384
• MD2 – 128-bit hash output
• MD4 – 128-bit hash output
• MD5 – 128-bit hash output
• Hash of Variable Length (HAVAL)
• Hash-based Message Authentication Code (HMAC)

184
Digital Signatures
• Integrity, authentication, non-repudiation
• Sender encrypts hash of data with private key
• Recipient verifies with sender’s public key and
hash comparison
• HMAC
– Hashing with symmetric keys used for entropy
• Digital Signature Standard
– DSA – FIPS 186-4
– RSA – ANSI X9.31
– ECDSA – ANSI X9.62

185
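The signing flow on the Digital Signatures slide (hash the data, encrypt the hash with the private key, verify with the public key and a hash comparison) and the HMAC item, as an added Python example that is not from the deck or the study guide. HMAC uses the standard library; the signature uses toy RSA parameters (two Mersenne primes giving an assumed ~92-bit modulus, with the digest reduced mod N instead of proper PKCS#1 padding) chosen so the arithmetic is visible. A real deployment uses a vetted library with 2048-bit or larger keys.

```python
import hashlib
import hmac

# ---- HMAC: integrity and authentication with a shared symmetric key --------------
def hmac_tag(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest avoids the timing leak of a plain == on secret values
    return hmac.compare_digest(hmac_tag(key, message), tag)


# ---- Digital signature: sign the hash with the private key, verify with the public --
# TOY RSA parameters (assumed, for illustration only). Real keys are >= 2048 bits
# and generated from a CSPRNG; these are far too small to be secure.
P = 2 ** 31 - 1
Q = 2 ** 61 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def _message_representative(message: bytes) -> int:
    """Hash first, then sign the digest. Toy shortcut: reduce the digest mod N.
    Real schemes (PKCS#1 v1.5, PSS) pad the digest up to the modulus size instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D, modulus: int = N) -> int:
    """Sender: 'encrypt' the hash with the private key."""
    return pow(_message_representative(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int = E, modulus: int = N) -> bool:
    """Recipient: 'decrypt' the signature with the public key and compare it with a
    freshly computed hash of the received data."""
    return pow(signature, public_exponent, modulus) == _message_representative(message)


if __name__ == "__main__":
    doc = b"Transfer 100 to account 42"          # constructed sample message
    tag = hmac_tag(b"shared-secret", doc)
    sig = sign(doc)
    print("HMAC ok:", hmac_verify(b"shared-secret", doc, tag))
    print("signature ok:", verify(doc, sig), "after tampering:", verify(doc + b"0", sig))
```

The two mechanisms differ in what they prove: HMAC shows the message came from someone holding the shared key (either party could have produced it, so no non-repudiation), while the signature can only have come from the holder of the private key.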
Public Key Infrastructure
• Certificates
• Certificate Authorities
• Certificate Generation and
Destruction

186 overview
Certificates
• X.509 version 3
• Serial number
• Signature algorithm identifier
• Issuer name
• Validity period
• Subject’s name
• Subject’s public key

187
Certificate Authorities
• Neutral organizations offering
notarization services for digital
certificates
• Public commercial or internal
private
• Registration authorities
• Certificate path validation

188
Certificate Generation and
Destruction
• Enrollment
• Verification
• Revocation
– Compromise, erroneously issued,
subject’s details changed, or security
association changed
• Certificate revocation list (CRL)
• Online Certificate Status Protocol (OCSP)

189
Asymmetric Key Management

• Choose encryption scheme wisely
• Random key selection
• Long length
• Keep private keys private
• Retire keys after useful lifetime
• Back up keys for recovery options

190
Applied Cryptography 1/3
• Portable devices
– TPM
• Email
– PGP
– S/MIME
• Web applications
– SSL / TLS
• Steganography and watermarking

191
Applied Cryptography 2/3
• Digital Rights Management
– Music DRM
– Movie DRM
– E-book DRM
– Video Game DRM
– Document DRM

192
Applied Cryptography 3/3
• Networking
– Circuit encryption – link (tunnel mode)
or end-to-end (transport mode)
– Secure Shell (SSH)
– IPSec
• AH, ESP, HMAC, ISAKMP
– Wireless networking
• WEP, WPA, WPA2
• IEEE 802.1x

193
Cryptographic Attacks 1/2
• Analytic attack
• Implementation attack
• Statistical attack
• Brute force
• Rainbow tables
• Scalable computing hardware
• Salting
• Frequency analysis and ciphertext only
attack

194
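Salting, listed on the Cryptographic Attacks 1/2 slide beside rainbow tables, as an added Python example that is not from the deck or the study guide: an unsalted SHA-256 digest is identical for every user with the same password, which is exactly what a precomputed table exploits, while PBKDF2-HMAC-SHA256 with a per-user random salt and an assumed iteration count yields a different digest per user and makes each guess slow. The salts and passwords used here are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumed work factor; raise it as hardware gets faster


def unsalted_hash(password: str) -> str:
    """What a precomputed (rainbow) table targets: the same password always yields
    the same digest, for every user and every system."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow password hash (PBKDF2-HMAC-SHA256). A fresh random salt per user
    makes a precomputed table useless (it would have to be rebuilt per salt) and the
    iteration count makes each guess expensive. Returns (salt, digest); store both."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)   # constant-time comparison


def same_password_linkable(pw_a: str, pw_b: str) -> bool:
    """True when two unsalted records would reveal that two users share a password."""
    return unsalted_hash(pw_a) == unsalted_hash(pw_b)


if __name__ == "__main__":
    salt1, h1 = hash_password("correct horse")   # user 1 (constructed)
    salt2, h2 = hash_password("correct horse")   # user 2, same password
    print("unsalted digests identical:", same_password_linkable("correct horse", "correct horse"))
    print("salted digests identical:", h1 == h2)
    print("verifies:", verify_password("correct horse", salt1, h1))
```

When reviewing a credential store, the check that matters is whether two accounts with the same password share a stored value; if they do, the store is unsalted and any leak is table-lookup cheap to reverse.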
Cryptographic Attacks 2/2
• Known plaintext
• Chosen ciphertext
• Chosen plaintext
• Meet in the middle
• Man in the middle
• Birthday attack
– Collision attack or reverse hash matching
• Replay

195
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

196
Chapter 8
Principles of Security Models, Design, and Capabilities

197
Implement and Manage Engineering
Processes Using Secure Design Principles

• Objects and Subjects
• Closed and Open Systems
• Techniques for Ensuring
Confidentiality, Integrity, and
Availability
• Controls
• Trust and Assurance
198 overview
Objects and Subjects
• Subject – often a user
• Object – a resource
• Managing relationship between
subject and object is access control
• Transitive trust

199
Closed and Open Systems
• Closed system
– Proprietary standards
– Hard to integrate
– Possibly more secure
• Open system
– Open or industry standards
– Easier to integrate
• Open source vs. closed source

200
Techniques for Ensuring Confidentiality,
Integrity, and Availability

• Confinement
– Sandboxing
• Bounds
• Isolation

201
Controls
• Discretionary access control
• Mandatory access control
• Rule-based access control

202
Trust and Assurance
• Integrated before and during design
• Security must be:
– Engineered, implemented, tested, audited,
evaluated, certified, and accredited
• Trusted system
– Security mechanisms work together to provide
a secure computing environment
• Assurance
– Degree of confidence in satisfaction of security
needs

203
Understand the Fundamental
Concepts of Security Models
• Trusted Computing Base
• State Machine Model
• Information Flow Model
• Noninterference Model
• Take-Grant Model
• Access Control Matrix
• Bell-LaPadula Model
• Biba Model
• Clark-Wilson Model
• Brewer and Nash Model (aka Chinese Wall)
• Goguen-Meseguer Model
• Sutherland Model
• Graham-Denning Model

204 overview
Trusted Computing Base
• Defined in DoD 5200.28 Orange Book
– Trusted Computer System Evaluation
Criteria (TCSEC)
• Security perimeter
• Trusted paths
• Reference Monitor
• Security kernel

205
State Machine Model
• Always secure no matter what state
it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security
models

206
Information Flow Model
• Based on the state machine model
• Prevent unauthorized, insecure, or
restricted information flow
• Controls flow between security
levels
• Can be used to manage state
transitions

207
Noninterference Model
• Based on information flow model
• Separates actions of subjects at
different security levels
• Composition theories
– Cascading
– Feedback
– Hookup

208
Take-Grant Model
• Dictates how rights can be passed
between subjects
• Take rule
• Grant rule
• Create rule
• Remove rule

209
Access Control Matrix
• A table of subjects, objects, and
access
• Columns are ACLs
• Rows are capability lists
• Can be used in DAC, MAC, or RBAC

210
Bell-LaPadula Model 1/2
• Based on DoD multilevel security policy
• Focuses only on confidentiality
• Lattice based access control
• Simple security property
– No read up
• * (star) security property
– No write down
• Discretionary security property
– Access control matrix for DAC

211
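The Access Control Matrix slide (columns as ACLs, rows as capability lists) and the Bell-LaPadula properties (no read up, no write down, DAC through the matrix), combined in one added Python example that is not from the deck or the study guide. The clearance lattice, subjects, objects and grants are constructed sample data; the access decision applies the mandatory lattice rule first and then the discretionary check, which is the discretionary security property in action.

```python
from enum import IntEnum
from typing import Dict, Set, Tuple


class Level(IntEnum):
    """Linear lattice of clearances/classifications (a higher value dominates)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class AccessControlMatrix:
    """Subjects are rows, objects are columns, cells hold the granted rights."""

    def __init__(self) -> None:
        self._cells: Dict[Tuple[str, str], Set[str]] = {}

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self._cells.setdefault((subject, obj), set()).update(rights)

    def allowed(self, subject: str, obj: str, right: str) -> bool:
        return right in self._cells.get((subject, obj), set())

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        """One column: the object's access control list (who may do what to it)."""
        return {s: set(r) for (s, o), r in self._cells.items() if o == obj}

    def capabilities(self, subject: str) -> Dict[str, Set[str]]:
        """One row: the subject's capability list (what it may do to each object)."""
        return {o: set(r) for (s, o), r in self._cells.items() if s == subject}


def blp_permits(clearance: Level, classification: Level, right: str) -> bool:
    """Bell-LaPadula mandatory rules on the lattice."""
    if right == "read":       # simple security property: no read up
        return clearance >= classification
    if right == "write":      # * (star) security property: no write down
        return clearance <= classification
    raise ValueError(f"unknown right: {right}")


def access_decision(acm: AccessControlMatrix, clearances: Dict[str, Level],
                    classifications: Dict[str, Level],
                    subject: str, obj: str, right: str) -> bool:
    """MAC lattice check first; then the discretionary security property consults
    the matrix, so a subject still needs an explicit DAC grant to proceed."""
    return (blp_permits(clearances[subject], classifications[obj], right)
            and acm.allowed(subject, obj, right))


def build_demo():
    """Constructed sample: two analysts, two documents, and their grants."""
    acm = AccessControlMatrix()
    acm.grant("alice", "secret_report", "read", "write")
    acm.grant("alice", "public_memo", "read", "write")
    acm.grant("bob", "secret_report", "read")
    acm.grant("bob", "public_memo", "read", "write")
    clearances = {"alice": Level.SECRET, "bob": Level.CONFIDENTIAL}
    classifications = {"secret_report": Level.SECRET, "public_memo": Level.UNCLASSIFIED}
    return acm, clearances, classifications


if __name__ == "__main__":
    acm, clearances, classifications = build_demo()
    for subject, obj, right in [("alice", "secret_report", "read"),
                                ("bob", "secret_report", "read"),
                                ("alice", "public_memo", "write")]:
        print(subject, right, obj, "->",
              access_decision(acm, clearances, classifications, subject, obj, right))
```

Note the two denials in the demo: bob holds a DAC grant to read the secret report and alice holds one to write the public memo, and both are refused by the lattice before the matrix is even consulted. That ordering is the point of layering MAC over DAC.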
Bell-LaPadula Model 2/2

212
Biba Model 1/2
• Based on the inverse of Bell-LaPadula
• Focuses only on integrity
• Simple integrity property
– No read up
• * (star) integrity property
– No write down
• Prevent modification by unauthorized
subjects
• Prevent unauthorized modifications
• Protect internal and external consistency

213
Biba Model 2/2

214
Clark-Wilson Model 1/2
• Focuses on integrity
• Access control triplet
• Controls access through an
intermediary program or restricted
interface
• Well-formed transactions
• Separation of duties

215
Clark-Wilson Model 2/2
• Constrained data item (CDI)
– Any data item whose integrity is
protected
• Unconstrained data item (UDI)
– Any data item that is not
controlled/protected
• Integrity verification procedure (IVP)
– A procedure that scans data items and
confirms their integrity
• Transformation procedures (TPs)
– The only procedures allowed to modify a
CDI

216
Brewer and Nash Model
(aka Chinese Wall)
• Prevents conflicts of interest
• Based on dynamic access changes
based on user activity
• Access to conflicting data is
temporarily blocked

217
Goguen-Meseguer Model
• Focuses on integrity
• The basis of the noninterference
model
• Based on a predetermined set/
domain of objects a subject can
access
• Based on automation theory and
domain separation

218
Sutherland Model
• Focuses on integrity
• Prevent interference in support of
integrity
• Defines a set of system states, initial
states, and state transitions
• Commonly used to prevent covert
channels from influencing processes

219
Graham-Denning Model
• Secure management of objects and
subjects
• Securely create object/subject
• Securely delete object/subject
• Securely provide read access right
• Securely provide grant access right
• Securely provide delete access right
• Securely provide transfer access right

220
Select Controls and Countermeasures
Based on Systems Security Evaluation
Models

• Rainbow Series
• ITSEC Classes and Required
Assurance and Functionality
• Common Criteria
• Industry and International Security
Implementation Guidelines
• Certification and Accreditation
221 overview
Rainbow Series
• TCSEC – Orange Book
– Confidentiality
– D, C1, C2, B1, B2, B3, A1
• Red Book
– Trusted Network Interpretation of TCSEC
– Confidentiality and Integrity
– None, C1, C2, B2
• Green Book
– Password management guidelines

222
ITSEC Classes and Required
Assurance and Functionality
• Rates functionality (F) and
assurance (E)
• F-D through F-B3
• E0 through E6
• Confidentiality, integrity, and
availability

223
Common Criteria
• Designed to replace prior systems
• ISO 15408
• Protection profiles
• Security targets
• Evaluation Assurance Level (EAL)
• Part 1: Introduction and General Model
• Part 2: Security Functional
Requirements
• Part 3: Security Assurance

224
Industry and International Security
Implementation Guidelines

• Payment Card Industry Data Security Standard (PCI DSS)
• International Organization for Standardization (ISO)

225
Certification and Accreditation
• Certification
– Comprehensive evaluation of security
against security requirements
• Accreditation
– Formal designation by DAA that system
meets organizational security needs
• Risk Management Framework (RMF)
• Committee on National Security Systems
Policy (CNSSP)
– Phase 1: Definition, 2: Verification, 3:
Validation, 4: Post Accreditation
226
Understand Security Capabilities of
Information Systems

• Memory Protection
– Meltdown and Spectre
• Virtualization
• Trusted Platform Module
– Hardware security module (HSM)
• Interfaces
– Constrained or restricted
• Fault Tolerance
227
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

228
Chapter 9
Security Vulnerabilities, Threats,
and Countermeasures

229
Assess and Mitigate Security
Vulnerabilities
• Hardware
– Hardware Components
– Protection Mechanisms
– Memory
– Memory Addressing
– Secondary Memory
– Input/Output Devices
• Firmware

230 overview
Hardware Components
• Processor / central processing unit
(CPU)
• Execution types:
– Multitasking
– Multicore
– Multiprocessing: SMP and MPP
– Multiprogramming
– Multithreading
• Processing types:
– Single state
– Multistate

231
Protection Mechanisms 1/3
• Protection rings
– Kernel mode or
privileged mode
– User mode
– Mediated access/
system call

232
Protection Mechanisms 2/3
• Process states/Operating states
– OS: supervisory or problem
– Processes: Ready, Waiting, Running,
Supervisory, Stopped
– Process scheduler or program
executive

233
Protection Mechanisms 3/3
• Security Modes
– Requirements:
• MAC
• Physical control over who can access console
• Physical control over who can enter room
– Dedicated
– System high
– Compartmented
– Multilevel

234
Memory
• Read only memory (ROM)
– Programmable Read-Only Memory (PROM)
– Erasable Programmable Read-Only Memory
(EPROM)
– Electronically Erasable Programmable Read-
Only Memory (EEPROM)
– Flash
• Random access memory (RAM)
– Real
– Cache
– Registers

235
Memory Addressing
• Register
• Immediate
– Related to a register or as part of an instruction
• Direct
– Actual address of memory location
• Indirect
– An address of memory location which holds the
address of the target data
• Base plus Offset
– Base address stored in a register, offset is relative
location

236
Secondary Memory 1/2
• Magnetic, optical, or flash media
• Not immediately available to CPU
• Virtual memory
– Paging
• Security issues
– Theft, purging, physical access
• Primary vs. secondary
• Volatile vs. nonvolatile
• Random vs. sequential

237
Secondary Memory 2/2
• Data remanence
• SSD wear leveling
• Theft – encryption
• Device access control
• Data retention over use lifetime – availability

238
Input/Output Devices
• Monitors
• Printers
• Keyboards and mice
• Modems

239
Firmware
• Microcode
• Basic Input/Output System (BIOS)
• Unified Extensible Firmware
Interface (UEFI)
• Phlashing
• Device firmware
– EEPROM

240
Client-Based Systems 1/2
• Applets
– Java and JVM
– ActiveX
• Local Caches 1/2
– ARP
• ARP cache poisoning

241
Client-Based Systems 2/2
• Local Caches 2/2
– DNS
• DNS cache poisoning:
– HOSTS file
– Authorized DNS
– Caching DNS
– DNS lookup address change
– DNS query spoofing
• Defense: split DNS, IDS
– Internet files
• Temporary Internet files and cache

242
Server Based Systems
• Data flow control
• Load balancing
• Management between processes,
devices, networks, or communication
channels
• Efficient transmission with minimal
delays or latency
• Reliable throughput using hashing and
confidentiality protection with
encryption

243
Database Systems Security
• Aggregation
• Inference
• Data Mining and Data Warehousing
– Data dictionary
– Metadata
– Data mart
• Data Analytics
– Big Data
• Large-Scale Parallel Data Systems
– AMP, SMP, MPP

244
Distributed Systems and
Endpoint Security
• Host/terminal model → Client-server model
• Distributed architectures
• Endpoint security
– Screening/filtering email
– Download/upload policies
– Robust access controls
– Restricted user-interfaces
– File encryption
– (see list in book)

245
Cloud-Based Systems and
Cloud Computing 1/3
• Hypervisor, virtual machine monitor
(VMM)
– Type I hypervisor (native or bare-metal
hypervisor)
– Type II hypervisor (hosted hypervisor)
• Cloud storage
• Elasticity
• Cloud computing
– PaaS
– SaaS
– IaaS

246
Cloud-Based Systems and
Cloud Computing 2/3
• On-premise vs. hosted vs. cloud
• Private, public, hybrid, community
• Issues:
– Privacy concerns
– Regulation compliance difficulties
– Use of open/closed-source solutions
– Adoption of open standards
– Whether or not cloud-based data is
actually secured (or even securable)

247
Cloud-Based Systems and
Cloud Computing 3/3
• Cloud access security broker (CASB)
• Security as a service (SECaaS)
• Cloud shared responsibility model

248
Grid and Peer to Peer
• Grid Computing
– Parallel distributed processing
– Members can enter and leave at will
– Work content is potentially exposed publicly
– Work packets are sometimes not returned,
returned late, or returned corrupted
• Peer to Peer
– No central management system
– Services provided are usually real time
– VoIP, file distribution, A/V
streaming/distribution

249
Internet of Things
• Smart devices
• Automation, remote control, or AI
processing
• Extensions or replacements of existing
devices, equipment, or systems
• Security may not be integrated
– Top concerns: access and encryption
• Consider deploying in isolated subnet

250
Industrial Control Systems
• Distributed Control Systems (DCS)
– Manage/control industrial processes over a
large-scale deployment from a single location
• Programmable Logic Controllers (PLC)
– Single-purpose or focused-purpose digital
computers
• Supervisory Control and Data Acquisition
(SCADA)
– Stand-alone or internetworked
• Does not always properly address security

251
Assess and Mitigate Vulnerabilities in
Web-Based Systems 1/2

• eXtensible Markup Language (XML)
• Security Assertion Markup Language (SAML)
– Web-based authentication
– Single sign-on
• Open Web Application Security Project (OWASP)
• Secure Sockets Layer (SSL)/
Transport Layer Security (TLS)
• Injections (SQL, LDAP, XML), XML exploitation,
Cross-site scripting (XSS),
Cross-site request forgery (XSRF)

252
Assess and Mitigate Vulnerabilities in
Web-Based Systems 2/2

• Static vs. dynamic content
• Web applications
– Server side executables, scripts, databases
• Publicly accessed Web servers should be
hosted outside of LAN
– DMZ [or cloud hosting]
• Input validation
– Length, patterns, metacharacters
• Limit account privileges

253
Assess and Mitigate Vulnerabilities
in Mobile Systems

• Device Security
• Application Security
• BYOD Concerns

254 overview
Device Security 1/2
• Full device encryption
• Remote wiping
• Lockout
• Screen locks
• GPS
• Application control
• Storage segmentation
• Asset tracking

255
Device Security 2/2
• Inventory control
• Mobile Device Management (MDM)
• Device access control
• Removable storage
• Disabling unused features

256
Application Security
• Key management
• Credential management
• Authentication
• Geotagging
• Encryption
• Application whitelisting

257
BYOD Concerns 1/3
• Bring your own device (BYOD)
• Company owned, personally enabled
(COPE)
• Choose your own device (CYOD)
• Corporate-owned mobile strategy
• Virtual desktop infrastructure (VDI)
virtual mobile infrastructure (VMI)

258
BYOD Concerns 2/3
• Data ownership
• Support ownership
• Patch management
• Antivirus management
• Forensics
• Privacy
• Onboarding/offboarding
• Adherence to corporate policies

259
BYOD Concerns 3/3
• User acceptance
• Architecture/infrastructure
considerations
• Legal concerns
• Acceptable use policy
• Onboard camera/video

260
Assess and Mitigate Vulnerabilities in
Embedded Devices and Cyber-Physical
Systems

• Embedded system
• Static system, static environment
• Examples of embedded and static
systems
• Methods of securing

261 overview
Examples of
Embedded and Static Systems
• Network-enabled devices
• Cyber-physical systems
• Internet of Things (IoT)
• Mainframes
• Game consoles
• In-vehicle computing systems

262
Methods of Securing
• Network segmentation
• Security layers
• Application firewalls
• Manual updates
• Firmware version control
• Wrappers
• Monitoring
• Control redundancy and diversity

263
Essential
Security Protection Mechanisms

• Technical Mechanisms
• Security Policy and Computer
Architecture
• Policy Mechanisms

264 overview
Technical Mechanisms
• Layering
• Abstraction
• Data hiding
• Process isolation
• Hardware segmentation

265
Security Policy and
Computer Architecture
• Informs and guides design,
development, implementation,
testing, and maintenance
• Define rules and practices
• Addresses hardware and software

266
Policy Mechanisms
• Principle of least privilege
• Separation of privilege
• Accountability

267
Common Architecture Flaws and
Security Issues 1/2
• Covert Channels
– Covert timing channels
– Covert storage channels
• Attacks Based on Design or Coding
Flaws and Security Issues
– Trusted recovery
– Input and parameter checking
– Maintenance hooks and privileged
programs
– Incremental attacks
• Data diddling, salami (aggregation) attack

268
Common Architecture Flaws and
Security Issues 2/2
• Programming
– Sanitize input, buffer overflow, exceptions,
testing
• Timing, State Changes, and Communication
Disconnects
– Time of check to time of use (TOCTOU) attacks
• Technology and Process Integration
– Service-oriented architecture (SOA)
• Electromagnetic Radiation
– TEMPEST
– Faraday cage
– Jamming, noise generators, control zones

269
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

270
Chapter 10
Physical Security Requirements

271
Apply Secure Principles to
Site and Facility Design
• Secure Facility Plan
• Site Selection
• Visibility
• Natural Disasters
• Facility Design

272 overview
Secure Facility Plan
• Critical path analysis
• Security for basic requirements
• Technology convergence
• Include security staff in design
considerations

273
Site Selection
• Cost
• Location
• Size
• Security requirements
• Pre-existing structure or custom
construction
• Proximity to others
• Weather conditions

274
Visibility
• Surrounding terrain
• Vehicle and foot traffic
• Residential, business, or industrial
area
• Line of sight
• Crime rate
• Emergency services
• Unique local hazards

275
Natural Disasters
• Common local natural disasters
• Severe weather patterns
• Protection for workers and assets

276
Facility Design
• Based on level of security needs
• Combustibility, fire rating
• Construction materials
• Load rating
• Intrusion, emergency access, resistance
to entry
• Security architecture
• Crime Prevention through
Environmental Design (CPTED)

277
Implement Site and Facility
Security Controls
• Design concepts
• Equipment failure
• Wiring closets
• Cable plant management policy
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and HVAC considerations
• Water issues
• Fire prevention, detection, and suppression

278 overview
Design Concepts
• Administrative physical security
controls
• Technical physical security controls
• Physical controls for physical security
• Corporate vs. personal property
• Deterrence
• Denial
• Detection
• Delay

279
Equipment Failure
• Failure is inevitable
• Purchase replacement parts as
needed
• Onsite replacement warehousing
• SLA with vendors
• MTTF
• MTTR
• MTBF

280
Wiring Closets
• Premises wire distribution room
• Intermediate distribution facilities (IDF)
• Prevent physical unauthorized access
• Do not use as general storage
• Do not store flammable materials
• Use video surveillance
• Perform regular physical inspections

281
Cable Plant Management Policy

• Entrance facility
• Equipment room
• Backbone distribution system
• Telecommunications room
• Horizontal distribution system

282
Server Rooms/Data Centers
• Need not be human compatible
• Locate in core of building
• One hour minimum fire rating for walls
• Physical access control:
– Smartcards, proximity readers, IDS
• Access abuses:
– Masquerade, piggyback
• Emanation security
– Faraday cages, white noise, and control zones

283
Media Storage Facilities
• Store blank, reusable, and
installation media
• Data remnants
• Use a locked cabinet
• Have a librarian or custodian
• Check-in/check-out process
• Sanitization, zeroization

284
Evidence Storage
• Becoming important business task
• Drive images and virtual machine
snapshots
• Distinct from production
• Block Internet access
• Track all activities
• Calculate hashes of all files
• Limit access
• Encrypt stored data

285
Restricted and Work Area Security

• Operations centers
• Distinct and controlled area access
• Walls or partitions
• Shoulder surfing
• Assign classifications
• Track assets with RFID
• Sensitive Compartmented
Information Facility (SCIF)

286
Utilities and HVAC Considerations
• UPSes
– Double conversion UPS
– Line-interactive UPS
• Surge protectors
• Generators
• Fault, blackout, sag, brownout, spike,
surge, inrush, noise, transient, clean,
ground
• EMI vs. RFI
• Temperature, humidity, static

287
Water Issues
• Leakage
• Flooding
• Electrocution
• Water detection circuits
• Shutoff valves
• Drainage locations

288
Fire Prevention, Detection, and
Suppression 1/3
• Fire triangle: fuel, heat, oxygen, combustion
• Stages: Incipient, smoke, flame,
heat

289
Fire Prevention, Detection, and
Suppression 2/3
• Fire extinguisher classes:

Class   Type                  Suppression Material
A       Common combustibles   Water, soda acid
B       Liquids               CO2, halon*, soda acid
C       Electrical            CO2, halon*
D       Metal                 Dry powder

290
Fire Prevention, Detection, and
Suppression 3/3
• Fire detection systems:
– Fixed temperature, rate-of-rise, flame-
actuated, smoke-actuated
• Water suppression
– Wet pipe, dry pipe, pre-action, deluge
• Gas suppression
– CO2, Halon, FM-200, alternatives
• Damage
– Smoke, heat, suppression media

291
Implement and
Manage Physical Security
• Perimeter Security Controls
• Internal Security Controls

292 overview
Perimeter Security Controls
• Fences
• Gates
• Turnstiles
• Mantraps
• Lighting
• Security guards and dogs

293
Internal Security Controls 1/2
• Keys and combination locks
• Electronic access control (EAC) locks
• Badges
• Motion detectors
– Infrared, heat, wave pattern, capacitance,
photoelectric, passive audio
• Intrusion alarms
– Deterrent alarms, repellant alarms,
notification alarms
– Local alarm, central station, auxiliary station

294
Internal Security Controls 2/2

• Secondary verification mechanisms
• Environment and life safety
• Privacy responsibilities and legal requirements
• Regulatory requirements

295
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions

296
Chapter 11
Secure Network Architecture and
Securing Network Components

297
OSI Model
• History of the OSI Model
• OSI Functionality
• Encapsulation/Deencapsulation
• OSI Layers

298 overview
History of the OSI Model
• Developed after TCP/IP was created
• Abstract framework
• Theoretical model
• Common reference point

299
OSI Functionality
• Seven layers
• Manages information
flow
• Layers communicate
with layers directly
above and below
• Supports peer-layer
communication

300
Encapsulation/Deencapsulation
• Flow of information up or down protocol stack
• Adding of headers and footers
• Removing of headers and footers
• Calculations of checksums

301
OSI Layers
1 – Physical
2 – Data link
3 – Network
4 – Transport
5 – Session
6 – Presentation
7 – Application

302 Layer summaries
Network Facts
• Bits, frame, packet, segment,
datagram, protocol data unit (PDU)
• MAC, OUI, EUI
• Hub, switch, router
• Routing
– Distance vector, link state
• Simplex, half-duplex, full-duplex

303
TCP/IP Model
• DoD or DARPA
model
• 4 layers
– Application/
Process
– Transport/Host-to-
host
– Internet/
Internetworking
– Link

304
TCP/IP Protocol Suite Overview 1/2

305
TCP/IP Protocol Suite Overview 2/2

• TCP and UDP
– Ports: 65,536 or 0 to 65,535
• Well-known, registered, ephemeral
– TCP header flags: SYN, ACK, FIN, RST
• IPv4 vs IPv6
• ICMP
• IGMP
• ARP

306
Common Application Protocols 1/2

• Telnet
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol (POP3)
• Internet Message Access Protocol
(IMAP)
• Dynamic Host Configuration Protocol
(DHCP)

307
Common Application Protocols 2/2

• Hypertext Transfer Protocol (HTTP)
• Secure Sockets Layer (SSL)/Transport Layer Security (TLS)
• Line Print Daemon (LPD)
• X Windows
• Network File System (NFS)
• Simple Network Management Protocol
(SNMP)

308
Implications of
Multilayer Protocols
• Encapsulation
– [ Ethernet [ IP [ TCP [ HTTP ] ] ] ]
– [ Ethernet [ IP [ TCP [ SSL [ HTTP ] ] ] ] ]
– [ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ]
– [ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ] ]
– [ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]
• Double encapsulation, VLAN hopping
• Encryption, flexibility, resiliency
• Covert channels, filter bypass,
segmentation violations

309
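Encapsulation as described on the Encapsulation/Deencapsulation and Implications of Multilayer Protocols slides, as an added Python example that is not from the deck or the study guide: it builds [ Ethernet [ IP [ TCP [ payload ] ] ] ] by prepending one header per layer, computes the real IPv4 header checksum (the RFC 1071 ones' complement sum), then walks back up the stack stripping headers and validating what each layer promises. The MAC addresses, IP addresses, ports and TCP sequence numbers are constructed values, and the TCP checksum is left at zero to keep the example short.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words. Computed with the checksum
    field zeroed when sending; recomputed over the received header it yields 0
    when the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_ip: str = "192.168.0.1", dst_ip: str = "192.168.0.199",
                sport: int = 51000, dport: int = 80,
                src_mac: bytes = b"\x02\x00\x00\x00\x00\x01",
                dst_mac: bytes = b"\x02\x00\x00\x00\x00\x02") -> bytes:
    """Build [ Ethernet [ IP [ TCP [ payload ] ] ] ]: each layer prepends its header.
    Constructed defaults; TCP checksum left at 0 (a real stack computes it over a
    pseudo-header)."""
    # TCP: ports, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    total_len = 20 + len(tcp)
    ip_no_chk = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                            PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip_no_chk[:10] + struct.pack("!H", ipv4_checksum(ip_no_chk)) + ip_no_chk[12:]
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def decapsulate(frame: bytes) -> dict:
    """Strip one header per layer on the way up, checking each layer's claims."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                # header length in bytes
    (_, _, total_len, _, _, ttl, proto, _, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ip_checksum_ok = ipv4_checksum(ip[:ihl]) == 0
    if proto != PROTO_TCP:
        raise ValueError("not a TCP segment")
    tcp = ip[ihl:total_len]                 # total_len bounds the segment (ignores trailer padding)
    sport, dport, seq, _, offset_byte, flags, *_ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (offset_byte >> 4) * 4
    return {"src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
            "ip_checksum_ok": ip_checksum_ok, "sport": sport, "dport": dport,
            "seq": seq, "flags": flags, "payload": tcp[data_offset:]}


if __name__ == "__main__":
    frame = encapsulate(b"GET / HTTP/1.1\r\n")
    print(len(frame), "bytes on the wire")
    print(decapsulate(frame))
```

The checksum only detects accidental corruption; it is not an integrity control against tampering, which is why the slide's point about filter bypass and covert channels in nested headers is answered by inspecting every layer, not by trusting the checksum.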
Domain Name System 1/2
• Top-level domain (TLD)
• Registered domain name
• Subdomain or hostname
• Country codes
• HOSTS
• Primary and secondary
authoritative
• Zone file

310
Domain Name System 2/2
• Resource records
– A and AAAA
– PTR
– CNAME
– MX
– NS
– SOA
• Domain Name System Security
Extensions (DNSSEC)

311
DNS Poisoning
• Falsifying DNS data so that a client resolves a name to an attacker-controlled address
• Rogue DNS server, DNS spoofing, DNS pharming
• Query ID (QID): the 16-bit transaction ID; a spoofed reply is accepted if it guesses the QID, the resolver's source port, and the question, so both the QID and the source port must be randomized
• Altering the HOSTS file
• Corrupt IP configuration (pointing the client at an attacker's resolver)
• Proxy falsification
• Defense: filter TCP/UDP 53 so only approved resolvers are reachable, NIDS, DNSSEC (authenticates records; it does not encrypt queries)
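The checks a resolver performs before trusting a reply are what make blind poisoning hard, and the following added example (not the study guide's or any resolver's code) shows them on the wire. It builds a query with a random QID and source port, builds a legitimate reply, a forged reply with the wrong QID, and a reply carrying an extra A record for a name outside the answering server's zone; the validator rejects the last two. Names in the constructed responses are written uncompressed, but the decoder follows RFC 1035 compression pointers so it can be used on real replies. All names and addresses are constructed (RFC 2606 `.test` names, RFC 5737 addresses).

```python
import secrets
import struct

def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte (no compression)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(msg: bytes, off: int):
    """Decode a name, following RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # pointer: 11xxxxxx xxxxxxxx
            end = end if end is not None else off + 2    # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_query(qname: str, qtype: int = 1):
    """Random 16-bit QID and random source port: a blind spoofer must guess both."""
    qid = secrets.randbelow(1 << 16)
    sport = 1024 + secrets.randbelow((1 << 16) - 1024)
    hdr = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)        # RD=1, QDCOUNT=1
    return qid, sport, hdr + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_response(qid: int, qname: str, answers, qtype: int = 1) -> bytes:
    """answers: list of (owner name, IPv4 string) A records with TTL 300."""
    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, len(answers), 0, 0)   # QR=1 RD=1 RA=1
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for name, ip in answers:
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg

def in_bailiwick(rr_name: str, zone: str) -> bool:
    rr_name, zone = rr_name.lower().rstrip("."), zone.lower().rstrip(".")
    return rr_name == zone or rr_name.endswith("." + zone)

def validate_response(resp: bytes, expected_qid: int, expected_qname: str,
                      sent_port: int, recv_port: int, zone: str, qtype: int = 1):
    """Return the reasons to discard this reply; an empty list means accept it."""
    reasons = []
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if recv_port != sent_port:
        reasons.append("reply not addressed to the query's source port")
    if qid != expected_qid:
        reasons.append("transaction ID mismatch")
    if not flags & 0x8000:
        reasons.append("QR bit not set")
    if qdcount != 1:
        reasons.append("question count is not 1")
    qname, off = decode_name(resp, 12)
    rtype, rclass = struct.unpack("!HH", resp[off:off + 4])
    off += 4
    if (qname.lower(), rtype, rclass) != (expected_qname.lower().rstrip("."), qtype, 1):
        reasons.append("question section does not echo the query")
    for _ in range(ancount):
        name, off = decode_name(resp, off)
        _, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if not in_bailiwick(name, zone):   # never cache records for names outside the server's zone
            reasons.append(f"out-of-bailiwick record for {name} discarded")
    return reasons
```

With only the QID randomized an attacker who can trigger queries needs on the order of 65,536 guesses; adding source-port randomization multiplies that by the size of the port range. DNSSEC removes the guessing game entirely by signing the records, which is why it is the defense listed above.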

312
Domain Hijacking
• Domain theft
• Credential theft
• Registration of expired domain

313
Converged Protocols
• Merging of specialty or proprietary
protocols with standard protocols
• Fibre Channel over Ethernet (FCoE)
• MPLS (Multiprotocol Label Switching)
• Internet Small Computer System Interface
(iSCSI)
• Voice over IP (VoIP)
• Software-Defined Networking (SDN)
• Content Distribution Networks

314
Wireless Networks
• Securing Wireless Access Points
• Securing the SSID
• Conducting a Site Survey
• Using Secure Encryption Protocols
• Determining Antenna Placement
• Antenna Types
• Adjusting Power Level Controls
• Using Captive Portals
• General Wi-Fi Security Procedure
• Wireless Attacks
315 overview
Securing Wireless Access Points
• 802.11, 802.11a, 802.11b, 802.11g, 802.11n, 802.11ac
• 802.1X (port-based network access control)
• Infrastructure vs. ad hoc mode
– Ad hoc (peer-to-peer) mode forms an independent basic service set (IBSS) with no access point
– Infrastructure mode variants: stand-alone, wired extension, bridge
• Service set identifier (SSID)

316
Securing the SSID
• Basic service set identifier (BSSID): the MAC address of the access point
• Extended service set identifier (ESSID): the network name shared by the access points of one wireless LAN
• Disable SSID broadcast
– Removes the name from beacon frames only; probe and association frames still carry it, so this is obscurity, not a security control
• Beacon frame

317
Conducting a Site Survey
• Signal strength measurements
• Used to optimize deployment of
base stations
• Minimize external access

318
Using Secure Encryption Protocols
1/2
• Open system authentication (OSA) and shared key authentication (SKA)
• Wired Equivalent Privacy (WEP): RC4 with a 24-bit IV; broken, the key is recoverable in minutes
• Wi-Fi Protected Access (WPA)
– Temporal Key Integrity Protocol (TKIP): still RC4-based, deprecated
• Wi-Fi Protected Access 2 (WPA2) or 802.11i
– Counter Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP), AES-based
– KRACK (Key Reinstallation AttaCKs): a 4-way handshake flaw fixed by client and AP patches, not by a new protocol

319
Using Secure Encryption Protocols
2/2
• 802.1X/EAP: the supplicant authenticates to a RADIUS server through the access point
– Extensible Authentication Protocol (EAP)
• Protected Extensible Authentication Protocol (PEAP): EAP carried inside a TLS tunnel
• Lightweight Extensible Authentication Protocol (LEAP): Cisco proprietary and weak (offline dictionary attack on its MS-CHAP exchange); do not deploy
• MAC filter: bypassed by spoofing an allowed MAC address observed on the air

320
Determining Antenna Placement
• Based on site survey
• Centrally located
• Avoid emanation obstructions
• Avoid emanation reflective surfaces

321
Antenna Types
• Omnidirectional
• Unidirectional
• Yagi
• Cantenna
• Panel
• Parabolic

322
Adjusting Power Level Controls

• Set by manufacturer
• May be adjustable in software
• Based on site survey results
• Maintain reliable connections
internally
• Minimize connections externally

323
WPS
• Wi-Fi Protected Setup (WPS)
• Base station button or 8-digit PIN
• Enabled by default on many consumer access points
• The PIN is verified in two halves (the first four digits, then the last four, whose final digit is a checksum), so roughly 11,000 guesses cover the whole space: online brute force succeeds in under 6 hours
• Disable WPS, or at least its PIN method

324
Using Captive Portals
• Authorization system
• Forced interaction with control
page
• May require payment, logon
credentials, or access code
• Displays use policies
• Often found on public access
wireless networks

325
General Wi-Fi Security Procedure
• Change the default administrator password
• Disable SSID broadcast
• Change the SSID
• Enable MAC filtering
• Consider using static IP addresses
– The four items above are hygiene, not protection: the SSID and the allowed MAC addresses are visible on the air and trivially spoofed
• Use WPA2 with CCMP (AES); never WEP or TKIP
• Use 802.1X/EAP rather than a shared passphrase where possible
• Use a firewall, VPN, IDS

326
Wireless Attacks
• War driving
• War chalking
• Replay
• Initialization vector (IV) attacks, e.g., recovering a WEP key from reused 24-bit IVs
• Rogue access points
• Evil twin

327
Secure Network Components

• Intranets, extranets
• Network segmentation
• Boost performance
• Reduce communication issues
• Provide security
• VLANs, routers, firewalls
• DMZ

328
Network Access Control
• Prevent/reduce zero-day attacks
• Enforce security policy
• Use identities to perform access
control
• Preadmission vs. postadmission

329
Firewalls
• Filtering between network segments
• Static packet filtering
• Application-level gateway
• Circuit-level gateway
• Stateful inspection
• Deep packet inspection firewalls
• Next-gen firewalls
• Multihomed
• Deployment architectures

330
Firewall Deployment Architectures
1/2

331
Firewall Deployment Architectures
2/2

332
Endpoint Security
• Local security on each device
• Reduce network weaknesses
• Use appropriate security measures
on every system

333
Secure Operation of Hardware
• Collisions vs. broadcasts
• Repeaters, concentrators, amplifiers
• Hubs
• Modems
• Bridges, switches
• Routers, brouters
• Gateways
• Proxies
• LAN extenders

334
Cabling, Wireless, Topology, and
Communications Technology

• Transmission media
• Network topologies
• Wireless communications and
security
• LAN technologies

335 overview
Transmission Media
• LAN vs. WAN
• Coax
• Baseband and broadband cables
• Twisted pair
– STP, UTP, categories
• Fiber optic
• Conductors
• 5-4-3 rule

336
Network Topologies
• Ring
• Bus
• Star
• Mesh

337
Wireless Communications and
Security
• Radio wave based communications
– Frequency, Hertz (Hz)
• FHSS, DSSS, OFDM
• Cell phones
• Bluetooth (IEEE 802.15)
• Radio Frequency Identification (RFID)
• Near-field communication (NFC)
• Cordless phones
• Mobile devices

338
LAN Technologies
• Ethernet
• Token Ring
• Fiber Distributed Data Interface (FDDI)
• Analog vs. Digital
• Synchronous vs. Asynchronous
• Baseband vs. Broadband
• Broadcast, Multicast, Unicast
• LAN Media Access
– CSMA, CSMA/CD, CSMA/CA, Token passing,
Polling

339
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

340
Chapter 12
Secure Communications and Network Attacks

341
Network and Protocol Security
Mechanisms
• Secure Communications Protocols
• Authentication Protocols

342 overview
Secure Communications Protocols

• IPSec
• Kerberos
• Secure Shell (SSH)
• Signal Protocol
• Secure Remote Procedure Call (S-RPC)
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)

343
Authentication Protocols
• Challenge Handshake
Authentication Protocol (CHAP)
• Password Authentication Protocol
(PAP)
• Extensible Authentication Protocol
(EAP)

344
Secure Voice Communications
• Voice over Internet Protocol (VoIP)
– Weaknesses and attacks
– Secure Real-Time Transport Protocol (SRTP)
• Social Engineering
– In person, over the phone, e-mail, IM, social
networks
• PBX Fraud and Abuse
– Direct Inward System Access (DISA)
– Phreakers
– Black box, Red box, Blue box, White box
(DTMF)

345
Multimedia Collaboration
• Remote Meeting
• Instant Messaging

346
Manage Email Security
• Email Security Goals
• Understand Email Security Issues
• Email Security Solutions

347 overview
Email Security Goals
• SMTP, POP, IMAP
• Open relay, closed relay,
authenticated relay
• Nonrepudiation
• Restrict access
• Integrity
• Verify delivery
• Confidentiality

348
Understand Email Security Issues

• Lack of encryption
• Delivery vehicle for malware
• Lack of source verification
• Flooding
• Attachments

349
Email Security Solutions
• Secure Multipurpose Internet Mail
Extensions (S/MIME)
• MIME Object Security Services (MOSS)
• Privacy Enhanced Mail (PEM)
• DomainKeys Identified Mail (DKIM)
• Pretty Good Privacy (PGP)
• Opportunistic TLS for SMTP Gateways
• Sender Policy Framework (SPF)
• Reputation filtering

350
Remote Access Security
Management
• Remote Access and Telecommuting
Techniques
• Plan Remote Access Security
• Dial-Up Protocols
• Centralized Remote Authentication
Services

351 overview
Remote Access and
Telecommuting Techniques
• Service specific
• Remote control
• Screen scraper/scraping
• Remote node operation

352
Plan Remote Access Security
• POTS/PSTN, VoIP, VPN
• Authentication, remote access
justification, encrypted for
confidentiality
• Monitor for abuses
• Remote connectivity technology
• Transmission protection
• Authentication protection
• Remote user assistance

353
Dial-Up Protocols
• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)

354
Centralized Remote
Authentication Services
• Remote Authentication Dial-In User
Service (RADIUS)
• Terminal Access Controller Access-Control System Plus (TACACS+)
– Predecessors: TACACS, XTACACS

355
Virtual Private Network
• Tunneling
• How VPNs Work
• Common VPN Protocols
– PPTP, L2F, L2TP, IPSec
– SSH, TLS

• Virtual LAN

356
Virtualization
• Hypervisors
– VM escaping
• Virtual Software
– Virtual applications
– Virtual desktop
• Virtual Networking
– Software Defined Network (SDN)
– Network virtualization
– Virtual SAN

357
Network Address Translation
• Private IP Addresses (RFC 1918)
– 10.0.0.0 – 10.255.255.255 (10.0.0.0/8, a full Class A range)
– 172.16.0.0 – 172.31.255.255 (172.16.0.0/12, 16 Class B ranges)
– 192.168.0.0 – 192.168.255.255 (192.168.0.0/16, 256 Class C ranges)
• Stateful NAT
• Port Address Translation (PAT)
• Static and Dynamic NAT
• Automatic Private IP Addressing (APIPA)
– 169.254.x.y (169.254.0.0/16, assigned when no DHCP server answers)
• Loopback Address
– 127.0.0.1 (the whole 127.0.0.0/8 block)
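Stateful NAT and PAT are easiest to understand as a translation table: an outbound packet creates an entry, the reply is matched against it, and anything that matches nothing is dropped. The following added example (not from the study guide) models a PAT gateway with one public address, classifies the inside address against the ranges listed above, and shows why an unsolicited inbound packet never reaches an inside host. The `PatGateway` class and the port numbers are assumptions for illustration; the addresses are RFC 1918 and RFC 5737 values.

```python
import ipaddress

# Address ranges from the slide above.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA = ipaddress.ip_network("169.254.0.0/16")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def classify(addr: str) -> str:
    """Name the range an IPv4 address falls in (useful in log triage and in SSRF allow-lists)."""
    a = ipaddress.ip_address(addr)
    if a in LOOPBACK:
        return "loopback"
    if a in APIPA:
        return "link-local (APIPA)"
    if any(a in n for n in PRIVATE):
        return "private (RFC 1918)"
    return "public"

class PatGateway:
    """Port Address Translation: many inside addresses share one public address,
    distinguished by the public-side port that the gateway allocates per flow."""

    def __init__(self, public_ip: str, first_port: int = 20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.reverse = {}    # (public port, dst_ip, dst_port) -> (inside_ip, inside_port)

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int):
        """Translate an inside-to-outside packet, creating state on first sight of the flow."""
        if classify(src_ip) != "private (RFC 1918)":
            raise ValueError(f"{src_ip} is not an RFC 1918 inside address")
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.table:
            public_port, self.next_port = self.next_port, self.next_port + 1
            self.table[key] = public_port
            self.reverse[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip: str, src_port: int, dst_port: int):
        """Translate an outside-to-inside packet; with no matching state it is dropped (None)."""
        entry = self.reverse.get((dst_port, src_ip, src_port))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return (src_ip, src_port, inside_ip, inside_port)
```

The reverse lookup keys on the remote address and port as well as the allocated public port, which is what makes the gateway "stateful": a packet from a different remote peer to the same public port is not an answer to anything and is discarded. Real gateways also expire entries after an idle timeout, which is why long-lived inbound connections through PAT need keep-alives or static mappings.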

358
Switching Technologies
Circuit Switching               Packet Switching
Constant traffic                Bursty traffic
Fixed, known delays             Variable delays
Connection oriented             Connectionless
Sensitive to connection loss    Sensitive to data loss
Used primarily for voice        Used for any type of traffic
• Virtual Circuits
– PVCs and SVCs

359
WAN Technologies 1/2
• WAN Connection Technologies 1/2
– Dedicated vs. Nondedicated
– DS-0, DS-1, DS-3, T1, T3
– ISDN
• BRI vs. PRI
– Channel Service Unit/Data Service Unit
(CSU/DSU)
– Data Terminal Equipment/Data Circuit-
Terminating Equipment (DTE/DCE)
– X.25

360
WAN Technologies 2/2
• WAN Connection Technologies 2/2
– Frame Relay
• Committed Information Rate (CIR)
– ATM
– Switched Multimegabit Data Service
(SMDS)
– Synchronous Digital Hierarchy (SDH)
– Synchronous Optical Network (SONET)
– SDLC, HDLC

361
Miscellaneous Security Control
Characteristics
• Transparency
• Verify Integrity
• Transmission Mechanisms
– Logging
– Error correction

362
Security Boundaries
• Areas of different security
requirements
• Classifications
• Physical vs. logical
• Should be clearly defined

363
Prevent or Mitigate Network
Attacks
• DoS and DDoS
• Eavesdropping
• Impersonation/masquerading
• Replay attacks
• Modification attacks
• Address resolution protocol spoofing
• DNS poisoning, spoofing, and hijacking
• Hyperlink spoofing

364
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

365
Chapter 13
Managing Identity and Authentication

366
Controlling Access to Assets
• Assets:
– Information, systems, devices, facilities,
personnel
• Comparing Subjects and Objects
• The CIA Triad
• Types of Access Control
– Preventive, detective, corrective
– Deterrent, recovery, directive, compensating
– Administrative, logical/technical, physical

367
Comparing Identification and
Authentication 1/5
• Identification and Authentication
• Registration and Proofing of Identity
• Authorization and Accountability
• Authentication Factors
– Type 1: Something you know
– Type 2: Something you have
– Type 3: Something you are
– Somewhere you are
– Context-aware authentication

368
Comparing Identification and
Authentication 2/5
• Passwords
– Strong passwords
• Age, complexity, length, history
– Passphrases
– Cognitive
• Smartcards
– Common Access Card (CAC)
– Personal Identity Verification (PIV)
card

369
Comparing Identification and
Authentication 3/5
• Tokens
– One-time passwords
– Synchronous dynamic password tokens (time-based; the token and server share a clock)
– Asynchronous dynamic password tokens (challenge/response or counter-based)
• Two-step authentication
– HMAC-based One-Time Password (HOTP, RFC 4226): counter-based
– Time-based One-Time Password (TOTP, RFC 6238): HOTP with the counter derived from the clock
– Email or SMS PIN challenge (weakest option: SMS can be intercepted or redirected by SIM swapping)

370
Comparing Identification and
Authentication 4/5
• Biometrics
– Fingerprints, face, retina, iris, palm, hand
geometry, heart/pulse, voice, signature,
keystroke
– Errors:
• Type 1: False Rejection Rate (FRR)
• Type 2: False Acceptance Rate (FAR)
• Crossover error rate (CER)
• Enrollment
• Reference profile/template
• Throughput rate

371
Comparing Identification and
Authentication 5/5

• Multifactor Authentication
• Device Authentication
– Device fingerprinting
– 802.1X
• Service Authentication
– Application accounts

372
Implementing Identity
Management 1/2
• Centralized vs. decentralized
• Single Sign-On
– LDAP and PKI
– Kerberos
• KDC, TGT, ST
– Federated Identity Management
• Security Assertion Markup Language (SAML),
Service Provisioning Markup Language (SPML),
Extensible Access Control Markup Language
(XACML)
• OAuth 2.0, OpenID, OpenID Connect
– Scripted access

373
Implementing Identity
Management 2/2
• Credential Management Systems
• Integrating Identity Services
– Identity and access as a service (IDaaS)
• Managing Sessions
• AAA Protocols
– Remote Authentication Dial-in User Service
(RADIUS)
– Terminal Access Controller Access-Control System Plus (TACACS+)
– Diameter

374
Managing the Identity and
Access Provisioning Lifecycle
• Provisioning
• Account Review
– Excessive privilege
– Privilege creep
• Account Revocation

375
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

376
Chapter 14
Controlling and Monitoring Access

377
Comparing Access Control Models
• Comparing Permissions, Rights, and
Privileges
• Understanding Authorization
Mechanisms
• Defining Requirements with a Security
Policy
• Implementing Defense in Depth
• Summarizing Access Control Models
• Discretionary Access Controls
• Nondiscretionary Access Controls

378 overview
Comparing Permissions, Rights,
and Privileges
• Permissions
– Access granted for an object
• Rights
– Ability to take action on an object
• Privileges
– Combination of rights and permissions

379
Understanding Authorization
Mechanisms
• Implicit deny
• Access control matrix
• Capability tables
• Constrained interface
• Content-dependent control
• Context-dependent control
• Need to know
• Least privilege
• Separation of duties and
responsibilities

380
Defining Requirements with a
Security Policy
• Clarifies requirements
• Shows senior leadership support
• Sets guidelines and parameters

381
Implementing Defense in Depth
• Protects against single-focused attacks
• Document in security policy
• Personnel are key
• Uses a combined solution approach

382
Summarizing
Access Control Models
• Discretionary Access Control (DAC)
• Role-Based Access Control (RBAC)
• Rule-based access control (rule-BAC)
• Attribute-Based Access Control (ABAC)
• Mandatory Access Control (MAC)

383
Discretionary Access Controls
• The owner, creator, or custodian of an object defines access to it
• Based on identity
• Uses ACLs on each object
• Not centrally managed
• Supports change

384
Nondiscretionary Access Controls

• Centrally administered
• Changes affect entire environment
• Not based on identity, instead uses
rules
• Less flexible

385
Role Based Access Control
• Based on subject’s role or assigned
tasks
• Enforces principle of least privilege
• Related to job descriptions and work
functions
• Useful in dynamic environments
• Often implemented using groups (via
DAC)
• Task-based access control (TBAC)

386
Rule-Based Access Controls
• Rules, restrictions, filters
• Global rules apply to all subjects
• Firewall and router rules/filters

387
Attribute-Based Access Controls
• Attributes (characteristics) of the subject, object, action, or environment determine which rules apply
• Attributes can relate to users, groups, network, or devices

388
Mandatory Access Control
• Based on classifications
• Top Secret, Secret, Confidential
• Confidential/Proprietary, Private,
Sensitive, Public
• Need to know
• Prohibitive rather than permissive
• Hierarchical
• Compartmentalization
• Hybrid
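A MAC decision is a comparison of two labels on a lattice, which is why it is prohibitive by default: unless the lattice relation holds, the answer is no. The following added example (not the study guide's code) encodes a label as one hierarchical level plus a set of compartments (need to know), implements the "dominates" relation, and applies the two Bell-LaPadula confidentiality rules (no read up, no write down) to it. The commercial level names are the ones on the slide; the compartment names and the `environment_kind` helper, which tells hierarchical, compartmentalized, and hybrid environments apart, are illustrative assumptions.

```python
from dataclasses import dataclass

# Ordered sensitivity levels; the commercial set from the slide. The government hierarchy
# (Unclassified < Confidential < Secret < Top Secret) works with the same logic.
LEVELS = {"Public": 0, "Sensitive": 1, "Private": 2, "Confidential": 3}

@dataclass(frozen=True)
class Label:
    """A security label: one hierarchical level plus zero or more compartments (need to know)."""
    level: str
    compartments: frozenset = frozenset()

def dominates(a: Label, b: Label) -> bool:
    """a dominates b when a's level is at least b's and a holds every compartment b has."""
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments

def mac_decision(subject: Label, obj: Label, action: str) -> bool:
    """Prohibitive by default: only accesses the lattice permits return True.
    read  -> the subject must dominate the object   (no read up)
    write -> the object must dominate the subject   (no write down)"""
    if action == "read":
        return dominates(subject, obj)
    if action == "write":
        return dominates(obj, subject)
    return False   # any other action: implicit deny

def environment_kind(labels) -> str:
    """Hierarchical: levels only. Compartmentalized: compartments only. Hybrid: both vary."""
    levels = {label.level for label in labels}
    compartments = {label.compartments for label in labels}
    if len(levels) > 1 and len(compartments) > 1:
        return "hybrid"
    if len(compartments) > 1:
        return "compartmentalized"
    return "hierarchical"
```

Note that a subject cleared to the highest level still cannot read an object whose compartment it lacks: clearance and need to know are checked together, and the second one is what compartmentalization adds on top of a plain hierarchy.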

389
Understanding Access Control
Attacks
• Risk Elements
• Identifying Assets
• Identifying Threats
• Threat Modeling Approaches
• Identifying Vulnerabilities
• Common Access Control Attacks
• Summary of Protection Methods

390 overview
Risk Elements
• Risk
• Assets
• Threat
• Vulnerability
• Risk Management

391
Identifying Assets
• Asset valuation
• Tangible value
• Intangible value
• Cost-benefit analysis

392
Identifying Threats
• Threat modeling
• Secure by Design, Secure by Default,
Secure in Deployment and
Communication (SD3+C)
• Goals:
– Reduce number of defects
– Reduce severity of remaining defects
• Advanced Persistent Threat (APT)

393
Threat Modeling Approaches
• Focused on assets
• Focused on attackers
• Focused on software

394
Identifying Vulnerabilities
• Vulnerability analysis
• Weakness to threat
• Technical and administrative
• Vulnerability scans

395
Common Access Control
Attacks 1/2
• Impersonation
• Access aggregation
• Password
– Dictionary
– Brute force
– Birthday
– Rainbow table
• Sniffer

396
Common Access Control
Attacks 2/2
• Spoofing
• Social engineering
– Phishing
• Drive-by download
– Spear phishing
– Whaling
– Vishing
• Smartcard
– Side-channel attack

397
Summary of Protection Methods
• Control physical access and electronic access
• Create a strong password policy
• Hash and salt passwords
• Use password masking
• Deploy multifactor authentication
• Use account lockout controls
• Use last logon notification
• Educate users about security
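"Hash and salt passwords" defeats the rainbow-table attack listed two slides earlier, and the following added example (not the study guide's code) shows why. It stores passwords with PBKDF2-HMAC-SHA256 and a per-user random salt, verifies them in constant time, and then contrasts that with the unsalted SHA-256 that a precomputed table is built against: the table finds the unsalted digest at once and has nothing to match against the salted record. The 600,000-iteration cost is an assumption (the OWASP 2023 recommendation for this function); tune it so one verification costs around 100 ms on the authenticating hardware.

```python
import hashlib
import hmac
import os

# Assumption: 600,000 PBKDF2-HMAC-SHA256 iterations; tune to ~100 ms per verification.
ITERATIONS = 600_000

def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm, cost, per-user random salt, derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost; compare in constant time (no timing oracle)."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)

def unsalted_sha256(password: str) -> str:
    """What a weak scheme stores: one fast, salt-free hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def precomputed_table(wordlist) -> dict:
    """A toy stand-in for a rainbow table: digest -> plaintext, built once, reused everywhere."""
    return {unsalted_sha256(word): word for word in wordlist}

def lookup(table: dict, digest_hex: str):
    """Table hit means the password is recovered without any further hashing."""
    return table.get(digest_hex)
```

The salt does not need to be secret; it only needs to be unique, so that every user's record would require its own precomputed table. The iteration count is what makes a dictionary attack against a stolen record slow, and it is the parameter to raise as hardware gets faster, which is why the record carries it.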

398
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

399
Chapter 15
Security Assessment and Testing

400
Building a Security Assessment and
Testing Program

• Security Testing
– Verify controls are functioning
properly
• Security Assessments
– Comprehensive review of security
infrastructure
• Security Audits
– Independent assessment of security
by third party

401
Review Security Controls 1/2
• Availability of security testing resources
• Criticality of the systems and applications
protected by the tested controls
• Sensitivity of information contained on
tested systems and applications
• Likelihood of a technical failure of the
mechanism implementing the control
• Likelihood of a misconfiguration of the
control that would jeopardize security

402
Review Security Controls 2/2
• Risk that the system will come under
attack
• Rate of change of the control
configuration
• Other changes in the technical
environment that may affect the
control performance
• Difficulty and time required to perform
a control test
• Impact of the test on normal business
operations

403
Security Audits 1/2
• Internal audits
• External audits
• Third-party audits
– American Institute of Certified Public Accountants (AICPA): Statement on Standards for Attestation Engagements document 16 (SSAE 16), “Reporting on Controls at a Service Organization”; superseded by SSAE 18 in 2017, with the reports now issued as SOC 1 and SOC 2
• Type I reports describe the controls as designed at a point in time
• Type II reports address the operating effectiveness of the controls over a period (typically 6 to 12 months)

404
Security Audits 2/2
• Auditing Standards
– Control Objectives for Information and
related Technologies (COBIT)
– International Organization for
Standardization (ISO) ISO 27001

405
Performing Vulnerability
Assessments 1/3
• Describing Vulnerabilities: Security
Content Automation Protocol (SCAP)
– Common Vulnerabilities and Exposures (CVE)
– Common Vulnerability Scoring System (CVSS)
– Common Configuration Enumeration (CCE)
– Common Platform Enumeration (CPE)
– Extensible Configuration Checklist Description
Format (XCCDF)
– Open Vulnerability and Assessment Language
(OVAL)

406
Performing Vulnerability
Assessments 2/3
• Vulnerability Scans
– Network discovery scans
• TCP SYN, TCP Connect, TCP ACK, XMAS
– Network vulnerability scans
• False positive vs. false negative
– Web application vulnerability scans
– Database vulnerability scanning
– Vulnerability Management Workflow
• Detection, validation, remediation

407
Performing Vulnerability
Assessments 3/3
• Penetration Testing
– Phases:
• Planning, information gathering and
discovery, vulnerability scanning,
exploitation, reporting
– Forms:
• White box
• Gray box
• Black box

408
Testing Your Software
• Code Review and Testing
• Interface Testing
• Misuse Case Testing
• Test Coverage Analysis
• Website Monitoring

409 overview
Code Review and Testing
• Code review
• Peer review
• Fagan inspections
– When code flaws may have catastrophic
impact
– Planning, overview, preparation,
inspection, rework, follow-up
• Static testing vs. dynamic testing
• Fuzz testing
– Mutation, generational, bit flipping

410
Interface Testing
• Needed with complex software
• Application programming interfaces
(APIs)
• User interfaces
• Physical interfaces
• Design flexible interfaces without
introducing more security risks

411
Misuse Case Testing
• User activity prediction
• Abuse case testing
• Known misuses
• Manual and automated misuse
attacks

412
Test Coverage Analysis
• Impossible to completely test software
• Too many ways to malfunction or
undergo attack
• Estimate the degree of testing
conducted
• Test coverage analysis:
– Branch, condition, function, loop, statement

413
Website Monitoring
• Performance management,
troubleshooting, identification of
potential security issues
• Passive monitoring
– Real user monitoring (RUM)
– Detect issues after occurrence
• Synthetic monitoring (active
monitoring)
– Detect issues before occurrence

414
Implementing
Security Management Processes

• Log Reviews
– Security information and event management
(SIEM)
• Account Management
– Review/audit of accounts and privileges
• Backup Verification
• Key Performance and Risk Indicators
– Open vulnerabilities, time to resolve,
reoccurrence, number of compromised
accounts, number of flaws, repeated
findings, visits of malicious sites

415
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

416
Chapter 16
Managing Security Operations

417
Applying Security Operations
Concepts
• Need to Know and Least Privilege
• Separation of Duties and
Responsibilities
• Job Rotation
• Mandatory Vacations
• Privileged Account Management
• Managing the Information Life Cycle
• Service-Level Agreements
• Addressing Personnel Safety and
Security

418 overview
Need to Know and Least Privilege

• Need to Know
– Work task related access
– Often related to clearance
• The Principle of Least Privilege
• Entitlement
• Aggregation
• Transitive Trust

419
Separation of Duties and
Responsibilities
• No single person with total control
• Separation of privilege
– Applications and processes
• Segregation of duties
– Avoids conflicts of interest
– See Figure 16.1
• Two-person control

420
Job Rotation
• Related to privilege management
• Rotation of duties
• Peer review
• Reduce fraud
• Cross-training

421
Mandatory Vacations
• One or two week increments
• No local or remote access
• Peer review
• Detect fraud
• Deterrent and detection

422
Privileged Account Management
• Special access or elevated rights
• Administrative and sensitive job tasks
• Privileged entities
• Monitoring is essential
• Trusted employees

423
Managing the
Information Lifecycle
• Creation or capture
• Classification
• Storage
• Usage
• Archive
• Destruction or purging

424
Service-Level Agreements
• SLAs
• Memorandum of understanding
(MOU)
• Interconnection Security
Agreement (ISA)
• NIST SP 800-47
– “Security Guide for Interconnecting
Information Technology Systems”

425
Addressing Personnel
Safety and Security
• Exit doors
– Fail-safe vs. fail-secure doors
• Duress systems and code phrases
• Travel safety
– Sensitive data
– Malware and monitoring devices
– Free WiFi and VPNs
• Emergency management
• Security training and awareness

426
Securely Provisioning Resources
• Managing Hardware and Software Assets
• Protecting Physical Assets
• Managing Virtual Assets
• Managing Cloud-Based Assets
• Media Management

427 overview
Managing Hardware and
Software Assets
• Hardware inventories
• RFID tracking
• Sanitize before disposal
• Portable media management
• Software licensing

428
Protecting Physical Assets
• Includes building and contents
• Fences
• Barricades
• Locked doors
• Guards
• Security cameras / CCTV
• Building design and layout

429
Managing Virtual Assets
• Virtualization
• Software-defined assets
• Virtual machines (VMs)
• Virtual desktop infrastructure (VDI)
• Software-defined networks (SDN)
• Virtual storage area networks
(VSAN)
• Hypervisor

430
Managing Cloud-based Assets
• Resources are located outside of direct
control
• DoD Cloud Computing Security
Requirements Guide
• Cloud service provider (CSP)
• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)
• Public, private, hybrid, community

431
Media Management
• Protect media itself and data stored on
media
• Tape media
• USB flash drives
• Mobile devices
– Choose your own device (CYOD)
– Bring your own device (BYOD)
– Mobile device management (MDM)
• Media life cycle
– Mean time to failure (MTTF)

432
Managing Configuration
• Baselining
• Using Images for Baselining

433
Managing Change
• Change management helps reduce
unanticipated outages caused by
unauthorized changes
• Security impact analysis
– Request, review, approve/reject, test,
schedule/implement, document
– Security assurance requirements (SAR)
• Versioning
• Configuration documentation

434
Managing Patches and
Reducing Vulnerabilities
• Systems to Manage
– End devices, servers, network devices,
embedded devices, IoT
• Patch Management
– Evaluate, Test, Approve, Deploy, Verify
• Vulnerability Management
– Scanners and assessments
– Vulnerability assessments
• Common Vulnerabilities and Exposures
(CVE)

435
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

436
Chapter 17
Preventing and Responding to Incidents

437
Managing Incident Response
• Defining an Incident
• Incident Response Steps

438 overview
Defining an Incident 1/2
• Any negative effect on CIA
• Unplanned interruption to IT
• Computer security incident
• RFC 2350 “Expectations for Computer
Security Incident Response”
– “Any adverse event which compromises
some aspect of computer or network
security.”
• NIST SP 800-61
– Computer Security Incident Handling
Guide

439
Defining an Incident 2/2
• Any attempted network intrusion
• Any attempted denial-of-service
attack
• Any detection of malicious software
• Any unauthorized access of data
• Any violation of security policies

440
Incident Response Steps
• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons Learned

441 overview
IR Step: Detection
• Detecting actual or potential
incidents
• IDSes, AV, audits, automated tools,
end users
• First responders

442
IR Step: Response
• Based on severity of incident
• Computer incident response team
(CIRT)/computer security incident
response team (CSIRT)
• Faster response limits damage

443
IR Step: Mitigation
• Contain the incident
• Limit the effect or scope
• May involve disconnecting from the
network
• Actions in this step may be noticed
by an attacker

444
IR Step: Reporting
• Internal and external notification
• May be mandated by regulation
• PII violations are of critical concern
in many jurisdictions
• Relevant training is needed to properly recognize and report incidents

445
IR Step: Recovery
• Evidence collection should be
completed before recovery efforts
• Recovery is to return the
environment to a normal state or
condition
• Security should be restored to an
equal or greater level than before
the incident

446
IR Step: Remediation
• Analyze the incident to determine
the cause
• Implement countermeasures to
prevent a recurrence
• Root-cause analysis

447
IR Step: Lessons Learned
• Determine what can be learned from
the incident and the response
• Focus on improving future response
• May highlight need for additional
training
• May require adjustment of security
infrastructure
• CIRT submits analysis and
recommendations report to
management

448
Implementing Detective and
Preventive Measures
• Basic Preventive Measures
• Understanding Attacks
• Intrusion Detection and Prevention
Systems
• Specific Preventive Measures

449 overview
Basic Preventive Measures
• Keep systems and applications up-to-date
• Remove or disable unneeded services and
protocols
• Use intrusion detection and prevention
systems
• Use up-to-date anti-malware software
• Use firewalls
• Implement configuration and system
management processes

450
Understanding Attacks 1/2
• Botnets
• Denial of service
– Distributed denial-of-service (DDoS)
– Distributed reflective denial-of-service
(DRDoS)
• SYN flood attack
• Smurf and Fraggle attacks
• Ping flood
• Ping of Death
• Teardrop

451
Understanding Attacks 2/2
• LAND attack
• Zero-day exploit
• Malicious code
– Drive-by download
– Malvertising
• Man-in-the-middle
• War dialing
• Sabotage
• Espionage

452
Intrusion Detection and
Prevention Systems
• IDS, IPS, IDPS
• NIST SP 800-94 Guide to Intrusion
Detection and Prevention Systems
• Knowledge and behavior-based
detection
• SIEM systems
• IDS response
– Active vs. passive
• Host and network IDS
• Intrusion prevention systems

453
Specific Preventive Measures
• Honeypots/honeynets
• Pseudo flaw
• Padded cell
• Warning banners
• Anti-malware
• Whitelisting and blacklisting
• Firewalls
• Sandboxing

454
Third-Party Security Services
• Payment Card Industry Data
Security Standard (PCI DSS)
• SaaS cloud security
• Penetration testing
– Risks
– Obtaining permission
– Black box, white box, gray box
– Reports
– Ethical hacking

455
Logging, Monitoring, and Auditing
• Logging and Monitoring
• Monitoring Techniques
• Egress Monitoring
• Auditing to Assess Effectiveness
• Security Audits and Reviews
• Reporting Audit Results

456 overview
Logging and Monitoring
• Security logs, system logs, application logs,
firewall logs, proxy logs, change logs
• Protecting log data
• FIPS 200, audit log security requirements
• Audit trails
• Monitoring and accountability
• Monitoring and investigations
• Monitoring and problem identification

457
Monitoring Techniques
• Log analysis
• Security Information and Event
Management (SIEM)
• Security Event Management (SEM)
• Security Information Management
(SIM)
• Sampling or data extraction
• Clipping levels
• Keystroke monitoring
• Traffic and trend analysis

458
Egress Monitoring
• Data loss prevention (DLP)
– Network-based DLP
– Endpoint-based DLP
• Steganography
• Watermarking

459
Auditing to Assess Effectiveness

• Auditing, auditors
• Methodical examination
• Compliance
• Inspection audits
• Access review audits
• User entitlement audits
• Audits of privileged groups
– High-level administrators
– Dual administrator accounts

460
Security Audits and Reviews
• Patch management
• Vulnerability management
• Configuration management
• Change management

461
Reporting Audit Results
• Purpose, scope, results
• Problems, events, and conditions
• Standards, criteria, and baselines
• Causes, reasons, impact, and effect
• Recommended solutions and
safeguards
• Protecting audit results
• Distributing audit reports
• Using external auditors

462
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

463
Chapter 18
Disaster Recovery Planning

464
The Nature of Disaster
• Natural Disasters
– Earthquakes
– Floods, storms, fires
– Regional events
• Man-Made Disasters
– Fires
– Acts of terrorism
– Bombings/explosions
– Power outages
– Network/utility/infrastructure failures
– Hardware/software failures
– Strikes/picketing
– Theft/vandalism

465
Understand System Resilience and
Fault Tolerance
• Fault Tolerance and System Resilience
• Protecting Hard Drives
• Protecting Servers
• Protecting Power Sources
• Trusted Recovery
• Quality of Service

466 overview
Fault Tolerance and
System Resilience
• Single point of failure (SPOF)
• Fault tolerance
• System resilience

467
Protecting Hard Drives
• RAID-0
• RAID-1
• RAID-5
• RAID-10
• Hardware vs. software
• Hot swapping vs. cold swapping

468
Protecting Servers
• Failover clusters
• Load balancing
• Scalability
• Replication between members

469
Protecting Power Sources
• UPS
• Spike, sag, surge, brownout
• Transient
• Generators

470
Trusted Recovery
• Assurance after failure or crash
• Fail-secure, fail-open
• Preparation
• System recovery
– Reboot into non-privileged state, restore all affected files to pre-failure settings/values
• Manual recovery, automated recovery
• Automated recovery without undue loss
• Function recovery

471
Quality of Service
• Bandwidth
• Latency
• Jitter
• Packet loss
• Interference
• Prioritization

472
Recovery Strategy
• Business Unit and Functional Priorities
• Crisis Management
• Emergency Communications
• Workgroup Recovery
• Alternate Processing Sites
• Mutual Assistance Agreements
• Database Recovery

473 overview
Business Unit and Functional Priorities
• Prioritization
• Mission critical business functions/units
• Detailed ordered list of business processes
• Priority based on:
– Risk
– Cost assessment
– Mean time to recovery (MTTR)
– Maximum tolerable outage (MTO)
– Recovery objectives

474
Crisis Management
• Mitigate with disaster recovery plan
• Training on disaster recovery procedures
• Train and document to counter panic
• Crisis training

475
Emergency Communications
• Internal and external
• Keep outside informed of recovery process
• Support recovery through internal communications
• Alternatives in the event of infrastructure collapse during major disasters

476
Workgroup Recovery
• Each department needs to be recovered
• Restore workers’ ability to perform work tasks
• DRP is not IT only
• May require numerous strategies
• Independent recovery of work divisions

477
Alternate Processing Sites
• Cold site
• Hot site
• Warm site
• Mobile site
• Service bureaus
• Cloud computing

478
Mutual Assistance Agreements

• Reciprocal agreements
• Difficult to enforce
• Requires close proximity
• Confidentiality concerns

479
Database Recovery
• Electronic vaulting
• Remote journaling
• Remote mirroring

480
Recovery Plan Development
• Emergency response
• Personnel and communications
• Assessment
• Backups and offsite storage (see next slide)
• Software escrow arrangements
• External communications
• Utilities
• Logistics and supplies
• Recovery vs. restoration
• Training, awareness, and documentation

481
Backups and Offsite Storage
• Full, incremental, differential
• Onsite and offsite
• Media rotation schemes
• Backup tape formats
• Disk to disk backup
• Best practices
• Tape rotation

482
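To make full, incremental and differential backups concrete, the following added Python example (not from the study guide; file names and timestamps are constructed) shows which files each type copies and which backup sets a restore must replay. The restore rule also covers a schedule that mixes differentials and incrementals after one full backup.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEntry:
    name: str
    mtime: int   # constructed last-modified time, in hours since an arbitrary epoch

# Constructed file set standing in for a file server.
SAMPLE_FILES = [FileEntry("payroll.db", 5), FileEntry("ledger.xlsx", 30),
                FileEntry("policy.pdf", 55), FileEntry("readme.txt", 1)]

def files_in_backup(files, kind, last_full_time, last_backup_time):
    """Names of the files a backup of the given kind copies at this point in the schedule."""
    if kind == "full":
        return [f.name for f in files]
    if kind == "differential":   # everything changed since the last FULL backup
        return [f.name for f in files if f.mtime > last_full_time]
    if kind == "incremental":    # only what changed since the last backup of ANY kind
        return [f.name for f in files if f.mtime > last_backup_time]
    raise ValueError(f"unknown backup kind: {kind}")

def sets_to_restore(schedule):
    """Indices into `schedule` (chronological list of kinds) to restore, in order, to
    rebuild the latest state: the last full, then the last differential taken after it
    (a differential supersedes everything between it and the full), then every
    incremental taken after that point."""
    last_full = max(i for i, k in enumerate(schedule) if k == "full")
    needed = [last_full]
    diffs = [i for i, k in enumerate(schedule) if k == "differential" and i > last_full]
    start = diffs[-1] if diffs else last_full
    if diffs:
        needed.append(start)
    needed += [i for i, k in enumerate(schedule) if k == "incremental" and i > start]
    return needed

if __name__ == "__main__":
    # Full backup at hour 24, an incremental at hour 48; what does hour 72 copy?
    print(files_in_backup(SAMPLE_FILES, "differential", 24, 48))  # ledger.xlsx, policy.pdf
    print(files_in_backup(SAMPLE_FILES, "incremental", 24, 48))   # policy.pdf
    print(sets_to_restore(["full", "incremental", "incremental"]))   # [0, 1, 2]
    print(sets_to_restore(["full", "differential", "differential"])) # [0, 2]
```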
Testing and Maintenance
• Read-through test
• Structured walk-through
• Simulation test
• Parallel test
• Full-interruption test
• Maintenance

483
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

484
Chapter 19
Investigations and Ethics

485
Investigations
• Investigation Types
• Evidence
• Investigation Process

486 overview
Investigation Types 1/2
• Administrative
– Operational
– Root-cause analysis
• Criminal
– Beyond a reasonable doubt
• Civil
– Preponderance of the evidence
• Regulatory

487
Investigation Types 2/2
• Electronic discovery
– Information governance
– Identification
– Preservation
– Collection
– Processing
– Review
– Analysis
– Production
– Presentation

488
Evidence 1/3
• Admissible
• Real
• Documentary
– Best evidence rule, parol evidence rule
• Chain of evidence/chain of custody
• Testimonial

489
Evidence 2/3
• Evidence collection
– International Organization on Computer Evidence (IOCE)
• Follow general forensic and procedural principles
• Actions taken should not change that evidence
• Only trained personnel
• All activity must be fully documented, preserved, and available for review
• Individual is responsible for digital evidence while in their possession
• The agency is responsible for compliance with these principles

490
Evidence 3/3
• Forensic procedures
– Media analysis
– Network analysis
– Software analysis
– Hardware/embedded device analysis

491
Investigation Process 1/3
• Rules of engagement
• Gathering evidence
– Voluntary surrender
– Subpoena
– Search warrant
• Calling in law enforcement

492
Investigation Process 2/3
• Conducting the investigation
– Don’t use compromised systems
– Don’t hack back
– Call in the experts for assistance
• Interviewing individuals
– Interview vs. interrogation
– Trained investigators

493
Investigation Process 3/3
• Data Integrity and Retention
– Maintain integrity of all evidence
– Archiving policy
– Log file sanitization/destruction
– Remote logging
– Digital signatures
• Reporting and Documenting Investigations
– When to report and to whom to report
– Escalation and legal action may require reporting
– Documentation of all incidents

494
Major Categories of Computer Crime
• Military and intelligence attacks
• Advanced Persistent Threat (APT)
• Business attacks
– Corporate espionage or industrial espionage
• Financial attacks
• Terrorist attacks
• Grudge attacks
• Insider threats
• Thrill attacks – script kiddies, hacktivists

495
Ethics
• (ISC)2 Code of Ethics
• Ethics and the Internet

496 overview
(ISC)2 Code of Ethics
• Protect society, the common good, necessary public trust and confidence, and the infrastructure.
• Act honorably, honestly, justly, responsibly, and legally.
• Provide diligent and competent service to principals.
• Advance and protect the profession.

497
Ethics and the Internet
• RFC 1087: Activity is unacceptable and unethical that
– Seeks to gain unauthorized access to the resources of the Internet
– Disrupts the intended use of the Internet
– Wastes resources (people, capacity, computer) through such actions
– Destroys the integrity of computer-based information
– Compromises the privacy of users

498
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

499
Chapter 20
Software Development Security

500
Introducing Systems Development Controls
• Software Development
• Systems Development Lifecycle
• Lifecycle Models
• Gantt Charts and PERT
• Change and Configuration Management
• The DevOps Approach
• Application Programming Interfaces
• Software Testing
• Code Repositories
• Service-Level Agreements
• Software Acquisition

501 overview
Software Development 1/2
• Programming languages
• Machine language
• Compiled code and Interpreted code
– Compiler, decompiler
• Object-oriented programming
– Message, method, behavior, class, instance, inheritance, delegation, polymorphism, cohesion, coupling
• Assurance

502
Software Development 2/2
• Avoiding and mitigating system failure
– Input validation
• Limit check
– Authentication and session management
– Error handling
– Logging
– Fail-secure and fail-open

503
Systems Development Life Cycle
• Conceptual definition
• Functional requirements determination
– Inputs, behavior, outputs
• Control specifications development
• Design review
• Code review walk-through
• User acceptance testing
• Maintenance and change management

504
Life Cycle Models 1/3
• Waterfall model (view next slide)
– Feedback loop characteristic
• Spiral model
– Metamodel
– Prototyping

505
Waterfall Lifecycle Model

506
Life Cycle Models 2/3
• Agile software development
– Agile Manifesto defines 12 principles
– Individuals and interactions over processes and tools
– Working software over comprehensive documentation
– Customer collaboration over contract negotiation
– Responding to change over following a plan

507
Life Cycle Models 3/3
• Software capability maturity model (SCMM)
– Initial
– Repeatable
– Defined
– Managed
– Optimized
• IDEAL model
– Initiating
– Diagnosing
– Establishing
– Acting
– Learning

508
Gantt Charts and PERT 1/2
• Scheduling of projects
• Gantt relates project elements and time schedules

509
Gantt Charts and PERT 2/2
• Program Evaluation Review Technique (PERT)
– Focuses on software size
– Goal: more efficient software

510
Change and Configuration Management
• Request control
• Change control
• Release control

• Configuration identification
• Configuration control
• Configuration status accounting
• Configuration audit

511
The DevOps Approach
• Development and operations
• Combines: software development, quality assurance, and technology operations
• Aligned with Agile

512
Application Programming Interfaces
• Balance opportunities with security
• Authentication requirements
– Public vs. limited use
• Tested for security flaws

513
Software Testing
• Reasonableness check
• Handling of types, values, bounds, and conditions
• Separation of duties
• White-box, black-box, gray-box
• Static testing
• Dynamic testing

514
Code Repositories
• Collaboration
• Large-scale software projects
• Central storage point
• Version control
• Bug tracking
• Hosting
• Release management
• Communications functions

515
Service-Level Agreements
• Defines service requirements between provider and customer
• Necessary for all critical outsourced tasks/processes
• Should address:
– Uptime, downtime, peak load, average load, diagnostics, failover/redundancy
– Financial and contractual remedies for noncompliance

516
Software Acquisition
• On-premises deployment or cloud
• SaaS, PaaS, IaaS
• Security is top concern

517
Establishing Databases and Data Warehousing
• Database Management System Architecture
• Database Transactions
• Security for Multilevel Databases
• Open Database Connectivity (ODBC)
• NoSQL

518 overview
Database Management System Architecture
• Hierarchical
• Distributed
• Relational
– Fields, attributes, cells
– Tuple, row
– Cardinality and degree
– Domain, range of values
– Candidate keys, primary key, foreign keys
– Schema, DDL, DML

519
Database Transactions
• Atomicity
• Consistency
• Isolation
• Durability

520
Security for Multilevel Databases
• Database contamination
• Restricting access with views
• Concurrency
• Time stamps
• Granular access control, content-dependent
• Cell suppression
• Database partitioning
• Polyinstantiation
• Noise and perturbation

521
Open Database Connectivity
• Open Database Connectivity (ODBC)
• Proxy between database and application
• Freedom from direct DBMS programming

522
NoSQL
• Nonrelational databases
• Key/value stores
• Graph databases
• Document stores
– Extensible Markup Language (XML) and JavaScript Object Notation (JSON)

523
Storing Data and Information

• Types of Storage
• Storage Threats

524 overview
Types of Storage
• Primary/real
• Secondary
• Virtual memory
• Virtual storage
• Random access storage
• Sequential access storage
• Volatile storage
• Nonvolatile storage

525
Storage Threats
• Illegitimate access
– Access controls
– Prevent OS control bypass
– Encryption
– Prevent cross-level exploitation
• Covert channel attacks

526
Understanding Knowledge-Based Systems 1/2
• Expert Systems
– “If/then” statement knowledge base, inference engine, fuzzy logic
• Machine Learning
– Supervised learning
– Unsupervised learning
• Neural Networks
– Deep learning or cognitive systems
– Delta rule, learning rule

527
Understanding Knowledge-Based Systems 2/2
• Security Applications
– Capability to rapidly make consistent decisions
– Thoroughly analyze massive amounts of data

528
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

529
Chapter 21
Malicious Code and Application Attacks

530
Malicious Code
• Sources of Malicious Code
• Viruses
• Logic Bombs
• Trojan Horses
• Worms
• Spyware and Adware
• Zero-Day Attacks

531 overview
Sources of Malicious Code
• Skilled malicious software developers
• Script kiddies
• Amateur code developers
• Advanced persistent threat (APT)

532
Viruses 1/2
• Propagation techniques
– Master boot record
– File infector
– Macro virus
– Service injection virus
• Platforms vulnerable to viruses
– Mostly Windows
– All OSs have some malware

533
Viruses 2/2
• Antivirus mechanisms
– Signature, heuristic/behavior
• Virus technologies
– Multipartite viruses
– Stealth viruses
– Polymorphic viruses
– Encrypted viruses
• Hoax

534
Logic Bombs
• Lie dormant
• Wait for triggering event
– Time, program launch, website logon, …

535
Trojan Horses
• Benign host delivers malicious payload
• Rogue antivirus software
• Ransomware
– Cryptolocker
• Botnet

536
Worms
• Self-propagation
• Code Red
• Stuxnet

537
Spyware and Adware
• Spyware
– Monitors your actions
– Transmits details to remote system
– May include keystroke logging
• Adware
– Displays advertising
– Pop-up ads
– Monitor shopping, redirects to competitor sites

538
Zero-Day Attacks
• Security flaws discovered by hackers that have not been thoroughly addressed by the security community
• Window of vulnerability
• Defense-in-depth approach
– Overlapping security controls

539
Password Attacks
• Password Guessing
• Dictionary Attacks
– Rainbow table
– Brute force
• Social Engineering
– Spear phishing, whaling, vishing
– Dumpster diving
• Countermeasures
– Longer, more complex

540
Application Attacks
• Buffer overflows
• Time of check to time of use
(TOCTOU or TOC/TOU)
• Back doors
• Escalation of privilege and rootkits

541
Web Application Security
• Cross-site scripting (XSS)
– Input validation
• Cross-site request forgery (XSRF/CSRF)
• SQL Injection
– Dynamic Web applications
– Use prepared statements
– Perform input validation
– Limit account privileges

542
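The three SQL injection countermeasures on this slide, shown side by side in an added Python/sqlite3 example (not code from the study guide; the user table and the tautology payload are constructed): the same lookup through dynamic SQL and through a prepared statement, an allow-list input check, and sqlite3's authorizer hook standing in for a least-privilege database account.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table standing in for a web application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, username):
    """Dynamic SQL: user-supplied text is spliced into the query and can change its logic."""
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_prepared(conn, username):
    """Prepared statement: the value is bound separately, so quotes in it stay data."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]

def is_valid_username(username):
    """Input validation: allow-list of the characters a username legitimately needs."""
    return 1 <= len(username) <= 32 and username.replace("_", "").isalnum()

def restrict_to_reads(conn):
    """Limit account privileges: sqlite3's authorizer hook (stand-in for a read-only
    database account) lets this connection SELECT and READ but nothing else."""
    allowed = {sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ}
    def authorizer(action, arg1, arg2, db_name, trigger):
        return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)

def delete_is_denied(conn):
    """True if the connection is refused a destructive statement."""
    try:
        conn.execute("DELETE FROM users")
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"          # classic tautology, constructed for the demo
    print("dynamic SQL  :", lookup_vulnerable(db, payload))   # all three users
    print("prepared stmt:", lookup_prepared(db, payload))     # []
    print("valid input? :", is_valid_username(payload))        # False
    restrict_to_reads(db)
    print("DELETE denied:", delete_is_denied(db))             # True
```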
Reconnaissance Attacks
• IP probes
– IP sweeps, ping sweeps
• Port scans
• Vulnerability scans

543
Masquerading Attacks
• IP spoofing
• Session hijacking

544
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions

545