Friday, July 23, 2010

CISSP - Physical Security

Types of Motion Detectors:
Wave pattern: think microwave, if the frequency bouncing back changes from norm then there is motion.
Capacitance: monitors an eletrical field for change - used for small area - think of an area surrounding an object in a museum.
Audio: listens for noise
Photoelectric: think grid of light (visible or not)

Types of fire suppression systems
Water Sprinklers
Wet Pipe: Pipe is full of water to the sprinkler head - quit to get water to fire - but if it was a false alarm, can cause equipment damage for no reason
Dry Pipe: Pipe is not full of water - providing a little bit of time to react to a false alarm - pipes could have leaks that aren't realized until a fire forces water into the pipes.
Deluge: Similar to dry pipe - but for high volumes of water - which is why they are not used around computer equipment
Preaction: dry until heat sensor primes it (now wet pipe) - then another heat sensor releases the water

Classes of Fire
A - Common combustibles - like wood
B - Burnable fules - like gas
C - Electrical - like a data center
D - Grease or chemical - like a kitchen

Halon 1301 (1211 - portable) above 10% and >900 degrees it degrades into hydrogen flouride, hydrogen bromide, and bromine which is toxic. For this reason, it has been replaced (via Environmental Protection Act of 1990) by FM-200 (Argon and Inergen are also options but not as effective). If a Halon system is in place - it CAN continue to be used, but extra measures must be taken when it is used

CCTV: Closed Circuit Television - Decrease Focal Length to widen view larger iris for less light areas

CPTED: Crime Prevention Through Environmental Design

2 inch - Normal
1 inch - High
3/8 inch - Extremely high
Gauge - smaller gauge = bigger diameter (tougher fence)
3-4 feet - Deter casual
8 feet - deter determined

Piezoelectric: think kinetic energy - not really related but it was thrown in as a decoy answer and I didn't know what it was

Exterior Lighting: 2 feet of candlepower at 8 feet above the fence so as to blind intruders from seeing past the fence and illuminating them for the cameras

Glare Protection: pointing lights towards potential intruders and away from guards.

Fixed lighting = Fixed Iris as it doesn't need to adjust for changes in light

Classes of Gates:
1 - Residential
2 - Commercial
3 - Industrial
4 - Restricted

Static Electricity
1500 static volts can damage a HDD and as little as 10 static volts can damage some electrical components. Humans cannot perceive until 1500 and the typical scuff on the carpet produces closer to 12,000.

Access to Server room - the technician side of me says that admins need access. The CISSP side of me (needs to) says that the server room should be highly controlled. Admins should be able to do most everything remotely.

Must have positive pressurization - meaning if the doors are opened - air rushes out as opposed to pulling dusty dirty air in.
Too much moisture = corrosion
Too little moisture = static electricity
Too much heat = over heat
Too little heat = slowed performance

Fail-safe - doors are open
Fail-secure - doors are closed with an emergency bar(or other method) to keep people from being trapped in

Warder < Pin&Tumbler
Bump key is cut to number 9 position (not sure what that means) - and allows the lock picker to bump the key while applying pressure to the lock to open the lock

Annunciation System verbally alerts guards so that they can take action

Bollard - blocks a vehicle from passing - usually metal or cement and arranged in a line of columns.

Mantrap is two sets of doors - like in castles where you go through two sets of gates and in between they are ready to poor boiling oil on you!!

CISSP - System Architecture and Design

Evaluation Criteria

TCSEC: US Based - Trusted Computer System Evaluation Criteria AKA Orange Book superseded by Common Criteria. A is higher then D. B3 is higher than B1.
A -> Verified - A1 = Configuration Management
B -> Mandatory Access Control - B1 = Labeled - B2 = Structured, B3 = Security Domains, Covert Channels
C -> Discretionary Access Control
D -> Minimal Security

ITSEC (1980s) - Europe Based - Seven Assurance (Effectiveness) levels: E0 - E6 and 10 Functionaly levels: F1 - F10

CTCPEC - Canada Based

Common Criteria - ISO around 1990 - Bridge gap between national versions - 7 Assurance Levels: EAL1 < EAL2 (structurally tested) < EAL4 (methodically designed, tested, and reviewed) < EAL6 (semi-formally verified, designed, and tested) < EAL7 (formally verified, designed, and tested)

Covert Channel Analysis: Finding channels being hidden inside of other channels - HTTP is very common for this as people are doing all sorts of things over HTTP that the system may not have been intended to do. DOD has an entire book (Light Pink Book) dedicated to this.

Security Models

Bell-LaPadula - Confidentiality Model - Simple = No read up, Star = no write down

Biba - Integrity Model - Simple = No read down, Star = no write up

Clark Wilson (1987) - Security Labels (MAC) - meets all goals of integrity. IVP (Integrity Verification Procedure) confirms integrity. Constrained Data Item is being protected, Unconstrained is not yet protected. Transformational Procedure...

Take-Grant - Create, revoke, grant, take

Brewer-Nash - Conflict of Interest

Sutherland - Inference



Low Level

Memory Management - requirements - relocation, protection, sharing, physical organization, logical organization

CPU States - Ready, Supervisor (privileged), Problem (user - processing - not really a problem), Wait

Process States - New (to be loaded into memory), Blocked (waiting for input), ready (waiting to give to cpu), running (waiting for CPU to finish)

PLC - Programmable Logic Controller - think micro controller

PSW - Program Status Word register - holds applications operating state

Rings of Protection - 0 is Security Kernel - home of the Reference Monitor

Bus Interface Unit - Managing access from Bus Resources (PCI, serial, etc) to CPU


NIACAP - National Information Assurance Certification and Accreditation Process - types: site, type, system

DITSCAP - Defense Information Technology Security Certification and Accreditation Process - 4 phases - replaced by DIACAP - Defense Information Assurance Certification and Accreditation Process

The Books

Neon Orange - NCSC-TG-003 - A Guide to Understanding Discretionary Access Control in Trusted Systems

Purple - Guidelines for formal Verification System

Tan - A Guide to Understanding Audit in Trusted Systems

Green - DOD 5220.22-M - DOD Password Management Guidelines

Orange - TCSEC

Light Pink - Covert Channels

Light Yellow - CSC-STD-003-85


TOC / TOU - Time of Check / Time of Use - Asynchronous attack against the timing of when something was checked vs when it is actually used - ie. if a user had admin rights taken away, but hasn't logged off

Van Ecks Phreaking - NOT phones - early version of TEMPEST - project to sniff CRT / VGA emissions

Trusted Computing Base: all of the protection mechanisms in a computer system (hardware, firmware, software). Trusted Path - user / process <-> kernel. Trusted shell AKA sandbox.

CISC: Complex Instruction Set Computing - each instruction can perform multiple low level operations. Meant to bridge the gap between simple low level instructions (1+1 = 2) and high level programming logic / loops. Think x86

RISC: Reduced Instruction Set Computing - based on the philosophy that the CPU can be more efficient if it focuses on the simple operations (contrary to CISC) - modern development has been a balance between the two. SPARC.

CISSP - Legal, Regulations, Investigations, and Compliance

Due Care - doing what is reasonably expected

Witness: has direct personal knowledge of the event

Expert Witness: opinion based on facts and expertise (not personal knowledge of the event)

Enticement: Getting a criminal to do something that can be tracked (think - making a file appear to be valuable and monitoring it, so that you will have evidence of the intruder)
Entrapment: Telling someone that they should try and get this file when they weren't already thinking about it.

FISMA: Federal Information Security Management Act -basically forces government agencies to have an information security program. Measures include inventory, assign risk level to systems, and implement pre-defined minimum security measures (FIPS 200). Process = System Documentation + Risk Assesment -> Reviewed -> Accredited -> Continous Monitoring + Change Management. Downside to FISMA is that it has turned into a checklist, which by itself isn't enough. The US Computer Security Act of 1987 was the first attempt to do this and was superceded by FISMA.

Computer Security Act: see FISMA

CFAA: Computer Fraud and Abuse Act of 1986 - makes it so that accessing a 'federal interest computer' is illegal. Must be across state boundaries and includes financial computers. This was part of the hacker crackdown.

FCPA: Foreign Corrupt Practices Act - civil / criminal if fail to maintain sufficient controls - think private organizations vs FISMA - which targets government

Gramm-Leach-Bliley - financial

HIPAA (1996) - AKA US Kennedy-Kassenbaum Act - Health Care

Federal Privacy Act (1996) - safeguards for Personally Identifiable Information

US National Information Infrastructure Protection Act (1996) - amendment to the Computer Fraud and Abuse Act - meant to clear up interpretation of government interest computer...

Habeas Corpus - unlawful detention

Data Diddling - changing records before / after transaction - charge the customer 99 cents but then record it as 50 cents and pocket the remainder

NIST: National Institute of Standards and Technology

Espionage: Getting secret information without permission.

Criminal, Civil/Tort (fines), Administrative

NSA is responsible for sensitive / classified systems, otherwise NIST (National Institute of Standards and Technology)

Event - noticeable occurrence

Incident - event that violates security policy or law


Acquisition, Authentication, Analysis

Evidence lifecycle - collection, analysis, storage, presentation, return to victim

Locard's Exchange principle - when two object come into contact there is at least trace evidence of this contact

Evidence - Real, Direct(witness), demonstrative (not quite real - pictures, most computer evidence), documentary (letters, contracts)

Best Evidence is usual contract like

admissible evidence must be reliable, sufficient, and relevant

RFC 1087 - Ethics and the Internet (short read)

(a) seeks to gain unauthorized access to the resources of the Internet,
(b) disrupts the intended use of the Internet,
(c) wastes resources (people, capacity, computer) through such actions,
(d) destroys the integrity of computer-based information,
(e) compromises the privacy of users.
Morris Worm is a great example of why this was written

(ISC)2 code of ethics


protect society, commonwealth, and the infrastructure

act honorably, honestly, justly, responsibly, and legally

provide diligent and competent service to principals

advance and protect the profession

Incident Response

Identify, coordinate, mitigate, investigate, educate


Red Box - simulates sound of coins

Blue Box - simulates control tones

Black Box - manipulate voltage (signal)

and tons more

Thursday, July 22, 2010

CISSP - Business Continuity and Disaster Recovery Planning

Recovery Point Objective = How old is the recovery point - ie backup every 24 hours.
Recovery Time Objective = How long will it take to recover the system / data.

RPO & RTO = How long it will take to get the system back up and how much data entry will need to be duplicated to account for what was not backed up.

Software Escrow is software-protection mechanism. If the software vendor goes under - you can get the source code to the software so that your information system doesn't go under with the vendor.

Diverse Routing - using multiple service providers - be careful that the providers themselves don't share a single point of failure

Last Mile Protection - redundant connection to a single service provider

BCP - Business Continuity Plan

1. Scope and Plan Initiation
2. Business Impact Assessment (vulnerability assessment, downtime estimation - RTO/RPOs, resource requirements, criticality prioritization, documenting the strategy)
3. Business Continuity Development
4. Plan Approval and Implementation

Processes can be broken down into core (revenue generating, see the mission statement), discretionary (non essential), and supporting

DRP - Disaster Recovery Plan

reduce the complexity of the recovery
minimize the length and impact of the disaster's effects
develop an effective recovery team


GFS - Grandfather - Father - Son - hierarchical in design - for example 7 tapes for daily (son) are rotated, every sunday the son is promoted to a father (weekly), on the last day of the month, the father is promoted to a grand-father (monthly)

Electronic Vaulting - periodic bulk transfer of records - think full/differential/incremental backups - only they are sent to someone else to store - usually geographically isolated from you

Remote Journaling - change by change log - requires a full backup and then a complete journal since the backup was created


Reciprocal - aka mutual aid agreement - partner with another organization - not usually feasible

Redundant - hot site with same equipment as opposed to similar equipment

Hot - similar equipment on and ready to go - only thing missing is data

Warm - some equipment is ready (critical processes) but most are not

Cold - facility missing equipment and data

MTO - maximum tolerable outage - maximum time services can be provided at site

Sunday, July 18, 2010

CISSP - Cryptography



Cryptograhpy - secret message between two parties

Crytanalysis - breaking cryptography - think - analysis - which is to remove complexity

Cryptology - cryptography and crytptanalysis

Block Ciphers:

ECB - Electronic Code Book - Does not involve chaining - so input will always yield the same output. This makes it only good for small, short sensitivity-life data.

CBC - Cipher Block Chaining - Solves the problem with ECB about always producing the same output by introducing an IV (initialization vector).

CFB - Cipher Feedback Mode - Similiar to CBC but for streaming instead of block. It uses the ciphertext from the last block to XOR with this block - hiding the plain text.

OFB - Output Feedback Mode - Improvement of CFB

CTR - Counter Mode - Improvement of OFB

XOR - 1(true) if bits are different

Running Key - when the key is not as long as the message (which is usual), the key is repeated until it is

One time pad -> Vernam Cipher - key must be protected, >= message, resulting pad cannot be reused, random key gen

Stream ciphers do not alter the length of the message - block ciphers do as they pad the message to conform to block sizes

Clipper Chip: used the skipjack cipher. Was meant to give the government the ability to wiretap phones but didn't take.

Morris worm of 1988: While going to Cornell, Morris deployed the worm from MIT. He only meant to 'measure' the internet, but the worm reinfected computers over and over again, causing a DOS attack. He is now a professor at MIT.

Symmetric - Skytale (Spartans)-> Ceasar's Cipher -> Enigma (Germans WWI) -> Purple Machine (Japanese WWII) -> DES (32 rounds) -> IDEA(64 bit blocks, 128 bit key, used in PGP) -> MARS (IBM entrance for AES)-> Blowfish(64 bit blocks, 448bit key entrance for AES) -> AES (Rinjdael 128, 10 rounds)

Assymetric - LUC (Lucas Functions, discrete logarithms) -> RSA -> ElGamal (used in PGP)-> ECC

Diffie-Hellman is just for key exchange -> used by ElGamal

Collision - when two files produce the same hash.

Clustering - different keys yield the same result

Transposition -> Diffusion - moving things around

Substitution -> Confusion


4 Components - certificate and registration authorities, repository and archive

Revoked -> Revocation List, and online certification status protocol

SET - Secure Electronic Transaction - x.509 derivative that didn't gain traction

Integrity (Hasing)

HAVAL (variable bit), RIPEMD (europe version of MD4), MD Series(MD5 = 128 bit), SHA (>160 bit), TIGER (designed for 64 bit systems)

MD4 is for high-speed computations, MD5 is standard

DSS - Digital Signature Standard - 160 bits

Securing Email


UUencode - encoding for email - to add support for binaries (attachments)

X.400 - standard for email (exchange)

Securing Wireless

WEP - RC4 - stream cipher - used because it was fast and exportable


Side Channel - attack the encryption device itself

Remote Desktop slowness fixed

I was surprised to find that remote desktop was running very slowly to my directly connected server.

I came across the following link which discusses the issue.

I entered the following command on my client computer and the problem was resolved.
netsh interface tcp set global autotuninglevel=highlyrestricted

Server 2008 - Wireless Feature Disabled

I recently found myself trying to set up a server to act as a bridge to get wireless from the hotel into my room and to a switch. I already had Server 2008 installed on a box running HyperV and thought it should be no trouble to plug in my wireless card and bridge the network.

Long story short: Wireless LAN 'Feature' is disabled by default. To enable it, go to Server Manager > Features > Wireless Lan Service.

Here is the link that led me to this:

Note the consistent inconsistency by Microsoft as this is called a service in the list of features.

Thursday, July 15, 2010

CISSP - Access Control

Access Control

Role Based(Non-discretionary) vs Discretionary Access Control

Discretionary Access Control allows the owner to manage permissions of their resources. In theory this was a good idea but most owners aren't proficient enough to manage the security of their resources effectively. This also isn't usually a priority for them. A good example of this would be giving new users permission but never removing any of the old users.

Role Based Access Control is very similiar but permissions are based on a role. Now an administrator can manage the security by assigning users to their appropriate roles and giving that role the necessary permissions. The key distinction besides the obvious is that in the DAC, only the owner can make the changes.

Detective Access Control

CRC is a Detective Access Control because it detects that the integrity has been breached.

Preventive vs Deterrent: 4 foot fence is deterrent - and 8 foot fence is preventive. I would argue that deterrent is a subset of preventive.

Types of Authentication

Type 1 -> 3 - Something you know, have, are


Accuracy of Bio-Metrics: Fingerprint > Palm Scan > Hand Geometry > Retina Scan > Iris Scan

Zephyr Chart is used to compare different bio metric systems (by factoring in acceptance, etc.) When comparing like systems - use the CER (Cross Over Erorr Rate - where FRR meets FAR) AKA EER (Equal Error Rate)

Lower CER the Better.

Type 1 = FRR = Annoying

Type 2 = FAR = Breach

Leap: Cisco Proprietary version of EAP

CVE: Common Vulnerabilities and Exposures

Policies are high level and do not say how.

MITM: Man in the Middle

ACLs are used in Discretionary Access Controls. On CISSP - think decentralized workgroup file ACLS (NOT AD centralized ACLS)

Enticement vs Entrapment: You entice someone that is committing a crime to do something that you can record to catch them. Entrapment is 'enticing' someone to commit the crime in the first place. The line can get gray quickly - entrapment is illegal/unethical and serves as a defense for the criminal.

Sesame is an Assymetric version of SSO (Kerberos)

Biba (Integrity - no write down)


Rainbow Table: precomputed password hashes - big file instead of computing time

SATAN is the first vulnerability scanner - renamed SANTA

Superzapping - program that bypasses normal security

Smurf - ping users across a network with spoofed source so that the spoofed source (victim) gets overwhelmed

LAND - SYN packet with source and destination ip and port as the target (most NICs are no longer vulnerable to this)

TRINOO - sort of bot net that was part of the yahoo DDOS attack of 2000.

SYN attack - AKA half open attack - target runs out of memory while trying to keep track of an infinite number of TCP sessions.

Chargen - Character Generator - can be used to cause systems to go into an infinite loop talking to themselves.

Ping of Death - icmp packets that are larger than allowed

Fraggle - wrote by the same author as Smurf - this attack is similiar to smurf only it uses echo instead of ping

Teardrop - crashes a victim by sending malformed IP fragments that are over sized and/or overlapping

MEME - hoax - usually a chain letter looking for victims to forward it throughout the internet

EICAR - is used to verify the functionaly of antivirus software. Simply an innocent signature that all vendors flag for test purposes

Tuesday, July 6, 2010


In preparation for my CISSP I will collect sources and notes here.

I am reading CISSP for Dummies. I originally bought a much denser book but after learning that the CISSP certification is 50 miles wide and 10 inches deep, I figured a less dense book would suffice, and more importantly save me some time.

I went into CISSP for Dummies knowing that it would probably only go about 5 inches deep and that I would need to identify my areas of weakness and do more research to complement what I am reading. What follows is the other 5 inches addressing the areas I needed more work in.

Rainbow Books

Kerberos: I found this video to be very helpful. It is easy to get lost in all the keys and exchanges, especially when trying to read it in text format. In summary and from a higher more memorable level:

A secure connection between the client and authentication server is established by encrypting the traffic with the client's secret key. This secret key is based on the password that is stored in the authentication server. The user on the client computer enters a password and it is used to decrypt the messages from the authentication server. If it is not the right password then the messages will not be decipherable and the process halts. Over this secure connection, the Authentication Server sends the client it's Ticket Generating Service Session Key. It also sends it an encrypted message that only the Ticket Generating Service can decrypt. The client simply forwards this message along to the Ticket Generating Service.

When the Ticket Generating Service receives the message from the Authentication Server via the client it decrypts it using a secret key that only the Authentication Server and the Ticket Generating Service know. This reveals the Ticket Generating Service Session key and client associated with the key.

Next the Client establishes a secure connection with the Ticket Generating Service by using the Ticket Generating Service Session key that only Ticket Generating Service and the Client know. This is a dynamic key that was generated by the Authentication Server and not only establishes a secure connection between the Ticket Generating Service and the Client but also limits the time the connection can last.

Over this secure connection, the Ticket Generating Service sends the client a Client/Server Session key. It also sends an encrypted message to be sent to the Server that includes the Client/Server Session key and Client ID and time limit associated with the key.

Now the Server and Client can establish mutual trust.

In layman's terms:

You go to the security gate of a building and ask to go to the accounting department. The security guard verifies your identity and gives you a document that he signs stating that you are who you say you are and that you are allowed to go to the receptionist.

You arrive at the receptionist and she takes the document, verifies the signature, verifies that you are the person identified in the document and gives you a new signed document stating that you can go to the accounting department.

Upon arriving at the accounting department, they take the document, verify the signature, verify that you are the person identified in the document, and then asks, "so what can we do for you?"

And after all that, now imagine that this makes Single Sign On possible - in other words this is supposed to reduce complexity by reducing the number of logons needed to enter various systems.