Friday, July 23, 2010
Wave pattern: think microwave, if the frequency bouncing back changes from norm then there is motion.
Capacitance: monitors an eletrical field for change - used for small area - think of an area surrounding an object in a museum.
Audio: listens for noise
Photoelectric: think grid of light (visible or not)
Types of fire suppression systems
Wet Pipe: Pipe is full of water to the sprinkler head - quit to get water to fire - but if it was a false alarm, can cause equipment damage for no reason
Dry Pipe: Pipe is not full of water - providing a little bit of time to react to a false alarm - pipes could have leaks that aren't realized until a fire forces water into the pipes.
Deluge: Similar to dry pipe - but for high volumes of water - which is why they are not used around computer equipment
Preaction: dry until heat sensor primes it (now wet pipe) - then another heat sensor releases the water
Classes of Fire
A - Common combustibles - like wood
B - Burnable fules - like gas
C - Electrical - like a data center
D - Grease or chemical - like a kitchen
Halon 1301 (1211 - portable) above 10% and >900 degrees it degrades into hydrogen flouride, hydrogen bromide, and bromine which is toxic. For this reason, it has been replaced (via Environmental Protection Act of 1990) by FM-200 (Argon and Inergen are also options but not as effective). If a Halon system is in place - it CAN continue to be used, but extra measures must be taken when it is used
CCTV: Closed Circuit Television - Decrease Focal Length to widen view larger iris for less light areas
CPTED: Crime Prevention Through Environmental Design
2 inch - Normal
1 inch - High
3/8 inch - Extremely high
Gauge - smaller gauge = bigger diameter (tougher fence)
3-4 feet - Deter casual
8 feet - deter determined
Piezoelectric: think kinetic energy - not really related but it was thrown in as a decoy answer and I didn't know what it was
Exterior Lighting: 2 feet of candlepower at 8 feet above the fence so as to blind intruders from seeing past the fence and illuminating them for the cameras
Glare Protection: pointing lights towards potential intruders and away from guards.
Fixed lighting = Fixed Iris as it doesn't need to adjust for changes in light
Classes of Gates:
1 - Residential
2 - Commercial
3 - Industrial
4 - Restricted
1500 static volts can damage a HDD and as little as 10 static volts can damage some electrical components. Humans cannot perceive until 1500 and the typical scuff on the carpet produces closer to 12,000.
Access to Server room - the technician side of me says that admins need access. The CISSP side of me (needs to) says that the server room should be highly controlled. Admins should be able to do most everything remotely.
Must have positive pressurization - meaning if the doors are opened - air rushes out as opposed to pulling dusty dirty air in.
Too much moisture = corrosion
Too little moisture = static electricity
Too much heat = over heat
Too little heat = slowed performance
Fail-safe - doors are open
Fail-secure - doors are closed with an emergency bar(or other method) to keep people from being trapped in
Warder < Pin&Tumbler
Bump key is cut to number 9 position (not sure what that means) - and allows the lock picker to bump the key while applying pressure to the lock to open the lock
Annunciation System verbally alerts guards so that they can take action
Bollard - blocks a vehicle from passing - usually metal or cement and arranged in a line of columns.
Mantrap is two sets of doors - like in castles where you go through two sets of gates and in between they are ready to poor boiling oil on you!!
TCSEC: US Based - Trusted Computer System Evaluation Criteria AKA Orange Book superseded by Common Criteria. A is higher then D. B3 is higher than B1.
A -> Verified - A1 = Configuration Management
B -> Mandatory Access Control - B1 = Labeled - B2 = Structured, B3 = Security Domains, Covert Channels
C -> Discretionary Access Control
D -> Minimal Security
ITSEC (1980s) - Europe Based - Seven Assurance (Effectiveness) levels: E0 - E6 and 10 Functionaly levels: F1 - F10
CTCPEC - Canada Based
Common Criteria - ISO around 1990 - Bridge gap between national versions - 7 Assurance Levels: EAL1 < EAL2 (structurally tested) < EAL4 (methodically designed, tested, and reviewed) < EAL6 (semi-formally verified, designed, and tested) < EAL7 (formally verified, designed, and tested)
Covert Channel Analysis: Finding channels being hidden inside of other channels - HTTP is very common for this as people are doing all sorts of things over HTTP that the system may not have been intended to do. DOD has an entire book (Light Pink Book) dedicated to this.
Bell-LaPadula - Confidentiality Model - Simple = No read up, Star = no write down
Biba - Integrity Model - Simple = No read down, Star = no write up
Clark Wilson (1987) - Security Labels (MAC) - meets all goals of integrity. IVP (Integrity Verification Procedure) confirms integrity. Constrained Data Item is being protected, Unconstrained is not yet protected. Transformational Procedure...
Take-Grant - Create, revoke, grant, take
Brewer-Nash - Conflict of Interest
Sutherland - Inference
Memory Management - requirements - relocation, protection, sharing, physical organization, logical organization
CPU States - Ready, Supervisor (privileged), Problem (user - processing - not really a problem), Wait
Process States - New (to be loaded into memory), Blocked (waiting for input), ready (waiting to give to cpu), running (waiting for CPU to finish)
PLC - Programmable Logic Controller - think micro controller
PSW - Program Status Word register - holds applications operating state
Rings of Protection - 0 is Security Kernel - home of the Reference Monitor
Bus Interface Unit - Managing access from Bus Resources (PCI, serial, etc) to CPU
NIACAP - National Information Assurance Certification and Accreditation Process - types: site, type, system
DITSCAP - Defense Information Technology Security Certification and Accreditation Process - 4 phases - replaced by DIACAP - Defense Information Assurance Certification and Accreditation Process
Neon Orange - NCSC-TG-003 - A Guide to Understanding Discretionary Access Control in Trusted Systems
Purple - Guidelines for formal Verification System
Tan - A Guide to Understanding Audit in Trusted Systems
Green - DOD 5220.22-M - DOD Password Management Guidelines
Orange - TCSEC
Light Pink - Covert Channels
Light Yellow - CSC-STD-003-85
TOC / TOU - Time of Check / Time of Use - Asynchronous attack against the timing of when something was checked vs when it is actually used - ie. if a user had admin rights taken away, but hasn't logged off
Van Ecks Phreaking - NOT phones - early version of TEMPEST - project to sniff CRT / VGA emissions
Trusted Computing Base: all of the protection mechanisms in a computer system (hardware, firmware, software). Trusted Path - user / process <-> kernel. Trusted shell AKA sandbox.
CISC: Complex Instruction Set Computing - each instruction can perform multiple low level operations. Meant to bridge the gap between simple low level instructions (1+1 = 2) and high level programming logic / loops. Think x86
RISC: Reduced Instruction Set Computing - based on the philosophy that the CPU can be more efficient if it focuses on the simple operations (contrary to CISC) - modern development has been a balance between the two. SPARC.
Witness: has direct personal knowledge of the event
Expert Witness: opinion based on facts and expertise (not personal knowledge of the event)
Enticement: Getting a criminal to do something that can be tracked (think - making a file appear to be valuable and monitoring it, so that you will have evidence of the intruder)
Entrapment: Telling someone that they should try and get this file when they weren't already thinking about it.
FISMA: Federal Information Security Management Act -basically forces government agencies to have an information security program. Measures include inventory, assign risk level to systems, and implement pre-defined minimum security measures (FIPS 200). Process = System Documentation + Risk Assesment -> Reviewed -> Accredited -> Continous Monitoring + Change Management. Downside to FISMA is that it has turned into a checklist, which by itself isn't enough. The US Computer Security Act of 1987 was the first attempt to do this and was superceded by FISMA.
Computer Security Act: see FISMA
CFAA: Computer Fraud and Abuse Act of 1986 - makes it so that accessing a 'federal interest computer' is illegal. Must be across state boundaries and includes financial computers. This was part of the hacker crackdown.
FCPA: Foreign Corrupt Practices Act - civil / criminal if fail to maintain sufficient controls - think private organizations vs FISMA - which targets government
Gramm-Leach-Bliley - financial
HIPAA (1996) - AKA US Kennedy-Kassenbaum Act - Health Care
Federal Privacy Act (1996) - safeguards for Personally Identifiable Information
US National Information Infrastructure Protection Act (1996) - amendment to the Computer Fraud and Abuse Act - meant to clear up interpretation of government interest computer...
Habeas Corpus - unlawful detention
Data Diddling - changing records before / after transaction - charge the customer 99 cents but then record it as 50 cents and pocket the remainder
NIST: National Institute of Standards and Technology
Espionage: Getting secret information without permission.
Criminal, Civil/Tort (fines), Administrative
NSA is responsible for sensitive / classified systems, otherwise NIST (National Institute of Standards and Technology)
Event - noticeable occurrence
Incident - event that violates security policy or law
Acquisition, Authentication, Analysis
Evidence lifecycle - collection, analysis, storage, presentation, return to victim
Locard's Exchange principle - when two object come into contact there is at least trace evidence of this contact
Evidence - Real, Direct(witness), demonstrative (not quite real - pictures, most computer evidence), documentary (letters, contracts)
Best Evidence is usual contract like
admissible evidence must be reliable, sufficient, and relevant
RFC 1087 - Ethics and the Internet (short read)
(a) seeks to gain unauthorized access to the resources of the Internet,Morris Worm is a great example of why this was written
(b) disrupts the intended use of the Internet,
(c) wastes resources (people, capacity, computer) through such actions,
(d) destroys the integrity of computer-based information,
(e) compromises the privacy of users.
(ISC)2 code of ethics
protect society, commonwealth, and the infrastructure
act honorably, honestly, justly, responsibly, and legally
provide diligent and competent service to principals
advance and protect the profession
Identify, coordinate, mitigate, investigate, educate
Red Box - simulates sound of coins
Blue Box - simulates control tones
Black Box - manipulate voltage (signal)
and tons more
Thursday, July 22, 2010
Recovery Point Objective = How old is the recovery point - ie backup every 24 hours.
Recovery Time Objective = How long will it take to recover the system / data.
RPO & RTO = How long it will take to get the system back up and how much data entry will need to be duplicated to account for what was not backed up.
Software Escrow is software-protection mechanism. If the software vendor goes under - you can get the source code to the software so that your information system doesn't go under with the vendor.
Diverse Routing - using multiple service providers - be careful that the providers themselves don't share a single point of failure
Last Mile Protection - redundant connection to a single service provider
BCP - Business Continuity Plan
1. Scope and Plan Initiation
2. Business Impact Assessment (vulnerability assessment, downtime estimation - RTO/RPOs, resource requirements, criticality prioritization, documenting the strategy)
3. Business Continuity Development
4. Plan Approval and Implementation
Processes can be broken down into core (revenue generating, see the mission statement), discretionary (non essential), and supporting
DRP - Disaster Recovery Plan
reduce the complexity of the recovery
minimize the length and impact of the disaster's effects
develop an effective recovery team
GFS - Grandfather - Father - Son - hierarchical in design - for example 7 tapes for daily (son) are rotated, every sunday the son is promoted to a father (weekly), on the last day of the month, the father is promoted to a grand-father (monthly)
Electronic Vaulting - periodic bulk transfer of records - think full/differential/incremental backups - only they are sent to someone else to store - usually geographically isolated from you
Remote Journaling - change by change log - requires a full backup and then a complete journal since the backup was created
Reciprocal - aka mutual aid agreement - partner with another organization - not usually feasible
Redundant - hot site with same equipment as opposed to similar equipment
Hot - similar equipment on and ready to go - only thing missing is data
Warm - some equipment is ready (critical processes) but most are not
Cold - facility missing equipment and data
MTO - maximum tolerable outage - maximum time services can be provided at site
Sunday, July 18, 2010
Cryptograhpy - secret message between two parties
Crytanalysis - breaking cryptography - think - analysis - which is to remove complexity
Cryptology - cryptography and crytptanalysis
Block Ciphers: http://www.youtube.com/watch?v=OJuWOPSOOK4&feature=related
ECB - Electronic Code Book - Does not involve chaining - so input will always yield the same output. This makes it only good for small, short sensitivity-life data.
CBC - Cipher Block Chaining - Solves the problem with ECB about always producing the same output by introducing an IV (initialization vector).
CFB - Cipher Feedback Mode - Similiar to CBC but for streaming instead of block. It uses the ciphertext from the last block to XOR with this block - hiding the plain text.
OFB - Output Feedback Mode - Improvement of CFB
CTR - Counter Mode - Improvement of OFB
XOR - 1(true) if bits are different
Running Key - when the key is not as long as the message (which is usual), the key is repeated until it is
One time pad -> Vernam Cipher - key must be protected, >= message, resulting pad cannot be reused, random key gen
Stream ciphers do not alter the length of the message - block ciphers do as they pad the message to conform to block sizes
Clipper Chip: used the skipjack cipher. Was meant to give the government the ability to wiretap phones but didn't take.
Morris worm of 1988: While going to Cornell, Morris deployed the worm from MIT. He only meant to 'measure' the internet, but the worm reinfected computers over and over again, causing a DOS attack. He is now a professor at MIT.
Symmetric - Skytale (Spartans)-> Ceasar's Cipher -> Enigma (Germans WWI) -> Purple Machine (Japanese WWII) -> DES (32 rounds) -> IDEA(64 bit blocks, 128 bit key, used in PGP) -> MARS (IBM entrance for AES)-> Blowfish(64 bit blocks, 448bit key entrance for AES) -> AES (Rinjdael 128, 10 rounds)
Diffie-Hellman is just for key exchange -> used by ElGamal
Collision - when two files produce the same hash.
Clustering - different keys yield the same result
Transposition -> Diffusion - moving things around
Substitution -> Confusion
4 Components - certificate and registration authorities, repository and archive
Revoked -> Revocation List, and online certification status protocol
SET - Secure Electronic Transaction - x.509 derivative that didn't gain traction
HAVAL (variable bit), RIPEMD (europe version of MD4), MD Series(MD5 = 128 bit), SHA (>160 bit), TIGER (designed for 64 bit systems)
MD4 is for high-speed computations, MD5 is standard
DSS - Digital Signature Standard - 160 bits
S/MIME, PGP, PEM (uses AES or RSA), MSP
UUencode - encoding for email - to add support for binaries (attachments)
X.400 - standard for email (exchange)
WEP - RC4 - stream cipher - used because it was fast and exportable
Side Channel - attack the encryption device itself
I came across the following link which discusses the issue. http://blog.tmcnet.com/blog/tom-keating/microsoft/remote-desktop-slow-problem-solved.asp
I entered the following command on my client computer and the problem was resolved.
netsh interface tcp set global autotuninglevel=highlyrestricted
Long story short: Wireless LAN 'Feature' is disabled by default. To enable it, go to Server Manager > Features > Wireless Lan Service.
Here is the link that led me to this: http://vspug.com/yazan/2008/02/21/windows-server-2008-wirless-connection/
Note the consistent inconsistency by Microsoft as this is called a service in the list of features.
Thursday, July 15, 2010
Role Based(Non-discretionary) vs Discretionary Access Control
Discretionary Access Control allows the owner to manage permissions of their resources. In theory this was a good idea but most owners aren't proficient enough to manage the security of their resources effectively. This also isn't usually a priority for them. A good example of this would be giving new users permission but never removing any of the old users.
Role Based Access Control is very similiar but permissions are based on a role. Now an administrator can manage the security by assigning users to their appropriate roles and giving that role the necessary permissions. The key distinction besides the obvious is that in the DAC, only the owner can make the changes.
Detective Access Control
CRC is a Detective Access Control because it detects that the integrity has been breached.
Preventive vs Deterrent: 4 foot fence is deterrent - and 8 foot fence is preventive. I would argue that deterrent is a subset of preventive.
Types of Authentication
Type 1 -> 3 - Something you know, have, are
Accuracy of Bio-Metrics: Fingerprint > Palm Scan > Hand Geometry > Retina Scan > Iris Scan
Zephyr Chart is used to compare different bio metric systems (by factoring in acceptance, etc.) When comparing like systems - use the CER (Cross Over Erorr Rate - where FRR meets FAR) AKA EER (Equal Error Rate)
Lower CER the Better.
Type 1 = FRR = Annoying
Type 2 = FAR = Breach
Leap: Cisco Proprietary version of EAP
CVE: Common Vulnerabilities and Exposures
Policies are high level and do not say how.
MITM: Man in the Middle
ACLs are used in Discretionary Access Controls. On CISSP - think decentralized workgroup file ACLS (NOT AD centralized ACLS)
Enticement vs Entrapment: You entice someone that is committing a crime to do something that you can record to catch them. Entrapment is 'enticing' someone to commit the crime in the first place. The line can get gray quickly - entrapment is illegal/unethical and serves as a defense for the criminal.
Sesame is an Assymetric version of SSO (Kerberos)
Biba (Integrity - no write down)
Rainbow Table: precomputed password hashes - big file instead of computing time
SATAN is the first vulnerability scanner - renamed SANTA
Superzapping - program that bypasses normal security
Smurf - ping users across a network with spoofed source so that the spoofed source (victim) gets overwhelmed
LAND - SYN packet with source and destination ip and port as the target (most NICs are no longer vulnerable to this)
TRINOO - sort of bot net that was part of the yahoo DDOS attack of 2000.
SYN attack - AKA half open attack - target runs out of memory while trying to keep track of an infinite number of TCP sessions.
Chargen - Character Generator - can be used to cause systems to go into an infinite loop talking to themselves.
Ping of Death - icmp packets that are larger than allowed
Fraggle - wrote by the same author as Smurf - this attack is similiar to smurf only it uses echo instead of ping
Teardrop - crashes a victim by sending malformed IP fragments that are over sized and/or overlapping
MEME - hoax - usually a chain letter looking for victims to forward it throughout the internet
EICAR - is used to verify the functionaly of antivirus software. Simply an innocent signature that all vendors flag for test purposes
Tuesday, July 6, 2010
I am reading CISSP for Dummies. I originally bought a much denser book but after learning that the CISSP certification is 50 miles wide and 10 inches deep, I figured a less dense book would suffice, and more importantly save me some time.
I went into CISSP for Dummies knowing that it would probably only go about 5 inches deep and that I would need to identify my areas of weakness and do more research to complement what I am reading. What follows is the other 5 inches addressing the areas I needed more work in.
Kerberos: http://www.youtube.com/watch?v=7-LjpO2nTJo&feature=related. I found this video to be very helpful. It is easy to get lost in all the keys and exchanges, especially when trying to read it in text format. In summary and from a higher more memorable level:
A secure connection between the client and authentication server is established by encrypting the traffic with the client's secret key. This secret key is based on the password that is stored in the authentication server. The user on the client computer enters a password and it is used to decrypt the messages from the authentication server. If it is not the right password then the messages will not be decipherable and the process halts. Over this secure connection, the Authentication Server sends the client it's Ticket Generating Service Session Key. It also sends it an encrypted message that only the Ticket Generating Service can decrypt. The client simply forwards this message along to the Ticket Generating Service.
When the Ticket Generating Service receives the message from the Authentication Server via the client it decrypts it using a secret key that only the Authentication Server and the Ticket Generating Service know. This reveals the Ticket Generating Service Session key and client associated with the key.
Next the Client establishes a secure connection with the Ticket Generating Service by using the Ticket Generating Service Session key that only Ticket Generating Service and the Client know. This is a dynamic key that was generated by the Authentication Server and not only establishes a secure connection between the Ticket Generating Service and the Client but also limits the time the connection can last.
Over this secure connection, the Ticket Generating Service sends the client a Client/Server Session key. It also sends an encrypted message to be sent to the Server that includes the Client/Server Session key and Client ID and time limit associated with the key.
Now the Server and Client can establish mutual trust.
In layman's terms:
You go to the security gate of a building and ask to go to the accounting department. The security guard verifies your identity and gives you a document that he signs stating that you are who you say you are and that you are allowed to go to the receptionist.
You arrive at the receptionist and she takes the document, verifies the signature, verifies that you are the person identified in the document and gives you a new signed document stating that you can go to the accounting department.
Upon arriving at the accounting department, they take the document, verify the signature, verify that you are the person identified in the document, and then asks, "so what can we do for you?"
And after all that, now imagine that this makes Single Sign On possible - in other words this is supposed to reduce complexity by reducing the number of logons needed to enter various systems.