CISSP - Legal, Regulations, Investigations, and Compliance

Due Care - doing what is reasonably expected

Witness: has direct personal knowledge of the event

Expert Witness: opinion based on facts and expertise (not personal knowledge of the event)

Enticement: Getting a criminal to do something that can be tracked (think - making a file appear to be valuable and monitoring it, so that you will have evidence of the intruder)
Entrapment: Telling someone that they should try and get this file when they weren't already thinking about it.

FISMA: Federal Information Security Management Act -basically forces government agencies to have an information security program. Measures include inventory, assign risk level to systems, and implement pre-defined minimum security measures (FIPS 200). Process = System Documentation + Risk Assesment -> Reviewed -> Accredited -> Continous Monitoring + Change Management. Downside to FISMA is that it has turned into a checklist, which by itself isn't enough. The US Computer Security Act of 1987 was the first attempt to do this and was superceded by FISMA.

Computer Security Act: see FISMA

CFAA: Computer Fraud and Abuse Act of 1986 - makes it so that accessing a 'federal interest computer' is illegal. Must be across state boundaries and includes financial computers. This was part of the hacker crackdown.

FCPA: Foreign Corrupt Practices Act - civil / criminal if fail to maintain sufficient controls - think private organizations vs FISMA - which targets government

Gramm-Leach-Bliley - financial

HIPAA (1996) - AKA US Kennedy-Kassenbaum Act - Health Care

Federal Privacy Act (1996) - safeguards for Personally Identifiable Information

US National Information Infrastructure Protection Act (1996) - amendment to the Computer Fraud and Abuse Act - meant to clear up interpretation of government interest computer...

Habeas Corpus - unlawful detention

Data Diddling - changing records before / after transaction - charge the customer 99 cents but then record it as 50 cents and pocket the remainder

NIST: National Institute of Standards and Technology

Espionage: Getting secret information without permission.

Criminal, Civil/Tort (fines), Administrative

NSA is responsible for sensitive / classified systems, otherwise NIST (National Institute of Standards and Technology)

Event - noticeable occurrence

Incident - event that violates security policy or law

Forensics

Acquisition, Authentication, Analysis

Evidence lifecycle - collection, analysis, storage, presentation, return to victim

Locard's Exchange principle - when two object come into contact there is at least trace evidence of this contact

Evidence - Real, Direct(witness), demonstrative (not quite real - pictures, most computer evidence), documentary (letters, contracts)

Best Evidence is usual contract like

admissible evidence must be reliable, sufficient, and relevant

RFC 1087 - Ethics and the Internet (short read)

(a) seeks to gain unauthorized access to the resources of the Internet,
(b) disrupts the intended use of the Internet,
(c) wastes resources (people, capacity, computer) through such actions,
(d) destroys the integrity of computer-based information,
(e) compromises the privacy of users.

Morris Worm is a great example of why this was written

(ISC)2 code of ethics

Canons

protect society, commonwealth, and the infrastructure

act honorably, honestly, justly, responsibly, and legally

provide diligent and competent service to principals

advance and protect the profession




Incident Response

Identify, coordinate, mitigate, investigate, educate

Phreaking

Red Box - simulates sound of coins

Blue Box - simulates control tones

Black Box - manipulate voltage (signal)

and tons more

CISSP - Business Continuity and Disaster Recovery Planning

RPO vs RTO
Recovery Point Objective = How old is the recovery point - ie backup every 24 hours.
Recovery Time Objective = How long will it take to recover the system / data.

RPO & RTO = How long it will take to get the system back up and how much data entry will need to be duplicated to account for what was not backed up.

Software Escrow is software-protection mechanism. If the software vendor goes under - you can get the source code to the software so that your information system doesn't go under with the vendor.

Diverse Routing - using multiple service providers - be careful that the providers themselves don't share a single point of failure

Last Mile Protection - redundant connection to a single service provider

BCP - Business Continuity Plan

1. Scope and Plan Initiation
2. Business Impact Assessment (vulnerability assessment, downtime estimation - RTO/RPOs, resource requirements, criticality prioritization, documenting the strategy)
3. Business Continuity Development
4. Plan Approval and Implementation

Processes can be broken down into core (revenue generating, see the mission statement), discretionary (non essential), and supporting

DRP - Disaster Recovery Plan

reduce the complexity of the recovery
minimize the length and impact of the disaster's effects
develop an effective recovery team

Backups

GFS - Grandfather - Father - Son - hierarchical in design - for example 7 tapes for daily (son) are rotated, every sunday the son is promoted to a father (weekly), on the last day of the month, the father is promoted to a grand-father (monthly)

Electronic Vaulting - periodic bulk transfer of records - think full/differential/incremental backups - only they are sent to someone else to store - usually geographically isolated from you

Remote Journaling - change by change log - requires a full backup and then a complete journal since the backup was created

Sites

Reciprocal - aka mutual aid agreement - partner with another organization - not usually feasible

Redundant - hot site with same equipment as opposed to similar equipment

Hot - similar equipment on and ready to go - only thing missing is data

Warm - some equipment is ready (critical processes) but most are not

Cold - facility missing equipment and data

MTO - maximum tolerable outage - maximum time services can be provided at site

CISSP - Cryptography

Cryptography

Theory

Cryptograhpy - secret message between two parties

Crytanalysis - breaking cryptography - think - analysis - which is to remove complexity

Cryptology - cryptography and crytptanalysis

Block Ciphers: http://www.youtube.com/watch?v=OJuWOPSOOK4&feature=related

ECB - Electronic Code Book - Does not involve chaining - so input will always yield the same output. This makes it only good for small, short sensitivity-life data.

CBC - Cipher Block Chaining - Solves the problem with ECB about always producing the same output by introducing an IV (initialization vector).

CFB - Cipher Feedback Mode - Similiar to CBC but for streaming instead of block. It uses the ciphertext from the last block to XOR with this block - hiding the plain text.

OFB - Output Feedback Mode - Improvement of CFB

CTR - Counter Mode - Improvement of OFB

XOR - 1(true) if bits are different

Running Key - when the key is not as long as the message (which is usual), the key is repeated until it is

One time pad -> Vernam Cipher - key must be protected, >= message, resulting pad cannot be reused, random key gen

Stream ciphers do not alter the length of the message - block ciphers do as they pad the message to conform to block sizes

Clipper Chip: used the skipjack cipher. Was meant to give the government the ability to wiretap phones but didn't take.

Morris worm of 1988: While going to Cornell, Morris deployed the worm from MIT. He only meant to 'measure' the internet, but the worm reinfected computers over and over again, causing a DOS attack. He is now a professor at MIT.

Symmetric - Skytale (Spartans)-> Ceasar's Cipher -> Enigma (Germans WWI) -> Purple Machine (Japanese WWII) -> DES (32 rounds) -> IDEA(64 bit blocks, 128 bit key, used in PGP) -> MARS (IBM entrance for AES)-> Blowfish(64 bit blocks, 448bit key entrance for AES) -> AES (Rinjdael 128, 10 rounds)

Assymetric - LUC (Lucas Functions, discrete logarithms) -> RSA -> ElGamal (used in PGP)-> ECC

Diffie-Hellman is just for key exchange -> used by ElGamal

Collision - when two files produce the same hash.

Clustering - different keys yield the same result

Transposition -> Diffusion - moving things around

Substitution -> Confusion

PKI

4 Components - certificate and registration authorities, repository and archive

Revoked -> Revocation List, and online certification status protocol

SET - Secure Electronic Transaction - x.509 derivative that didn't gain traction

Integrity (Hasing)

HAVAL (variable bit), RIPEMD (europe version of MD4), MD Series(MD5 = 128 bit), SHA (>160 bit), TIGER (designed for 64 bit systems)

MD4 is for high-speed computations, MD5 is standard

DSS - Digital Signature Standard - 160 bits

Securing Email

S/MIME, PGP, PEM (uses AES or RSA), MSP

UUencode - encoding for email - to add support for binaries (attachments)

X.400 - standard for email (exchange)

Securing Wireless

WEP - RC4 - stream cipher - used because it was fast and exportable

Attacks

Side Channel - attack the encryption device itself

Remote Desktop slowness fixed

I was surprised to find that remote desktop was running very slowly to my directly connected server.

I came across the following link which discusses the issue. http://blog.tmcnet.com/blog/tom-keating/microsoft/remote-desktop-slow-problem-solved.asp

I entered the following command on my client computer and the problem was resolved.
netsh interface tcp set global autotuninglevel=highlyrestricted

Server 2008 - Wireless Feature Disabled

I recently found myself trying to set up a server to act as a bridge to get wireless from the hotel into my room and to a switch. I already had Server 2008 installed on a box running HyperV and thought it should be no trouble to plug in my wireless card and bridge the network.

Long story short: Wireless LAN 'Feature' is disabled by default. To enable it, go to Server Manager > Features > Wireless Lan Service.

Here is the link that led me to this: http://vspug.com/yazan/2008/02/21/windows-server-2008-wirless-connection/

Note the consistent inconsistency by Microsoft as this is called a service in the list of features.

CISSP - Access Control

Access Control

Role Based(Non-discretionary) vs Discretionary Access Control

Discretionary Access Control allows the owner to manage permissions of their resources. In theory this was a good idea but most owners aren't proficient enough to manage the security of their resources effectively. This also isn't usually a priority for them. A good example of this would be giving new users permission but never removing any of the old users.

Role Based Access Control is very similiar but permissions are based on a role. Now an administrator can manage the security by assigning users to their appropriate roles and giving that role the necessary permissions. The key distinction besides the obvious is that in the DAC, only the owner can make the changes.

Detective Access Control

CRC is a Detective Access Control because it detects that the integrity has been breached.

Preventive vs Deterrent: 4 foot fence is deterrent - and 8 foot fence is preventive. I would argue that deterrent is a subset of preventive.

Types of Authentication

Type 1 -> 3 - Something you know, have, are

Bio-Metrics

Accuracy of Bio-Metrics: Fingerprint > Palm Scan > Hand Geometry > Retina Scan > Iris Scan

Zephyr Chart is used to compare different bio metric systems (by factoring in acceptance, etc.) When comparing like systems - use the CER (Cross Over Erorr Rate - where FRR meets FAR) AKA EER (Equal Error Rate)

Lower CER the Better.

Type 1 = FRR = Annoying

Type 2 = FAR = Breach

Leap: Cisco Proprietary version of EAP

CVE: Common Vulnerabilities and Exposures

Policies are high level and do not say how.

MITM: Man in the Middle

ACLs are used in Discretionary Access Controls. On CISSP - think decentralized workgroup file ACLS (NOT AD centralized ACLS)

Enticement vs Entrapment: You entice someone that is committing a crime to do something that you can record to catch them. Entrapment is 'enticing' someone to commit the crime in the first place. The line can get gray quickly - entrapment is illegal/unethical and serves as a defense for the criminal.

Sesame is an Assymetric version of SSO (Kerberos)

Biba (Integrity - no write down)

Attacks

Rainbow Table: precomputed password hashes - big file instead of computing time

SATAN is the first vulnerability scanner - renamed SANTA

Superzapping - program that bypasses normal security

Smurf - ping users across a network with spoofed source so that the spoofed source (victim) gets overwhelmed

LAND - SYN packet with source and destination ip and port as the target (most NICs are no longer vulnerable to this)

TRINOO - sort of bot net that was part of the yahoo DDOS attack of 2000.

SYN attack - AKA half open attack - target runs out of memory while trying to keep track of an infinite number of TCP sessions.

Chargen - Character Generator - can be used to cause systems to go into an infinite loop talking to themselves.

Ping of Death - icmp packets that are larger than allowed

Fraggle - wrote by the same author as Smurf - this attack is similiar to smurf only it uses echo instead of ping

Teardrop - crashes a victim by sending malformed IP fragments that are over sized and/or overlapping

MEME - hoax - usually a chain letter looking for victims to forward it throughout the internet

EICAR - is used to verify the functionaly of antivirus software. Simply an innocent signature that all vendors flag for test purposes

CISSP Prep

In preparation for my CISSP I will collect sources and notes here.

I am reading CISSP for Dummies. I originally bought a much denser book but after learning that the CISSP certification is 50 miles wide and 10 inches deep, I figured a less dense book would suffice, and more importantly save me some time.

I went into CISSP for Dummies knowing that it would probably only go about 5 inches deep and that I would need to identify my areas of weakness and do more research to complement what I am reading. What follows is the other 5 inches addressing the areas I needed more work in.

Rainbow Books

Kerberos: http://www.youtube.com/watch?v=7-LjpO2nTJo&feature=related. I found this video to be very helpful. It is easy to get lost in all the keys and exchanges, especially when trying to read it in text format. In summary and from a higher more memorable level:

A secure connection between the client and authentication server is established by encrypting the traffic with the client's secret key. This secret key is based on the password that is stored in the authentication server. The user on the client computer enters a password and it is used to decrypt the messages from the authentication server. If it is not the right password then the messages will not be decipherable and the process halts. Over this secure connection, the Authentication Server sends the client it's Ticket Generating Service Session Key. It also sends it an encrypted message that only the Ticket Generating Service can decrypt. The client simply forwards this message along to the Ticket Generating Service.

When the Ticket Generating Service receives the message from the Authentication Server via the client it decrypts it using a secret key that only the Authentication Server and the Ticket Generating Service know. This reveals the Ticket Generating Service Session key and client associated with the key.

Next the Client establishes a secure connection with the Ticket Generating Service by using the Ticket Generating Service Session key that only Ticket Generating Service and the Client know. This is a dynamic key that was generated by the Authentication Server and not only establishes a secure connection between the Ticket Generating Service and the Client but also limits the time the connection can last.

Over this secure connection, the Ticket Generating Service sends the client a Client/Server Session key. It also sends an encrypted message to be sent to the Server that includes the Client/Server Session key and Client ID and time limit associated with the key.

Now the Server and Client can establish mutual trust.

In layman's terms:

You go to the security gate of a building and ask to go to the accounting department. The security guard verifies your identity and gives you a document that he signs stating that you are who you say you are and that you are allowed to go to the receptionist.

You arrive at the receptionist and she takes the document, verifies the signature, verifies that you are the person identified in the document and gives you a new signed document stating that you can go to the accounting department.

Upon arriving at the accounting department, they take the document, verify the signature, verify that you are the person identified in the document, and then asks, "so what can we do for you?"

And after all that, now imagine that this makes Single Sign On possible - in other words this is supposed to reduce complexity by reducing the number of logons needed to enter various systems.