- Confidentiality
- Resources should be protected from unauthorized access
- Prioritized by governments
- Concepts
- Sensitivity
- How harmful is disclosure
 
- Discretion
- Controlled disclosure to prevent damage
 
- Criticality
- How essential the information is to the organisation
 
- Concealment
- Hiding information (e.g. obfuscation)
 
- Secrecy
- Keeping something a secret
 
- Privacy
- Keeping personal information secret
 
- Seclusion
- Storing data in out-of-the-way locations
 
- Isolation
- Keeping data separate
 
 
 
- Integrity
- Resources should be protected from unauthorized modification
- Resources should maintain semantic consistency
 
- Availability
- Resources should be accessible to authorized parties
- Prioritized by businesses
 
- Required to hold a subject accountable for actions
- Identification
- Subject identifies themselves
 
- Authentication
- Subject proves their identity
 
- Authorization
- Subject is allowed/disallowed to perform an action
- What can the subject do and not do?
 
- Auditing
- Subject's actions are logged
 
- Accounting
- Subject's logs are reviewed for violations
- Subject is held accountable for their actions
- Legally Defensible Security
- Required to hold subjects accountable
- You need to prove:
- Efforts were made to prevent the crime
- Log files are accurate
- All laws and regulations were followed
- Warnings and notifications were posted
- Electronic evidence is decisive
 
 
- Non-repudiation
- Subjects cannot deny performing an action
 
 
- Layering/Defense-in-Depth
- Use of multiple controls in a series
- Uses series vs. parallel
- Series
- Useful for security
- Data passes through multiple filters
- Airport with multiple gates
 
- Parallel
- Useful for performance
- Data can pass any filter
- Mall with multiple entrances
 
 
 
- Abstraction
- Generalizes a group of objects and subjects
- Defines object and subject templates
- E.g. "Employee" can be used to describe "Linda", "Mark", etc.
 
- Data Hiding
- Places data in location not seen by subject
- Prevents data from being accessed by unauthorized subjects
 
- Encryption
- Hides intent of data rather than hiding the data itself
- Makes data unreadable to unauthorized subjects
 
- Administration of an organization's security program
- Business Case
- Justifies starting a new project
 
- Approaches
- Top-down
- Upper management makes security policies
- Lower professionals flesh out security policies
 
- Bottom-up
- IT staff makes security decisions
- Problematic
 
 
- Autonomous InfoSec Team
- Led by the CSO
- Reports directly to senior management
 
- Security Policy
- Requires support of senior management to succeed
- Evidence of due care and due diligence
 
- Strategic Plan
- Long-term plan
- Defines security purpose of organization
- Lifetime: 5 years
 
- Tactical Plan
- Mid-term plan
- Contains TASKS to achieve Strategic Plan
- Examples
- Project plans
- Acquisition plans
- Hiring plans
- Budget plans
 
- Lifetime: 1 year
 
- Operation Plan
- Short-term plan
- Contains STEPS to achieve Tactical Plan
- Examples
- Training plans
- System deployment plans
- Product design plans
 
- Lifetime: 1 month/1 quarter
 
- Changes can lead to security issues
- Purpose
- Prevents compromise after change
 
- Goals
- Monitor change
- Test change
- Allow rollback of change
- Inform users of change
- Analyze effects of change
- Minimize negative impact of change
- Allow review of change by Change Approval Board (CAB)
 
- Identify which data need to be prioritized for protection
- Identify which controls are needed for which data
- Benefits
- Demonstrates commitment to protection of data
- Identifies critical assets
- Justifies selection of controls
- Required for regulations
- Defines proper access, declassification, and destruction method
- Helps with data life-cycle management
 
- Classification Criteria
- Usefulness
- Timeliness
- Value
- Age
- Lifetime
- Relationship with subjects
- Sensitivity
- Criticality
- National Security Implications
- Storage method
- Ownership
 
- Implementing Classification
- Identify custodian
- Determine evaluation criteria
- Classify resources
- Determine exceptions
- Determine security controls
- Determine declassification procedure
- Staff awareness/training
 
- Classification Schemes
- Government/Military
- Classified
- Top Secret
- Secret
- Confidential
 
- Unclassified
- Sensitive
- Unclassified
 
 
- Private/Business
- Confidential/Private
- Confidential/Proprietary: Related to business
- Private: Related to personnel
 
- Sensitive
- Public
 
- Roles and Responsibilities
- Senior Manager
- Signs off on policy issues
- Liable for security solution
 
- Security Professional
- Designs and implements security solutions
 
- Data Owner
- Classifies data
 
- Data Custodian
- Implements controls to protect data
- Protects data based on classification
 
- User
- Accesses the system
- Complies with security policies
 
- Auditor
- Checks for compliance with security policy
- Checks effectiveness of security policy
 
 
- Training vs Education
- Training
- So users can comply with security policies
 
- Education
- Users learn more than what they need to know
 
 
- For planning IT security of an organization
- Control Objectives for Information and Related Technology (COBIT)
- By ISACA
- Principles
- Meeting Stakeholder Needs
- Covering the Enterprise End-to-End
- Applying a Single Integrated Framework
- Enabling a Holistic Approach
- Separating Governance from Management
 
 
- Due Care
- Required effort to protect data
- Compliance with legal regulations
- Legal duty of company
- Failure will result in negligence
 
- Due Diligence
- Maintaining due care
- Continuous improvement of security
- Penetration tests, vulnerability assessments, etc.
 
- Operational Security
- Ongoing maintenance of due care and due diligence
 
- Should be kept as separate documents
- Only changed materials need to be redistributed
- Not all users are concerned with all documents
 
- Security Policy
- Generalization of security needs, goals, and practices
- Broad overview of security
- Strategic plan
- Proof of due care
- Compulsory
- Responsibilities must be roles-based, not individual-based
- Types
- Organizational
- Issue-specific
- Network Service
- Department
 
- System-specific
 
- Categories
- Regulatory
- Required by law
 
- Advisory
- Required by senior management
- Acceptable Use Policy
- Assigns security roles
- Assigns responsibilities to roles
- Contains expected behaviour
 
 
- Informative
- Not required
- Provides background information to issues
 
 
 
- Standard
- Describes uniform implementation of technology
- Tactical documents
 
- Baselines
- Describes a secure state for a system
- System-specific
 
- Guideline
- Recommendations and suggested actions for compliance
- Describes controls rather than products
- Not compulsory
 
- Procedure
- Step-by-step instruction on how to implement a security control
- Specific to a system or product
- Ensures compliance with standard
 
- Approaches
- Proactive
- Performed before and while the system is being implemented
- Predicting threats and designing defenses in advance
- More cost effective and more successful
- Security Development Lifecycle
- Reduce number of coding defects
- Reduce severity of remaining defects
 
 
- Reactive
- Performed after the system has been implemented
- Less effective but more cost effective than redesign
- E.g. penetration testing, source code review, fuzz testing
- Fuzz Testing
- Random invalid input is fed to a program
- Attempts to find previously undetected flaws
 
 
 
- Steps
- Threat Identification
- Approaches
- Focused on Assets
- Protect valuable assets
 
- Focused on Attackers
- Protect the things that attackers want to attack
 
- Focused on Software
- Protect the software
 
 
- Individual Threats
- Be cautious of
- Contractors
- Trusted Partners
 
 
- Threat Categorization
- STRIDE
- Spoofing
- Falsifying information to gain access
 
- Tampering
- Making unauthorized changes
 
- Repudiation
- Denying having done an action
 
- Information Disclosure
- Revelation of controlled information
 
- Denial-of-Service
- Prevents the use of an asset
 
- Escalation of Privilege
- Elevates capability of an underprivileged account
 
 
- Determining Potential Attacks
- Data Flow Diagrams
- Entities
- Technologies
- Transactions
- Attacks vs each element
 
 
- Reduction Analysis
- Decomposing system/process/environment
- Modules
- Functions
- Protocols
- etc.
 
- Identify the Following
- Trust Boundaries
- Data Flow Paths
- Input Points
- Privileged Operations
- Security Approach
 
 
- Prioritization and Response
- Probability x Damage Potential
- High/Medium/Low
- DREAD
- Discoverability
- Reproducibility
- Exploitability
- Affected Users
- Damage Potential
 
 
 
- Select software with integrated security
- Evaluate 3rd party service provider
- On-Site Assessment
- Observe their operating habits
 
- Document Exchange and Review
- Investigate data exchange process
 
- Process/Policy Review
- Review their security policy
 
 
- Review Service Level Agreements
- People
- Weakest link in security chain
 
- Hiring Process
- Job Description
- Concepts
- Separation of Duties
- Least Privilege
- Job Responsibilities
- Job Rotation
- Cross-training
 
- Maintain throughout organization lifecycle
 
- Job Classification
- Employee Screening
- Background checks, etc.
 
- Hiring and Training
- Non-disclosure Agreement
- Non-compete Agreement
 
- Termination
- Notify employee
- Request return of company equipment
- Disable electronic access
- Exit interview and NDA review
- Escort off premises
 
 
- Separation of Duties
- Work tasks divided among administrators
- Applies to administrators instead of users
- Prevents collusion
 
- Least Privilege
- Users should only have privileges that they require
- Applies to users instead of admins
 
- Job Responsibilities
- Work tasks that an employee is required to perform
- Defines required objects, resources, and services
 
- Job Rotation
- Provides knowledge redundancy
- Less downtime
- Reduces risk of fraud via peer auditing
- Protects against collusion
 
- Cross-training
- Alternative to job rotation
- Employees are trained for other jobs
- Workers are not rotated through different jobs
 
- Collusion
- When people work together to commit a crime
 
- Non-disclosure Agreement (NDA)
- Protects confidential information within an organization
 
- Non-compete Agreement (NCA)
- Prevents employees from jumping to a competitor
- Has time limit
- Allows company to keep competitive edge
- Difficult to enforce
- Deters violation of NDA
 
- Mandatory Vacations
- Used to audit employees
 
- Termination Best Practices
- Have one witness
- Escort off premises
- Escort required when in work area
- Return employee identification and equipment
- Disable network user account at same time of termination
- Notify HR to issue final paychecks
- Inform security personnel of termination
- Terminate at end of shift in middle of week
- Perform exit interview
 
- Exit Interview
- Review liabilities and restrictions
- Review NDA and other agreements
 
- Third-party Controls
- Service Level Agreements
- Defines expected level of service from third-party
- Put in place for network connections and services
- Includes remedies if not met
- Common SLA Issues
- System uptime
- Maximum consecutive downtime
- Peak load
- Average load
- Responsibility for diagnostics
- Failover time
 
 
 
- Compliance
- Adherence to regulations
- Employees need to follow policies, etc.
 
- Privacy
- Secrecy of personal information
- Prevention of unauthorized access to PII
- Freedom from being monitored without knowledge
- For employees, site visitors, customers, suppliers, and contractors
 
- Personally Identifiable Information
- Information that can be traced back to a person
- Includes
- Phone
- Address
- SSN
- Name
 
- Excludes
- MAC Address
- IP Address
- OS Type
 
 
- Directing the security efforts of an organization
- Third-party Governance
- Employment of external auditors
- External auditors review your security
 
- Compliance of external providers
- Providers must comply with your security policies
- Documentation Review
- On-site assessments
 
 
- Documentation review
- Exchanging materials
- Reading and verifying them against expectations
- Required before performing on-site assessments
 
- On-site assessments
- First hand exposure to security mechanisms
- Auditors should follow COBIT
 
- Authorization to Operate (ATO)
- For government contractors
- Required when complying with government security policies
 
- Risk
- Possibility that assets could be damaged or disclosed
 
- Risk Management
- Actions to reduce risk to an acceptable level
- Steps
- Risk Analysis
- Identify
- Evaluate
- Countermeasures
 
- Risk Responses
- Mitigate
- Using countermeasures to reduce risk
 
- Transfer
- Transferring risk to another organization
- Purchasing insurance
- Outsourcing business processes
 
- Accept
- When countermeasure costs more than risk cost
- Organization absorbs risk cost
- Signed off by management
 
- Reject
- Ignoring the existence of the risk
- Not a prudent due-care response to risk
 
 
- Countermeasure Selection and Implementation
- Rules
- Countermeasure Cost < Asset Value
- Countermeasure Cost < Countermeasure Benefit
- Benefit of Attack < Cost of Attack
- Secure by design
- Benefit should be testable and verifiable
 
 
- Monitoring and Measurement
- Continuous Improvement
 
 
- Risk Analysis
- Process of achieving risk management goals
- Steps
- Identifying risk
- Evaluating risk
- Likelihood
- Damage Potential
- Risk Rating
 
- Determining countermeasures
- Cost/benefit analysis
 
 
- Types
- Quantitative
- Qualitative
- Hybrid
 
- Quantitative Risk Analysis
- Assigning dollar value to risks
- Steps
- Identify assets and value (AV)
- Identify threats against assets and exposure factor (EF)
- Determine single loss expectancy (SLE)
- Identify annual rate of occurrence (ARO)
- Determine annual loss expectancy (ALE)
- Identify countermeasures and changes to ARO and ALE if applied
- Determine countermeasure cost and benefit (Raw ALE - Controlled ALE - Annual Control Cost)
 
- Values
- Asset Value (AV)
- The value of an asset
 
- Exposure Factor (EF)
- Percentage of loss to an asset if a risk to it is realized
 
- Single Loss Expectancy (SLE)
- Cost if a risk is realized
- SLE = AV * EF
 
- Annualized Rate of Occurrence (ARO)
- Number of times a risk is realized per year
- Historical records, statistical analysis, guesswork
- Determined through Probability Determination
- ARO = Threat Sources * Single Likelihood
 
- Annualized Loss Expectancy (ALE)
- Expected yearly cost of a risk
- ALE = ARO * SLE
 
- Annualized Loss Expectancy with Safeguard (ALE)
- When safeguard is applied, ARO and EF change
- Recalculate ALE with modified ARO
- ALE = ARO * SLE
 
- Annualized Cost of Safeguard (ACS)
- Yearly cost to implement safeguard
- Safeguard cost should be less than asset value
- If asset value is less than safeguard, just accept the risk
 
- Safeguard Benefit
- The amount of money saved by implementing the safeguard
- Benefit = ALE w/o safeguard - ALE w/ safeguard - ACS
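
The steps and formulas above, carried through on constructed figures (an added example, not part of the original notes). The asset names, safeguard names, dollar amounts, and the `choose_response` selection rule are assumptions made for illustration; the formulas are the ones listed above.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float      # AV
    exposure_factor: float  # EF as a fraction, 0.0 to 1.0
    aro: float              # ARO: expected occurrences per year


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float  # ACS: yearly cost of the safeguard
    aro_after: float    # ARO expected once the safeguard is in place
    ef_after: float     # EF expected once the safeguard is in place


def sle(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV * EF."""
    if asset_value < 0:
        raise ValueError("AV cannot be negative")
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("EF must be a fraction between 0 and 1")
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """ALE = ARO * SLE."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return aro * sle(asset_value, exposure_factor)


def safeguard_benefit(risk: Risk, sg: Safeguard) -> float:
    """Benefit = ALE w/o safeguard - ALE w/ safeguard - ACS."""
    before = ale(risk.asset_value, risk.exposure_factor, risk.aro)
    after = ale(risk.asset_value, sg.ef_after, sg.aro_after)
    return before - after - sg.annual_cost


def choose_response(
    risk: Risk, candidates: List[Safeguard]
) -> Tuple[str, Optional[Safeguard], float]:
    """Return ("mitigate", safeguard, benefit) or ("accept", None, 0.0).

    Assumed selection rule: skip any safeguard whose yearly cost is not
    below the asset value, then take the largest positive benefit.
    """
    best: Optional[Safeguard] = None
    best_benefit = 0.0
    for sg in candidates:
        if sg.annual_cost >= risk.asset_value:
            continue  # safeguard cost should be less than asset value
        benefit = safeguard_benefit(risk, sg)
        if benefit > best_benefit:
            best, best_benefit = sg, benefit
    if best is None:
        return ("accept", None, 0.0)  # no safeguard pays for itself
    return ("mitigate", best, best_benefit)


# Constructed sample data (hypothetical assets, safeguards and figures).
CUSTOMER_DB = Risk("customer database breach", 200_000, 0.25, 2.0)
WAF = Safeguard("web application firewall", 15_000, 0.5, 0.25)
MANAGED_MONITORING = Safeguard("managed monitoring", 90_000, 0.125, 0.25)

LAB_SERVER = Risk("lab server disk failure", 8_000, 0.5, 0.5)
REDUNDANT_HW = Safeguard("redundant hardware", 10_000, 0.5, 0.0)
NIGHTLY_BACKUP = Safeguard("nightly backup", 3_000, 0.5, 0.125)


if __name__ == "__main__":
    cases = [
        (CUSTOMER_DB, [WAF, MANAGED_MONITORING]),
        (LAB_SERVER, [REDUNDANT_HW, NIGHTLY_BACKUP]),
    ]
    for risk, candidates in cases:
        raw_ale = ale(risk.asset_value, risk.exposure_factor, risk.aro)
        decision, sg, benefit = choose_response(risk, candidates)
        chosen = sg.name if sg else "none"
        print(f"{risk.name}: ALE={raw_ale:,.0f} -> {decision} "
              f"(safeguard: {chosen}, yearly benefit: {benefit:,.0f})")
```

The lab server case ends in "accept": one safeguard costs more than the asset is worth and the other costs more per year than the loss it prevents.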
 
 
 
- Qualitative Risk Analysis
- Scenario-based
- Uses threat-ranking
- Techniques
- Delphi Technique
- Brainstorming
- Surveys
- etc.
 
- Scenarios
- One page description of a threat
- Contains
- Threat Vectors
- Impact
- Safeguards
- Threat Level
 
 
- Delphi Technique
- Anonymous feedback-response process
- For reaching a consensus
- For honest feedback from participants
 
 
 
- Risk Terminology
- Asset
- Items that have value to the organization
- Items that will damage the organization if disclosed
- Any item that needs to be protected
 
- Asset Valuation
- Monetary or intangible value of asset
- Can be based on cost to develop or replace, market value, etc.
 
- Threats
- Undesirable occurrences that can damage assets
 
- Threat Agents
- Sources of threats
 
- Exposure
- Possibility of threat realization
- Exposure is equivalent to risk
 
- Risk
- Possibility of threat realization
- risk = threat * vulnerability
 
- Safeguards / Countermeasure
- Things or acts that reduce a threat or vulnerability
- Safeguard
- Pro-active controls
 
- Countermeasure
- Reactive controls
 
 
- Attack
- Exploitation of vulnerability by threat agent
- Intentional attempt to exploit
 
- Breach
- Occurrence of security mechanism bypass
 
- Penetration
- State where threat agent has access to organization's infrastructure
 
- Total Risk
- Risk that organization faces without safeguards
- Total Risk = Threat * Vulnerabilities
 
- Residual Risk
- Risk that remains after countermeasures are implemented
- Risk that management has chosen to accept
- Residual Risk = Total Risk - Control Gap
- Control Gap: Amount of risk reduced by controls
 
 
- Risk Elements
- Threat exploits...
- Vulnerability, resulting in...
- Exposure, which is...
- Risk, which is mitigated by...
- Safeguards which protect...
- Assets which are endangered by...
 
- Identifying Threats
- Listing down all threat agents and events
- Should involve various departments
- Employment of external consultants
 
- Countermeasure Selection and Implementation
- Categories
- Technical
- Hardware or software mechanisms
- Firewalls, IDSs, etc.
 
- Administrative
- Policies and procedures
- Management controls
 
- Physical
- Physically tangible
- Guards, fences, CCTV, etc.
 
 
- Types
- Deterrent
- Discourages violation of security policy
- Fences, trainings, guards, etc.
 
- Preventive
- Stops violations of security policies
- Firewalls, IPS, mantraps, etc.
 
- Detective
- Discovers violations of security policies
- CCTV, audit trails, motion detectors, etc.
 
- Compensating
- Added in addition to other security controls
- Encryption of PII at rest and in transit
 
- Corrective
- Return system to secure state after violation of policy
- Terminating malicious activity, patching software, etc.
 
- Recovery
- Extension of corrective controls, but more advanced
- Backups, fault tolerance, shadowing, clustering, etc.
 
- Directive
- Directs the actions of subjects
- Notifications, escape route signs, procedures, etc.
 
 
- Asset Valuation
- Assigning dollar value to assets
- Factors
- Acquisition/Development Cost
- Management Cost
- Maintenance Cost
- Cost to Protect
- Value to Owners and Users
- Value to Competitors
- Intellectual Property
- Market Value
- Replacement Cost
- Productivity Enhancement
- Operational Cost
- Liability of Asset Loss
- Usefulness
 
 
- Risk Management Framework (NIST 800-37)
- Categorize
- Categorize information system elements
- Based on impact analysis
 
- Select
- Select initial security controls
 
- Implement
- Implement selected security controls
 
- Assess
- Check if controls are appropriate
- Check if controls are implemented correctly
 
- Authorize
- Authorize operation of information system
- Acceptance of risks
 
- Monitor
- Monitor effectiveness of controls
 
 
- Humans are the weakest element in security
- Awareness
- Make users recognize security
- Prerequisite to training
- Posters, memos, courses, etc.
 
- Training
- Teaching how to perform work tasks
- Sometimes required before access to network is allowed
- Provided in-house
 
- Education
- Students learn more than what they need to know
- For people pursuing certification or promotion
- For personnel seeking security positions
 
- Project Scope and Planning
- Business Organization Analysis
- Who are the stakeholders to BCP planning?
- Senior management
- Operational departments
- Critical support services
 
 
- BCP Team Selection
- Departmental representatives
- Legal representatives
- IT and Security representatives
- Senior management
 
- Approval of Senior Management
- Explain benefits of BCP
- Cost of disaster
- Regulatory requirements
- Legal consequences
- Loss of customer trust
 
 
- Resource Requirements
- BCP Development
- Manpower
 
- BCP Testing, Training, and Maintenance
- Manpower and some material costs
 
- BCP Implementation
- Manpower and large material costs
 
 
- Business Impact Assessment
- Determine Recovery Goals
- Approaches
- Quantitative
- Qualitative
 
- Steps
- Identify Priorities
- Critical Processes
- Maximum Tolerable Downtime
- Recovery Time Objective
 
 
- Risk Analysis
- Risk Identification
- Likelihood Assessment
- Impact Assessment
 
- Resource Prioritization
 
 
- Continuity Planning
- Minimize impact of risks
- Steps
- Strategy Development
- Know risks which require mitigation
- Know resources to be allocated
 
- Provisions and Processes
- Risk mitigation mechanisms
- Categories
- People
- Most valuable asset
- Takes priority over everything else
- Must be provided equipment
- Food and shelter if must stay for extended time
 
- Facilities
- Hardening
- Alternate Site
 
- Infrastructure
- Hardening
- Alternate Systems
 
 
 
- Plan Approval
- Senior management must approve
- Approval gives BCP authority and weight
 
- Plan Implementation
- Schedule implementation
- Utilize resources to achieve goals
 
- Training and Education
- Education about the plan
- BCP Team
- BCP Task Training
 
- BCP Backup
- BCP Task Training
 
- Everyone Else
- Plan Overview
 
 
- BCP Documentation
- Goals
- Provide reference if BCP members are absent
- Track BCP history
- Allows review of BCP plan
 
- Contains
- Continuity Planning Goals
- Continue business in an emergency
- MTD and RTO goals
 
- Statement of Importance
- Says why BCP plan is important
- Signed by senior management
 
- Statement of Priorities
- List of critical activities
- Arranged from most critical to least critical
 
- Statement of Organizational Responsibility
- "Business continuity is everyone's responsibility"
- Expectation from employees to help in continuity
 
- Statement of Urgency and Timing
- Expresses criticality of BCP
- Timetable of implementation
 
- Risk Assessment
- Documented results of risk assessment
- AV, EF, ARO, SLE, ALE
 
- Risk Actions (Acceptance/Mitigation)
- Reason for risk acceptance
- Provisions for mitigated risks
 
 
- Vital Records Program
- Vital Records
- Critical business records
- Records that need to be present when rebuilding the business
- Identify, find, and secure vital records
 
 
- Emergency Response Guidelines
- Immediate response procedures
- Individuals that should be notified
- Secondary response procedures until BCP team arrives
 
 
- Maintenance
- Revise and improve the plan
- Do not disband BCP team
- Keep track of changes
- Add to job descriptions
 
- Testing and Exercises
- Perform exercises to test BCP process
 
 
 
- Categories
- Criminal Law
- To keep peace and order
- Punishes acts against society
- Prosecuted by federal and state governments
 
- Civil Law
- To settle matters between entities
- Enforcement of contracts
- Not prosecuted unless a party sues another
 
- Administrative Law
- Regulation of government agencies
- Granted to executive branch
- Must comply with civil and criminal law
 
- Religious Law
 
- Laws
- Comprehensive Crime Control Act 1984 (CCCA)
- Coverage
- Federal computers
- Offending interstate computers
 
- Provisions
- Unauthorized access to systems or information
- Fraud using federal systems
- Damaging federal systems exceeding $1000
- Modify medical records impairing medical care of individual
- Trafficking passwords affecting interstate commerce
 
 
- Computer Fraud and Abuse Act 1986 (CFAA)
- Amends CCCA 1984
- Coverage
- CCCA 1984
- Federal interest computers
- Government computers
- Financial institution computers
 
 
- Provisions
- Same as CCCA 1984
 
 
- Computer Fraud and Abuse Act 1994 (CFAA)
- Amends CFAA 1986
- Coverage
- CFAA 1986
- Interstate commerce computers
 
- Provisions
- Same as CFAA 1986
- Creation of malware
- Imprisonment of offenders
- Authority for victims to sue
 
 
- Computer Security Act of 1987 (CSA)
- Federal system security baselines
- Provisions
- Gives NIST authority to develop standards
- For non-classified federal systems
- NIST still gets advice from NSA
- NSA retains authority for classified systems
 
- Enacts said standards and guidelines
- Security plans must be established
- Mandatory periodic training
 
 
- Federal Sentencing Guidelines 1991 (FSG)
- Punishment guidelines for computer crime
- Provisions
- Requires due care from executives
- Due diligence reduces punishment
- Burdens of proof for negligence
- Accused must have legal obligation
- Accused failed to comply with standards
- Causal relationship between negligence and damages
 
 
 
- National Information Infrastructure Protection Act of 1996 (NIIPA)
- Extends CFAA 1994 to include infrastructure systems
- Coverage
- CFAA 1994
- National infrastructure computing systems
 
 
- Paperwork Reduction Act of 1995 (PRA)
- Request for information from public requires OMB approval
- OMB: Office of Management and Budget
- Includes
- Forms
- Interviews
- Record-keeping requirements
 
 
 
- Government Information Security Reform Act of 2000 (GISRA)
- Amends PRA 1995
- Required government agencies to implement an infosec program
- Created "mission-critical system" category
- A national security system
- Protected by classified information procedures
- Breach would result in debilitating impact on an agency
 
- Agency leaders responsible for information system security
 
- Federal Information Security Management Act 2002 (FISMA)
- Replaces GISRA
- Required government agencies to implement an infosec program
- Include activities of contractors in security management programs
- NIST is responsible for FISMA guidelines
- Requirements
- Periodic risk assessment
- Policies and procedures based on risk assessment
- Security Awareness Trainings
- Testing of Policies and Procedures
- Remediation plans
- Incident response plan
- Continuity of operations plan
 
 
- Digital Millennium Copyright Act (DMCA)
- Prohibits attempts to circumvent copyright protection mechanisms
- Limits liability of ISPs for transitory activities
- Transmission initiated by person other than provider
- Transmission must be automated without selection of material by ISP
- ISP does not determine recipient
- Intermediate copies not accessible to anyone and not retained
- Material transmitted without modification to content
 
- Service providers must respond promptly to remove copyrighted materials
- Allows making backup copies of software
- Must be deleted when no longer needed
 
- Applies copyright law to content published on internet
 
- Economic Espionage Act of 1996
- Protects U.S. trade secrets
- Stealing trade secrets to benefit foreign agent
- $500,000 fine
- 15 years in prison
 
- Stealing trade secrets in general
- $250,000 fine
- 10 years in prison
 
 
- Uniform Computer Information Transactions Act (UCITA)
- Regulates computer business transactions
- Addresses software licensing
- Backs validity of shrink-wrap and click-wrap licensing
- Allows users to reject agreements and get refunds
 
- Fourth Amendment
- Prevents unreasonable searches and seizures of houses
- Requires probable cause before search is conducted
 
- Privacy Act of 1974 (PA)
- Agencies must have consent of person before disclosing their info to others
- Agencies must only maintain necessary records
- Agencies must destroy records no longer needed
 
- Electronic Communication Privacy Act 1986 (ECPA)
- Protects electronic privacy of individuals
- Prohibits interception of electronic communications
- Prohibits unauthorized disclosure of communications
 
- Communications Assistance for Law Enforcement Act 1994 (CALEA)
- Requires all carriers to make wiretaps possible for law enforcement
- Requires a court order
 
- Economic Protection of Proprietary Information Act of 1996 (EPPIA)
- Extends definition of property to include proprietary economic information
- Theft no longer restricted by physical constraints
 
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- Governs health insurance and health maintenance organizations
- Privacy and security regulations for organizations storing patient information
- Defines the rights of individuals who are the subject of medical records
 
- Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH)
- Updates HIPAA's privacy and security requirements
- Business associates of organizations under the scope of HIPAA must comply with it as well
- Requires business associate agreement
- Added data breach notification requirement
 
- SB 1386
- California law requiring disclosure of breach to affected individuals
- Breach includes disclosure of unencrypted copies of:
- SSN
- Driver's License Number
- State Identification Card Number
- Credit or Debit Card Number
- Bank Account Number + Security Code
- Medical Records
- Health Insurance Information
 
 
- Children's Online Privacy Protection Act of 1998 (COPPA)
- Applies to websites that cater to children
- Requires privacy notice
- States type of collected information
- Which information is disclosed to 3rd parties
 
- Parents must be able to review and delete children's information
- Parental consent required for info collection on children younger than 13
 
- Gramm-Leach-Bliley Act of 1999 (GLBA)
- Relaxed restrictions on information sharing between financial organizations
- Still provides limitations on what sort of information could be exchanged
- Institutions required to provide privacy notice to all customers
 
- USA PATRIOT Act of 2001
- Expanded power of law enforcement to monitor electronic communications
- Police can now obtain blanket wiretapping warrants
- ISPs can voluntarily provide government with detailed information
- Government can obtain detailed information on user activity with a subpoena
- Amends CFAA and adds more severe penalties
 
- Family Educational Rights and Privacy Act (FERPA)
- For educational institutions receiving funding from government
- Parents and students given right to inspect educational records
- Parents and students given right to request correction of records
- Schools may not release personal information from student records without written consent
 
- Identity Theft and Assumption Deterrence Act of 1998
- Before: defrauded creditors were the only victims of identity theft
- Now: the person with stolen identity is also the victim
- Provides severe penalties of 15 years and $250,000
 
- European Union Privacy Law of 1995
- Requires that personal data processing meet one of the following criteria
- Consent
- Contract
- Legal obligation
- Vital interest of the data subject
- Balance between interest of data holder and subject
 
- Outlines rights of data subjects
- Right to access data
- Right to know data source
- Right to correct inaccurate data
- Right to not consent to data processing
- Right of legal action if rights are violated
 
- Organizations that want to operate in the EU must comply with these
- Department of Commerce certifies "safe harbor" businesses
- Requirements for "safe harbor"
- Notice
- Subjects must know which info is collected from them
 
- Choice
- Opt-out policy required for data shared with 3rd parties
- Opt-in policy required for sensitive information
 
- Onward Transfer
- Data can only be shared with other safe harbor organizations
 
- Access
- Data subjects must be able to access the data stored about them
 
- Security
- Data must be secure from loss, misuse, and disclosure
 
- Data Integrity
- Reliability of data must be maintained
 
- Enforcement
- Dispute process must be available to subjects
 
 
- Sarbanes-Oxley Act Of 2002
- Protect investors from fraudulent accounting activities by corporations
 
 
- Comprehensive Crime Control Act 1984 (CCCA)
- Intellectual Property
- Copyright
- Original works of authorship
- For art and software
- Protects expression rather than idea
- Automatically granted to creator
- Can be work for hire as well
- Protected until 70 years after death of last author
- Protected until 95 years of publication for anonymous works
- Indicated by (c) symbol
 
- Trademark
- Brand name, logos, slogans, etc.
- Avoids confusion in marketplace
- Does not have to be registered
- Indicated by TM symbol if not registered
- Can also be registered
- Indicated by (R) symbol if registered
- Renewed for unlimited successive 10-year periods
- Requirements
- Must not be similar to another trademark
- Must not describe the product
 
 
- Patent
- For inventions, hardware, and manufacturing processes
- Not all software can be patented
- Protects expressions rather than idea
- Requirements
- Inventions must be new and original
- Must be useful and must actually work
- Must not be obvious (e.g. collecting rainwater with a cup)
 
 
- Trade Secret
- Business-critical intellectual property
- Not disclosed to competitors or anyone
- Applying for copyright or patent would require disclosure
- Anyone who has access to it needs a Non-Disclosure Agreement
 
 
- Licensing
- Contractual License
- Written contract
- Signing = acceptance
- Active consent
 
- Shrink-wrap License
- Written on software packaging
- Breaking package = acceptance
- No active consent
 
- Click-through License
- Written on software box or documentation
- Clicking "I Agree" = acceptance
- Active consent
 
- Cloud Service License
- Agreement flashed on the screen
- Clicking "I Agree" = acceptance
- Active consent
 
 
- Import/Export
- Computer Export Controls
- No high-performance computing exports to countries:
- Posing a threat to nuclear proliferation
- Sponsoring terrorism
- Includes
- India
- Pakistan
- Afghanistan
- Cuba
- North Korea
- Sudan
- Syria
 
 
 
- Encryption Export Controls
- Export used to be banned
- Export now possible
- Requires Commerce Department review
 
 
- Privacy
- Right to privacy not in constitution
- Still upheld by numerous courts
- U.S. Privacy Laws
- Fourth Amendment
- Privacy Act of 1974
- Electronic Communication Privacy Act 1986
- Communications Assistance for Law Enforcement Act 1994
- Economic Protection of Proprietary Information Act of 1996
- Health Insurance Portability and Accountability Act 1996
- Health Information Technology for Economic and Clinical Health Act of 2009
- Children's Online Privacy Protection Act of 1998
- Gramm-Leach-Bliley Act of 1999
- USA PATRIOT Act of 2001
- Family Educational Rights and Privacy Act
- Identity Theft and Assumption Deterrence Act of 1998
 
- Privacy in Workplace
- There is no reasonable expectation of privacy when using employer equipment
- Make sure there is no implied expectation of privacy in the office:
- State it in the employment contracts
- State it in corporate acceptable use and privacy policies
- State it in logon banners
- State it on warning labels in telephones and computers
 
 
 
- Data Breach Notification
- Health Information Technology for Economic and Clinical Health Act of 2009
- SB 1386
 
- Compliance
- Payment Card Industry Data Security Standard (PCI DSS)
- For entities that accept, store, and process credit cards
- Requirements
- Install firewall
- Do not use default passwords
- Protect cardholder data
- Encrypt transmission of cardholder data
- Protect systems against malware by updating antivirus programs
- Develop secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Authenticate access to system
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
 
- Might also require external auditors to report to regulators
 
 
- Contracting and Procurement
- Make sure to review vendor security policies
- Questions to ask
- Information stored, processed, and transmitted?
- Information protection controls?
- How information is segregated from other clients?
- Encryption algorithms and key management?
- Types of security audits performed?
- Third parties used by the vendor?
- Location of data storage, processing, and transmission?
- Incident response process?
- How is integrity ensured?
 
 
- Sensitive Data
- Personally Identifiable Information
- Can be used to distinguish an individual's identity
- Information linkable to an individual
 
- Personal Health Information
- Processed by health organizations, schools, employers
- Relates to past, present, or future health condition of individual
- Relates to past, present, or future payment for healthcare
 
- Proprietary Data
- Helps maintain competitive edge of organization
 
 
- Sensitive Data Management
- Marking
- Applying classification labels
- Digital Labels
- Headers and Footers
- Watermarks
- Metadata
- Background Colors
 
- Physical Labels
- Hardware Color
- Text Label
 
 
- Label unclassified assets as well
- Prevents omission
 
- Identify downgrade procedures
- Purging, etc.
- Usually prohibited
- Destruction and repurchasing is safer
 
 
- Handling
- Secure use and transport of data based on classification
- Backup should be as protected as production data
- Log, monitor, and audit to ensure compliance and accountability
 
- Storage
- Apply appropriate controls based on classification
- Encryption
- AES256
 
- Physical Security
- Safes
- Secure Rooms
- Cabinets
- HVAC
 
 
- Data is more valuable than the media
- Buy high quality media
- Buy media with built-in security
 
 
- Destruction
- Data disposal requirements based on classification
- Prevents unauthorized disclosure
- Data Remanence
- Magnetic Media
- Residual magnetic footprint of data on hard drive
- Can be recovered even if data was overwritten
- Use a degausser to remove it
 
- Solid State Drives
- No reliable way to destroy data
- Has built-in erase commands, but they are ineffective
- Physical destruction is best solution
 
 
- Terms
- Erasing
- Normal delete operation
- Frees file space but doesn't remove data
- Data might be overwritten eventually
 
- Clearing
- Overwriting, essentially
- Write a single character, its complement, and then random data
 
- Bad and spare sectors are not overwritten
- Might still be recoverable
 
- Purging
- Prepares media for less secure environments
- Involves both clearing and degaussing
 
- Declassification
- Involves purging and changing media classification
- Not recommended; destruction is better
- Organization risks an undiscovered recovery technique
 
- Sanitization
- Umbrella term referring to removal of sensitive data from media
- Can involve purging, or destruction, etc.
 
- Degaussing
- Using strong magnets to erase data on media
- Destroys media electronics sometimes
- Does not affect CDs, DVDs, or SSDs
 
- Destruction
- Physical destruction, basically
- Crushing, shredding, incineration, chemicals, etc.
- Most secure data destruction method
 
 
 
- Retention
- Data retention requirements based on classification
- Can reduce liabilities
- Record Retention
- Retaining important information as needed
- Timeframe identified by regulation or organization policy
 
- Media/Hardware Retention
- Retaining hardware until it has to be replaced
 
- Personnel Retention
- Retaining personnel knowledge
- Ensuring personnel don't violate NDA
 
 
 
- Data Classifications
- Allows appropriate controls to be implemented for assets
- Government
- Focuses on value to national security
- Classified
- Top Secret (Class 3)
- Disclosure = exceptionally grave damage
 
- Secret (Class 2)
- Disclosure = serious damage
 
- Confidential (Class 1)
- Disclosure = damage
 
 
- Unclassified
- Sensitive
- Unclassified (Class 0)
- Disclosure = no damage
- Available via FOI request
 
 
 
- Private
- Focuses on value to organization
- Proprietary (Class 3)
- Disclosure = exceptionally grave damage
- Keeps the organization competitive
- Business depends on secrecy of this data
- E.g. unreleased Sony movies, trade secrets, etc.
 
- Private (Class 2)
- Disclosure = serious damage
- Personal information of staff, customers, and contractors
- E.g. salary information
 
- Sensitive (Class 1)
- Disclosure = damage
- Sensitive information that is not proprietary or private
- E.g. company records, emails, etc.
 
- Public (Class 0)
- Disclosure = no damage
- Meant for public consumption
- Only integrity and availability are protected
- E.g. brochures, websites, etc.
 
 
 
- Data States
- Data at Rest
- Stored on media
- E.g. data stored in hard drive
- Controls
- Symmetric Encryption
- AES
- Triple DES
- Blowfish (basis for bcrypt)
 
 
 
- Data in Motion
- Moving across a network
- E.g. data moving across wired or wireless connection
- Controls
- Transport Encryption
- HTTPS
- Encrypts HTTP Data
 
- TLS/SSL
- SSL - Vulnerable to POODLE (do not use)
- Encrypts data between sockets
 
- IPSec
- Encrypts data between two networks
- Allows VPN solutions
- Modes
- Authentication Header
- Provides Integrity
 
- Encapsulating Security Payload
- Provides Confidentiality
 
 
 
- SSH/SCP/SFTP
- Encrypted terminal sessions with file transfers
 
 
 
- Data In Use
- Data in temporary storage buffer while being used
- E.g. data in RAM, registers, etc.
- Controls
- Purging after use
 
 
 
- Data Roles
- Data Owner
- Ultimately responsible for the data
- Liable for negligence
- Identifies data classification
- Roles
- Determine acceptable use policy
- Determine security controls policy
- Determine access and privilege policy
 
- e.g. President, CEO, etc.
 
- System Owner
- Owns the system that processes data
- Roles
- Craft system security plan w/ data owner
- Manage system security plan
- Train users and personnel on acceptable use policy
- Implement system security plan
 
- e.g. IT department
 
- Business/Mission Owner
- Owns a business process that leverages systems
- Leverages systems to provide value to organization
- Goals may sometimes conflict with system owners
- e.g. Sales department
 
- Data Processor
- Processes data for a data controller (business/mission owner?)
- Must not use data for anything else aside from intended purpose
- e.g. 3rd party payroll processor
 
- Administrator
- Grants access to personnel
- Follows principle of least privilege
- Uses role-based access control model
- Adds and removes users from roles
 
- Data Custodian
- Implements data security controls
- Implements safe backup and storage of data based on policy
- e.g. IT department
 
- User
- Accesses data to accomplish work tasks
- e.g. employees, end users
 
 
- Protecting Privacy
- Security Baselines
- List of security controls
- Image of a secure system
 
- Scoping and Tailoring
- Revising a standard/baseline to meet your requirements
- e.g. removing WAF when you have no web application
- e.g. not complying with safe harbor if you don't do business in EU
 
- Selecting Standards
- Determine which regulations apply to your service
- e.g. PCI DSS, HIPAA, Safe Harbor
 
 
- History
- Caesar Cipher
- Used by Julius Caesar
- ROT 3
- Defeated by frequency analysis
 
- Enigma
- Used by Germans
- Defeated by project Ultra
 
- Purple Machine
- Used by Japanese
 
 
- Goals
- Confidentiality
- Data at Rest
- Data in Motion
 
- Integrity
- Authentication
- Non-repudiation
 
- Concepts
- Kerckhoffs's Principle
- Cryptosystem must be secure even if mechanism disclosed
- Key is the only thing that needs to be a secret
- Security by design instead of obscurity
 
- Cryptography
- Methods to keep information secret
 
- Cryptanalysis
- Art of defeating cryptography
 
- Cryptology
- Cryptography + Cryptanalysis
 
- Codes
- Representation of words or messages
- e.g. 10-4 = "Acknowledged"
- Not always meant to provide confidentiality
 
- Ciphers
- Hides true meaning of messages
- Always meant to provide confidentiality
 
- Confusion
- Disassociation of relationship between plain text and key
 
- Diffusion
- Slight change in plain text changes the whole cipher text
 
- Frequency Analysis
- Examination of recurring data
- E.g. some letters of the alphabet occur more than the others
 
- Period Analysis
- Frequency examination based on repeated use of key
 
- Block Ciphers
- Encryption occurs per chunk
 
- Stream Ciphers
- Encryption occurs per bit or byte
 
 
- Mathematics
- Boolean Mathematics
- AND
- OR
- NOT
- XOR
 
- One-way Functions
- Producing output is easy
- Deriving input is hard
- E.g. factoring very large numbers
 
- Nonce
- Initialization Vector
- Adds randomness to encryption process
 
- Zero Knowledge Proof
- Proving knowledge of fact without revealing fact itself
- E.g. providing password hash instead of password
- E.g. answering an authentication challenge
 
- Split Knowledge
- Key Escrow
- Parts of key sent to different escrow providers
 
- M of N Control
- M of N individuals must be present to perform high security task
 
 
- Key Escrow
- Work Function
- Amount of work to brute force an encryption system
- Key length is primary factor in determining work function
 
 
- Ciphers
- Transposition Ciphers
- Rearrangement of data/characters
- Example: Columnar Transposition
- Message is split into len(key) blocks/rows
- Each letter of the key is associated with a column
- Columns are arranged based on the value of the key letter associated with them
- Columns are converted into strings and concatenated
 
 
- Substitution Ciphers
- Replacement of data/characters (ROT3)
- Example: Vigenère Cipher
- Have a matrix of the alphabet where the letters of each row are incremented by 1
- Have columns and rows in total
- C_i = Matrix[K_i][P_i]
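The columnar transposition and Vigenère procedures described above, as an added example that is not part of the original notes. It assumes uppercase A-Z text with no spaces; the function names and the sample keys and messages are chosen here for illustration.

```python
import string

ALPHABET = string.ascii_uppercase


def column_order(key):
    """Column indices sorted by their key letter (ties broken left to right)."""
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(message, key):
    """Write the message in rows of len(key) letters, then read columns in key order."""
    width = len(key)
    # message[col::width] is exactly the letters that fall under column `col`.
    return "".join(message[col::width] for col in column_order(key))


def columnar_decrypt(ciphertext, key):
    """Cut the ciphertext back into columns, allowing for a short last row."""
    width = len(key)
    full_rows, extra = divmod(len(ciphertext), width)
    columns, pos = [""] * width, 0
    for col in column_order(key):
        # The first `extra` columns hold one more letter than the rest.
        length = full_rows + (1 if col < extra else 0)
        columns[col] = ciphertext[pos:pos + length]
        pos += length
    return "".join(columns[i % width][i // width] for i in range(len(ciphertext)))


# Vigenere matrix: row r is the alphabet shifted by r positions.
MATRIX = [ALPHABET[r:] + ALPHABET[:r] for r in range(26)]


def vigenere_encrypt(plaintext, key):
    """C_i = Matrix[K_i][P_i], with the key repeated along the message."""
    out = []
    for i, p in enumerate(plaintext):
        k = key[i % len(key)]
        out.append(MATRIX[ALPHABET.index(k)][ALPHABET.index(p)])
    return "".join(out)


def vigenere_decrypt(ciphertext, key):
    """Find C_i in row K_i; its column index is the plaintext letter."""
    out = []
    for i, c in enumerate(ciphertext):
        row = MATRIX[ALPHABET.index(key[i % len(key)])]
        out.append(ALPHABET[row.index(c)])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(columnar_encrypt("WEAREDISCOVEREDFLEEATONCE", "ZEBRAS"))
    print(vigenere_encrypt("ATTACKATDAWN", "LEMON"))
```

Both ciphers preserve enough structure (letter frequencies for transposition, key-period repetition for Vigenère) that they fall to the frequency and period analysis listed under Concepts.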
 
 
- One-Time Pads
- Key as large as message itself
- Each message letter is padded by each key letter
- Unbreakable encryption scheme
- Requirements
- Key must be random
- Protection of key from disclosure
- Keys must only be used once
- Key must be as long as message
 
 
- Running Key Ciphers
- AKA book cipher
- One-time pad, except you get the key from a book
- E.g. using a specific chapter and paragraph of Moby Dick
 
 
- Symmetric Key Algorithms
- Single shared key is used to encrypt and decrypt
- AKA private key cryptography
- Provides
- Confidentiality
 
- Advantages
- Very fast
- 1000 times faster than asymmetric cryptography
 
 
- Disadvantages
- Key distribution is hard
- A secure channel must be established first before key is communicated
 
- No non-repudiation mechanism
- No way to prove an encrypted message came from someone since many people know the key
 
- Not scalable
- Each two-party communication in a large group requires a unique key
 
- Frequent key regeneration
- When someone leaves the group, key needs to be regenerated
 
 
 
- Asymmetric Key Algorithms
- Private and public key each decrypt messages encrypted with the other
- AKA public key algorithms
- Private key must be kept private by a user
- Public key must be known by everyone
- Provides
- Confidentiality
- Integrity
- Authentication
- Non-repudiation
 
- Advantages
- Key distribution is simple
- No secure channel required to start communication
 
- Supports Non-repudiation mechanism
- Since only the person knows their private key
- Allows digital signatures to be generated
- Hash of a message encrypted with a private key
- Verification involves decryption using public key and cross-checking hashes
 
 
- Scalable
- No new key needs to be generated for each pair of communicating parties
- New users only require generation of one key pair
 
- Infrequent key regeneration
- Required only if private key is compromised
- Key can easily be invalidated when user leaves system
 
 
- Disadvantages
- Very slow
- 1000 times slower than symmetric cryptography
 
 
 
- Hashing
- Production of message digest
- One-way function
- Summary of message's content
 
- Key Management
- Creation and Distribution
- Offline Distribution
- Sheet of paper or storage media is physically transported
- Interception might occur via mail
- Telephones can be wiretapped
- Papers might get thrown in the trash
 
- Public Key Cryptography
- Requires public key infrastructure
 
- Diffie-Hellman
- No public key infrastructure is required
- Steps
- Parties agree on two large prime numbers
- p and g
- 1 < g < p
 
- Each party chooses a random integer and performs
- g^i mod p
 
- Results are sent to each other
- Each party multiplies their original random integer with received number
- They end up with same value
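The Diffie-Hellman exchange with both sides shown, as an added example that is not part of the original notes. Each side combines the value it received with its own secret by modular exponentiation, which is how both arrive at the same number. The parameters (the Mersenne prime 2^127 - 1 and g = 3) and all function names are constructed for the demo and are far too small for real use.

```python
import hashlib
import secrets

# Constructed demo group: p is the Mersenne prime 2**127 - 1, g = 3.
# Real deployments use vetted groups of 2048 bits or more.
P = 2**127 - 1
G = 3


def keypair(p=P, g=G):
    """Pick a random private integer i and compute the public value g^i mod p."""
    private = secrets.randbelow(p - 3) + 2          # 2 <= private <= p - 2
    return private, pow(g, private, p)


def validate_public(value, p=P):
    """Reject degenerate peer values that would force a predictable secret."""
    if not 1 < value < p - 1:
        raise ValueError("peer public value out of range")
    return value


def shared_secret(own_private, peer_public, p=P):
    """Raise the received value to our own private exponent, mod p."""
    return pow(validate_public(peer_public, p), own_private, p)


def derive_key(secret, p=P):
    """Hash the shared integer into a fixed-length symmetric key."""
    raw = secret.to_bytes((p.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()


if __name__ == "__main__":
    alice_private, alice_public = keypair()
    bob_private, bob_public = keypair()
    # Only the public values cross the wire.
    alice_key = derive_key(shared_secret(alice_private, bob_public))
    bob_key = derive_key(shared_secret(bob_private, alice_public))
    print("keys match:", alice_key == bob_key)
```

The exchange itself authenticates nobody: without signed or otherwise verified public values, the man-in-the-middle scenario listed later in these notes applies.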
 
 
 
- Storage and Destruction of Symmetric Keys
- Don't store key and data in same system
- Provide two different individuals half the key (split knowledge)
- Key must be regenerated when someone who knows the key leaves the organization
 
- Key Escrow and Recovery
- Allows government to get copy of key upon court order
- Fair Cryptosystems
- Key is divided and sent to multiple third parties
- Court provides evidence of court order to third parties in order to retrieve key
 
- Escrowed Encryption Standard
- Provides government with technological means to decrypt ciphertext
- Uses skipjack algorithm
 
 
 
- Cryptographic Life Cycle
- Computers get faster all the time
- Encryption algorithms will eventually become obsolete
- Appropriate algorithm must be used depending on how long data needs to be retained
- Algorithm Governance Controls
- Specifying acceptable cryptographic algorithms
- Identifying acceptable key lengths
- Enumerating transport protocols that may be used
 
 
- Algorithms
- Data Encryption Standard (DES)
- Old standard required for government communications
- Insecure and deprecated; replaced by AES
- Key size: 56 bits (technically 64, but 8 bits are used for parity)
- Modes
- ECB (Electronic Code Book)
- Each block is encrypted separately
- Generates the same ciphertext for the same plaintext
- Vulnerable to cryptanalysis
 
- CBC (Cipher Block Chaining)
- Plaintext block is XORed with previous ciphertext
- Difference from CFB: Splits messages into blocks before encrypting
- Requires an Initialization Vector
- Destroys patterns
- Allows errors to propagate
 
- CFB (Cipher Feedback Mode)
- Streaming version of CBC
- Difference from CBC: Encrypts once a buffer is filled
- Requires an Initialization Vector
- Destroys patterns
- Allows errors to propagate
 
- OFB (Output Feedback Mode)
- Plaintext is XORed with DES-encrypted seed value
- Seed value is re-encrypted for every block
- Requires an Initialization Vector
- Destroys patterns
- Errors do not propagate
 
- CTR (Counter Mode)
- Like OFB but incrementing counter is used rather than DES of previous seed value
- Requires an Initialization Vector
- Destroys patterns
- Errors do not propagate
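The mode properties listed above (ECB repeating ciphertext, CBC and CTR destroying patterns, CBC propagating errors while CTR does not), as an added example that is not part of the original notes. Python's standard library has no DES, so a toy 64-bit Feistel cipher built here stands in for it; the cipher, key, IV, nonce and function names are all constructed for the demo, and plaintext is assumed to be a multiple of 8 bytes.

```python
import hashlib

BLOCK = 8  # bytes; 64 bits, the DES block size


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, half):
    # Round function of the toy Feistel cipher (a stand-in, not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # Every block is encrypted on its own: equal input, equal output.
    return b"".join(encrypt_block(key, b) for b in split(plaintext))


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for block in split(plaintext):
        prev = encrypt_block(key, _xor(block, prev))  # chain on previous ciphertext
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for block in split(ciphertext):
        out.append(_xor(decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    # Encrypts nonce||counter to get a keystream; the same call decrypts.
    out = []
    for n, block in enumerate(split(data)):
        keystream = encrypt_block(key, nonce + n.to_bytes(4, "big"))
        out.append(_xor(block, keystream))
    return b"".join(out)


def flip_bit(data, byte_index):
    """Simulate a one-bit transmission error."""
    out = bytearray(data)
    out[byte_index] ^= 0x01
    return bytes(out)


def damaged_blocks(expected, actual):
    """Indexes of plaintext blocks that no longer match after decryption."""
    return [i for i, (a, b) in enumerate(zip(split(expected), split(actual))) if a != b]


if __name__ == "__main__":
    key, iv, nonce = b"constructed-key", bytes(range(8)), b"\x00\x01\x02\x03"
    plaintext = b"ATTACK!!" * 4  # four identical blocks (constructed)
    cbc = cbc_encrypt(key, iv, plaintext)
    ctr = ctr_crypt(key, nonce, plaintext)
    print("distinct ECB blocks:", len(set(split(ecb_encrypt(key, plaintext)))))
    print("distinct CBC blocks:", len(set(split(cbc))))
    print("CBC damage:", damaged_blocks(plaintext, cbc_decrypt(key, iv, flip_bit(cbc, 8))))
    print("CTR damage:", damaged_blocks(plaintext, ctr_crypt(key, nonce, flip_bit(ctr, 8))))
```

None of these modes detects tampering by itself; the flipped bit decrypts without any error being raised, which is why integrity needs a separate mechanism such as the HMAC covered later.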
 
 
 
- Triple DES (3DES)
- Three passes of DES algorithm
- Produces a more secure encryption
- Uses 3 or 2 keys depending on the mode
- Variants
- EEE3 (three keys)
- E(K1,E(K2,E(K3,P)))
- Total key length: 168
 
- EDE3
- E(K1,D(K2,E(K3,P)))
- Total key length: 168
 
- EEE2
- E(K1,E(K2,E(K1,P)))
- Total key length: 112
 
- EDE2
- E(K1,D(K2,E(K1,P)))
- Total key length: 112
 
 
 
- International Data Encryption Algorithm (IDEA)
- Patented by Swiss developers
- Used in PGP
- Block size: 64
- Key size: 128 (divided into 52 16-bit keys)
- Has same modes as DES
 
- Blowfish
- Basis of bcrypt
- Used in SSH
- No license required
- Faster than DES and IDEA
- Block size: 64
- Key size: 32-448
 
- Skipjack
- Escrowed Encryption Standard (EES)
- Supports escrow of encryption keys
- Not adopted by the public
- Block size: 64
- Key size: 80
 
- Rivest Cipher 5 (RC5)
- By Rivest, Shamir, and Adleman
- Block size: 32, 64, 128
- Key Sizes: 0-2048
 
- Two-Fish
- AES finalist
- Includes pre-whitening and post-whitening
- Prewhitening
- Before first round of encryption
- XORing plaintext with separate subkey
 
- Postwhitening
- After 16th round of encryption
- XORing plaintext with separate subkey
 
- Block size: 128
- Key size: 256
 
- Rijndael
- Block sizes: 128, 192, 256
- Key sizes: 128, 192, 256
- Chosen as AES
 
- Advanced Encryption Standard (AES)
- Meant to replace DES
- Rijndael with 128 block size
- Key sizes: 128, 192, 256
 
 
- Private and Public Keys
- Decrypts each other
- Private Key
- Kept private
- Used to generate digital signatures
- Used to decrypt confidential messages
 
- Public Key
- Published
- Used to verify digital signatures
- Used to encrypt confidential messages
 
 
- Algorithms
- Rivest Shamir Adleman (RSA)
- Key Length: 1024
- n = p * q
- Select random e where e < n and e and (p-1)(q-1) are relatively prime
- Find d such that (ed-1) mod (p-1)(q-1) = 1
- e and n are public keys
- d is private key
- Encryption: C = P^e mod n
- Decryption: P = C^d mod n
 
- Merkle-Hellman Knapsack
- Like RSA but relies on super-increasing sets
- Proven ineffective in 1984
 
- El Gamal
- Based on Diffie-Hellman
- Not patented
- Doubles length of data it encrypts
 
- Elliptic Curve
- Key Length: 160
- Uses elliptic curve mathematics
- Elliptic curve definition:
- y^2 = x^3 + ax + b
 
- Elliptic Curve Group
- Points that lie on the elliptic curve
- O = located at infinity
- Two points can be added: P + Q
- Can be multiplied: Q = xP (Q is multiple of P)
- It's extremely difficult to find x
 
- 160-bit key is just as strong as 1024 RSA key
 
 
- Key Management
- Use publicly-vetted encryption system
- Select appropriate length keys
- Ensure that private key is secret
- Retire keys after they're no longer useful
- Keep backups of your key
 
- Facts
- Converts messages into fixed length outputs
- Generated value is called a Message Digest
- Used to ensure message integrity
- Used as a component of Digital Signatures
 
- Requirements (According to RSA)
- Input can be any length
- Output has fixed length
- Easy to compute for any input
- Is one-way
- Collision-free
 
- Algorithms
- SHA
- Facts
- Stands for Secure Hash Algorithm
- Developed by NIST
- Part of Secure Hash Standard
 
- Algorithms
- SHA-1
- Block Size: 512
- Output Size: 160
 
- SHA-2
- SHA-256
- Block Size: 512
- Output Size: 256
 
- SHA-192
- Block Size: 512
- Output Size: 192
- Truncated SHA-256
 
- SHA-512
- Block Size: 1024
- Output Size: 512
 
- SHA-384
- Block Size: 1024
- Output Size: 384
- Truncated SHA-512
 
 
- SHA-3
- Keccak Algorithm
- Not yet published
 
 
- MD Series
- Facts
- Developed by Ronald Rivest
 
- Algorithms
- MD2
- Block Size: 16
- Output Size: 128
- Facts
- Proved to be reversible
 
 
- MD4
- Block Size: 512
- Output Size: 128
- Facts
- Uses 3 rounds
- Block data must be 64 bits less than 512
 
 
- MD5
- Block Size: 512
- Output Size: 128
- Facts
- Uses 4 rounds
- Block data must be 64 bits less than 512
- Subject to collisions
 
- HAVAL
- Hash of variable length
- MD5 variant
 
 
 
- Facts
- Ensures non-repudiation
- Message digest encrypted with a private key
- Verified using the public key
- Does not provide any privacy
 
- Achieves
- Non-repudiation
- Authentication
- Integrity
 
- Generation
- Message is hashed
- Hash is encrypted with sender private key
- Encrypted hash is attached to the message
- Message with signature is sent
 
- Verification
- Signature is decrypted with sender public key
- Message is hashed
- Decrypted hash is compared to hash of message
- If same, signature is valid
 
- Hashed Message Authentication Code (HMAC)
- Facts
- Just like Digital Signatures, but uses a symmetric algorithm
- Provides no non-repudiation
- Operates more efficiently
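The RSA key setup from the asymmetric algorithms section, the signature generation and verification steps, and the HMAC contrast above, as one added example that is not part of the original notes. Here d is computed as the modular inverse of e, so that e*d mod (p-1)(q-1) = 1. This is textbook RSA without padding on constructed small primes, for illustration only; real systems use a vetted library with padding and keys of 2048 bits or more. All function names are chosen here.

```python
import hashlib
import hmac
import math

# Constructed demo primes (both Mersenne primes); far too small for real use.
DEMO_P, DEMO_Q, DEMO_E = 2**61 - 1, 2**89 - 1, 65537


def rsa_keypair(p, q, e):
    """Return ((e, n), (d, n)) where d is the inverse of e mod (p-1)(q-1)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if math.gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, phi), n)


def rsa_encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("message must be smaller than n")
    return pow(m, e, n)          # C = P^e mod n


def rsa_decrypt(c, private):
    d, n = private
    return pow(c, d, n)          # P = C^d mod n


def _digest_int(message, n):
    # Toy reduction of the SHA-256 digest into the range of the modulus.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message, private):
    """Generation: hash the message, then apply the private key to the hash."""
    d, n = private
    return pow(_digest_int(message, n), d, n)


def verify(message, signature, public):
    """Verification: recover the hash with the public key and compare."""
    e, n = public
    return pow(signature, e, n) == _digest_int(message, n)


def hmac_tag(key, message):
    """Symmetric counterpart: anyone holding the key can create the tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(key, message, tag):
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(hmac_tag(key, message), tag)


if __name__ == "__main__":
    public, private = rsa_keypair(DEMO_P, DEMO_Q, DEMO_E)
    message = b"wire 100 to account 42"          # constructed sample
    signature = sign(message, private)
    print("signature valid:   ", verify(message, signature, public))
    print("tampered rejected: ", not verify(message + b"0", signature, public))
    shared = b"constructed-shared-key"
    tag = hmac_tag(shared, message)
    # Both parties hold `shared`, so the tag proves integrity, not authorship.
    print("hmac valid:        ", hmac_verify(shared, message, tag))
```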
 
 
- Digital Signature Standard
- Acceptable Digital Signature Algorithms
- Digital Signature Algorithm (DSA)
- Rivest, Shamir, Adleman (RSA)
- Elliptic Curve DSA (ECDSA)
 
- Acceptable Hashing Algorithms
- SHA-2
 
 
- Allows communications between previously unknown parties
- Components
- Certificates
- Endorsed copies of public key
- E.g. Public key digitally signed by Certificate Authority
- Information Contained (X.509 Certificate)
- X.509 Version
- Serial Number
- Signature Algorithm Identifier
- Issuer Name
- Validity Period
- Subject's Name
- Subject's Public Key
 
- Used to establish SSL connections
 
- Certificate Authorities
- Notarizes digital certificates
- People trust them and they trust various organizations
- You prove your identity to CA and they vouch for you
- Examples
- Symantec
- Thawte
- GeoTrust
- GoDaddy
- Comodo Limited
- DigiCert
- etc.
 
- Default trusted CAs are built-into the browser
 
- Registration Authorities
- Assist CA with verifying user identities
 
 
- Certificate Path Validation
- Verification of the chain of trust from the root down to the client
 
- Certificate Generation and Destruction
- Enrollment
- Registration to a Certificate Authority
- Steps
- Providing documents / physically appearing, etc.
- User provides CA with public key
- CA creates X.509 digital certificate
- CA digitally signs the certificate
- CA provides user signed copy of certificate
 
 
- Verification
- Steps
- Verify digital signature of certificate
- Verify that the CA is trusted
- Check if the certificate is not in a CRL
- Check if certificate contains data that is trusted (e.g. email/domain)
 
 
- Revocation
- Reasons
- Compromise of private key
- Incorrectly issued certificate
- Certificate details changed
- Security association changed (e.g. subject no longer employed)
 
- Verification
- Certificate Revocation List (CRL)
- List of revoked certificate serial numbers
- Has to be downloaded and cross-checked
- May have some latency issues
 
- Online Certificate Status Protocol (OCSP)
- Allows lookup of certificate status without downloading CRL
- Allows real-time verification
- Return status
- Valid
- Invalid
- Unknown
 
 
 
- Portable Devices
- Disk/Volume Encryption
- Trusted Platform Modules
 
- Email
- Pretty Good Privacy
- By Phil Zimmermann
- Uses web of trust
- Decide which users to trust
- Transitive trust takes effect
 
- Commercial Version
- Key Exchange: RSA
- Encryption: IDEA
- Message Digest: MD5
 
- Freeware Version
- Key Exchange: Diffie-Hellman
- Encryption: CAST
- Message Digest: SHA-1
 
 
- S/MIME
- De facto standard for encrypted email
- Key Exchange: X.509 Certificates
- Public Key Protocol: RSA
- Symmetric Encryption: AES and 3DES
- Supported by desktop mail clients
- Not supported by web clients
 
 
- Web Applications
- SSL/TLS/HTTPS
- Originally by Netscape, adopted by Microsoft
- Steps
- Browser retrieves website certificate
- Browser extracts public key from certificate
- Browser generates random symmetric key
- Public key is used to encrypt random symmetric key
- Encrypted key is sent to webserver
- Server decrypts symmetric key using its private key
- All future messages are encrypted using the symmetric key
 
- POODLE Attack
- Makes TLS fallback to SSL 3.0
- Organizations now just drop support for SSL
 
 
 
- Steganography and Watermarking
- Embedding secret messages within other files
- May be used to add digital watermarks to assets
- Can be used to protect intellectual property
- Watermark can be traced back to original copy
 
- Digital Rights Management
- Music
- Movie
- Content Scrambling System
- Enforces playback and region restrictions on DVDs
- Broken with release of DeCSS tool
 
- Advanced Access Content System (AACS)
- Protects content stored on Blu-Ray and HD DVD
- AACS encryption keys have been retrieved and posted online
 
 
- E-Book
- Most successful type of DRM
- Adobe Digital Experience Protection
- DRM for e-books
- Encrypted with AES
- RSA to protect AES key
- Used by a variety of e-readers
 
 
- Video Game
- Make video games dependent on internet to verify the game license
 
- Document
- Prevents actions from being performed on a document
- Examples
- Reading a file
- Modifying a file
- Removing watermarks
- Downloading/saving
- Printing
- Taking screenshots
 
 
 
- Networking
- Circuit Encryption
- Link Encryption
- Encrypts communication between two network locations
- Entire packets are encrypted
- Slower but less susceptible to sniffing
- Done beneath transport layer
- E.g. two office networks
 
- End-to-end Encryption
- Encrypts communication between two hosts
- Only data is encrypted
- Faster but more susceptible to sniffing
- Done in transport layer or above
- E.g. client and webserver
 
 
- IPSec
- IETF standard for setting up secure comms channel
- Parties can be two gateways, two systems, etc.
- Uses public key cryptography
- Modes
- Transport Mode
- Between two gateways
- Uses L2TP (layer 2 tunneling protocol)
 
- Tunnel Mode
- Between two hosts (peer-to-peer)
 
 
- Components
- Authentication Header
- Uses public keys(?)
- Authentication
- Access Control
- Integrity
- Non-repudiation
- Prevents replay attacks
 
- Encapsulating Security Payload
- Uses symmetric keys(?)
- Encryption
- Some authentication
- Prevents replay attacks
- Sometimes used without AH
 
 
- Security Association
- Represents communication session
- Records configuration status about connection
- Represents a one-way connection
- Additional SA must be setup per direction and IPSec component
 
- Internet Security Association Key Management Protocol (ISAKMP)
- Establishes, modifies, and deletes Security Associations
- Requirements for ISAKMP
- Authenticate communicating peers
- Create and manage security associations
- Provide key generation mechanisms
- Protect against threats (DOS, replay attacks, etc.)
 
 
 
- Wireless Networking
- Wired Equivalent Privacy
- Not secure - do not use
- 64 and 128-bit encryption
 
- WiFi Protected Access
- WPA
- Adds TKIP to the mix
- Temporal Key Integrity Protocol
- Secure IV generation
 
- WPA2
- Uses CCMP instead of TKIP
- Uses AES instead of RC4
 
 
- 802.1X
- For network authentication
- Clients that connect to a network are authenticated
- Client runs a supplicant application
- Supplicant communicates with Authentication Server
 
 
- Analytic Attack
- Reduces complexity of the algorithm
 
- Implementation Attack
- Attacks specific implementations
 
- Statistical Attack
- Exploits statistical weaknesses
- Inability to produce random numbers
- Floating-point errors
 
 
- Brute Force
- Trying every possible key
- Time to break depends on length of key
- Approaches
- Rainbow table
- Table of hashes and corresponding values
- Makes brute force attacks faster
- Prevented by salting passwords
- Adding a random nonce before hashing a password
- Salt is stored alongside password hash
- Salt is added to any new string that needs to be compared w/ password
- This increases the difficulty of brute force attacks
 
 
- Specialized computing hardware
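Added example (not part of the original notes) for the salting bullets above: a precomputed hash table recovers an unsalted hash immediately, but finds nothing once each password is hashed with its own random salt. PBKDF2-HMAC-SHA256 from the Python standard library is used as the salted hash here, which is an assumption beyond the notes; the password list and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a short list standing in for a precomputation wordlist.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 100_000  # assumed work factor for this demo


def unsalted_hash(password):
    """Plain SHA-256: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precomputed hash -> value table (a plain dict standing in for a rainbow table)."""
    return {unsalted_hash(p): p for p in candidates}


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt is generated for each new password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(attempt, salt, stored_digest):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(attempt, salt)
    return hmac.compare_digest(candidate, stored_digest)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    # Two users pick the same password; each record stores its own salt next to the digest.
    salt_a, digest_a = hash_password("letmein")
    salt_b, digest_b = hash_password("letmein")
    return {
        # The unsalted hash is found in the precomputed table.
        "unsalted_recovered": table.get(unsalted_hash("letmein")),
        # The salted digest is not in the table, even though the password is.
        "salted_recovered": table.get(digest_a.hex()),
        # Same password, different salts: the stored digests differ.
        "same_password_same_digest": digest_a == digest_b,
        # Verification still works because the salt is stored with the hash.
        "login_ok": verify_password("letmein", salt_a, digest_a),
        "wrong_password_ok": verify_password("password", salt_a, digest_a),
        "wrong_salt_ok": verify_password("letmein", salt_b, digest_a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```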
 
 
- Ciphertext Only / Frequency Analysis
- Only ciphertext is available to cryptanalyst
- One can perform a frequency analysis attack
- E T O A I are the most frequent letters of the alphabet
- If these letters are also the most common, expect a transposition cipher
- If other letters are more common, expect a substitution cipher
 
 
 
- Known Plaintext
- Attacker knows plaintext and corresponding ciphertext
 
- Chosen Plaintext Attack
- Attacker can encrypt any plaintext of their choosing
 
- Chosen Ciphertext
- Attacker has ability to decrypt certain portions of ciphertext
 
- Meet in the Middle
- Defeats algorithms that use two rounds of encryption
- This is what broke 2DES
- Process
- Have specific plaintext
- Encrypt it with every possible key
- Each ciphertext is decrypted with all possible keys
- When match is found, the pair of keys represent both portions of double encryption
 
- Key strength is only 2^n rather than 2^n * 2^n
- Only adds minimal amount of protection
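Added example (not part of the original notes) of the process listed above, run against a constructed toy cipher with 12-bit keys and 16-bit blocks. The cipher, key values and function names are assumptions made for illustration; the point is the cost comparison between the two searches, which is why double encryption is not used to extend key length.

```python
KEY_BITS = 12
KEYSPACE = 1 << KEY_BITS
ROUNDS = 4


def _f(half, key, rnd):
    """Toy Feistel round function (constructed for this demo, not a real cipher)."""
    return ((half * 167 + (key & 0xFF) + rnd) ^ (key >> 4)) & 0xFF


def encrypt(block, key):
    """Encrypt one 16-bit block with a 12-bit key using a 4-round Feistel network."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _f(right, key, rnd)
    return (left << 8) | right


def decrypt(block, key):
    """Invert encrypt() by running the rounds backwards."""
    left, right = block >> 8, block & 0xFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _f(left, key, rnd), left
    return (left << 8) | right


def double_encrypt(block, k1, k2):
    """Two rounds of encryption with independent keys, as in 2DES."""
    return encrypt(encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Return every (k1, k2) consistent with the known plaintext/ciphertext pairs."""
    plaintext, ciphertext = pairs[0]
    # Step 1: encrypt the known plaintext under every possible first key.
    forward = {}
    for k1 in range(KEYSPACE):
        forward.setdefault(encrypt(plaintext, k1), []).append(k1)
    # Step 2: decrypt the ciphertext under every possible second key and
    # look for a middle value that also appears in the forward table.
    matches = []
    for k2 in range(KEYSPACE):
        middle = decrypt(ciphertext, k2)
        for k1 in forward.get(middle, ()):
            # Step 3: discard chance matches using the remaining known pairs.
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                matches.append((k1, k2))
    return matches


def work_factors(key_bits):
    """Cipher operations needed: (meet in the middle, naive search of both keys)."""
    return 2 * (1 << key_bits), (1 << key_bits) ** 2


if __name__ == "__main__":
    k1, k2 = 0x3A7, 0xC15  # constructed secret keys
    known = [(p, double_encrypt(p, k1, k2)) for p in (0x1234, 0xBEEF, 0x0042)]
    print("recovered key pairs:", meet_in_the_middle(known))
    print("operations (mitm, naive):", work_factors(KEY_BITS))
```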
 
- Man in the Middle
- Interception of communications
- Key is intercepted and replaced
- A different secure session is started by MitM between the 2 hosts
- 2 hosts don't know they're not communicating with each other
 
- Birthday Attack
- AKA collision attack / reverse hash matching
- Attacker replaces signed communication with another message which has the same hash
 
- Replay Attack
- Used against algorithms which do not use temporal protections
- E.g. algorithms without initialization vectors, etc.
- Captured messages can simply be resent in order to trigger some action
 
- Objects and Subjects
- Subject
- User/process trying to access a resource
 
- Object
- A resource a user/process wants to access
 
 
- Closed and Open Systems
- Open System
- System built on agreed-upon industry standards
- Easy to integrate with other systems
- More likely to be targeted
 
- Closed System
- Works with narrow range of other systems
- Usually proprietary
- Less likely to be targeted
 
 
- Open Source and Closed Source
- Open Source
- Source code is exposed to the public
- Depends on public scrutiny to evaluate and secure
 
- Closed Source
- Source code is hidden from the public
- Depends on vendor to evaluate and secure
- Also called "commercial"
- Can still be an open system
 
 
- Ensuring CIA
- Confinement
- Restricting program to a specific memory and resource space
- Also called "sandboxing"
- Implemented by the operating system
 
- Bounds
- The range of memory and resources that a program can operate in
- Enforced by the operating system
- Physical Bounding
- Processes can be required to run on a range that is physically separated from other processes
 
- Logical Bounding
- Process can be allowed to run on a range that is in the same physical range of other processes
 
 
- Isolation
- The state of being confined
- Program is prevented from accessing memory of other processes
- OS provides resource sharing capabilities instead
 
 
- Controls
- Control
- Limits subject access to an object
 
- Mandatory Access Control
- Subjects and objects have static labels
- Labels determine access right
 
- Rules Based Access Control
- Uses rules to determine access right
- Rules grant access rights to objects
 
- Discretionary Access Control
- Subjects define access rules to objects
- If they have the authority to, that is
 
 
- Trust and Assurance
- Trusted System
- One which protects data for many types of users
 
- Assurance
- Degree of confidence in satisfaction of security needs
- Needs to be maintained
- Changes decrease assurance, hence reevaluation is needed
 
 
- Concepts
- Security Model
- Maps abstract statements into a security policy
- Used to measure system support of security policy
 
- Tokens, Capabilities, and Labels
- Tokens
- Separate object associated with a resource
- Describes resource's security attributes
 
- Capabilities
- A list of capabilities for each object
- Not very flexible but faster
 
- Labels
- Attached to a resource and is a part of it
- Cannot be altered
 
 
 
- Models
- Trusted Computing Base
- Set of computing components which enforces security policy
- Foundation of most security models
- Restrict activities of components outside the TCB
- Concepts
- Security Perimeter
- Bounds between TCB and rest of system
- Prevents insecure communications between TCB and rest of system
- Trusted Path
- Used by TCB to communicate with rest of system
- Adheres to strict standards to prevent compromise of TCB
 
 
- Reference Monitor
- Validates access to every resource
- Grants access to resources
- Stands between subject and object
- Just a theory, not an actual thing
 
- Security Kernel
- TCB components that implement the reference monitor
- Launches components that enforce reference monitor
- Uses trusted paths to communicate with subjects
- Mediates all resource access
 
 
 
- State Machine Model
- Describes a system that is always secure
- All valid states are secure
- All valid state transitions are secure
- Also called Secure State Machine
- Basis for other security models
- Based on Finite State Machine
 
- Information Flow Model
- Only valid information flows may be allowed
- Prevents insecure information flows
- Addresses covert channels
- Focuses on flow of information
- Composition Theories
- Describes information flow between systems
- Theories
- Cascading
- Input of one system comes from output of another
- Example: Web server with database backend
- A -> B -> C : Chaining
 
- Feedback
- System receives input and responds with output
- Example: HTTP Request and Response
- A -> B : Request
- A <- B : Response
 
- Hookup
- System sends input to one system and sends copy to another
- Example: CC and BCC in email
- A -> B : To Destination
- A -> C : To Hookup
 
 
 
- Based on State Machine Model
 
- Noninterference Model
- High-privileged actions should not affect lower-privileged subjects
- Unauthorized parties should not be affected by information flows
- Prevents inference attacks and covert channels
- Based on the Information Flow Model
 
- Take-Grant Model
- Describes how rights can be passed/taken from subject to subject/objects
- Allows you to track where rights can change
- Allows you to track where leakage can occur
- Rules
- Take Rule
- Allows subjects to take rights over an object
 
- Grant Rule
- Allows a subject to grant rights over an object
 
- Create Rule
- Allows a subject to create new rights
 
- Remove Rule
- Allows a subject to remove rights it has
 
 
 
- Access Control Matrix
- A matrix of subjects and objects
- Indicates the rights each subject has over each object
- Parts
- Row
- Subjects
- Capabilities List
- Each row shows capability of each subject
- List of rights a subject has for every object
 
 
- Columns
- Objects
- Access Control Lists
- Each column shows subjects that have rights to object
- List of subjects that have rights to an object
 
 
- Cells
- Access Rights
- Access rights of a subject to an object
 
 
 
 
- Lattice-Based Access Control
- Subjects are assigned a position in a lattice
- Positions fall between security labels
- Subjects only access objects that are within "range"
- Example
- A subject between Private and Sensitive
- Can only access an object within those two labels
 
 
- Bell-LaPadula Model
- Prevents information flow to lower sensitivity levels
- Protects Confidentiality
- Does not address integrity or availability
- Used by military organizations
- Properties
- Simple Security Property
- No Read Up
- Subjects can't read objects with higher sensitivity labels
 
- (*) Security Property
- No Write Down
- Subjects can't write to objects with lower sensitivity labels
- Unless performing declassification, which is a valid operation
 
- Discretionary Security Property
- An access matrix is used to enforce discretionary access control
 
 
- Trusted Subject
- Exception to * Security Property
- Can declassify objects
 
- Based on State Machine and Information Flow Model
 
- Biba Model
- Prevents information flow to higher integrity levels
- Protects Integrity
- Prevent unauthorized modification of objects
- Protects object consistency
- Does not address confidentiality or availability
- Used by commercial organizations
- Properties
- Simple Integrity Property
- No Read Down
- Subjects can't read objects at lower integrity levels
 
- (*) Integrity Property
- No Write Up
- Subjects can't write objects at higher integrity levels
 
 
- Based on Bell-LaPadula Model
- Based on State Machine and Information Flow Model
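Added example (not part of the original notes) tying together the Access Control Matrix, Bell-LaPadula and Biba passages above: a small reference monitor that first checks the matrix cell (discretionary check) and then applies either model's read/write properties. The subjects, objects, level names and function names are constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    # Constructed labels; a higher value means more sensitive (BLP) or more trusted (Biba).
    PUBLIC = 0
    SENSITIVE = 1
    SECRET = 2


# Access control matrix: rows are subjects, columns are objects, cells are rights.
MATRIX = {
    "alice": {"plan.doc": {"read", "write"}, "memo.txt": {"read"}},
    "bob": {"plan.doc": {"read"}, "memo.txt": {"read", "write"}},
}
SUBJECT_LEVELS = {"alice": Level.SECRET, "bob": Level.PUBLIC}
OBJECT_LEVELS = {"plan.doc": Level.SECRET, "memo.txt": Level.PUBLIC}


def capability_list(matrix, subject):
    """One row of the matrix: the rights a subject has for every object."""
    return dict(matrix.get(subject, {}))


def acl(matrix, obj):
    """One column of the matrix: the subjects that have rights to an object."""
    return {subject: row[obj] for subject, row in matrix.items() if obj in row}


def blp_allows(subject_level, object_level, op, trusted=False):
    """Bell-LaPadula (confidentiality)."""
    if op == "read":
        return subject_level >= object_level  # simple security property: no read up
    if op == "write":
        # (*) security property: no write down, except for a trusted subject
        return trusted or subject_level <= object_level
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject_level, object_level, op):
    """Biba (integrity): the same comparisons with the directions reversed."""
    if op == "read":
        return subject_level <= object_level  # simple integrity property: no read down
    if op == "write":
        return subject_level >= object_level  # (*) integrity property: no write up
    raise ValueError(f"unknown operation: {op}")


def reference_monitor(subject, obj, op, model=blp_allows):
    """Mediate one access: the matrix cell must hold the right, then the model must agree."""
    if op not in MATRIX.get(subject, {}).get(obj, set()):
        return False
    return model(SUBJECT_LEVELS[subject], OBJECT_LEVELS[obj], op)


if __name__ == "__main__":
    for subject in MATRIX:
        for obj in OBJECT_LEVELS:
            for op in ("read", "write"):
                print(subject, op, obj,
                      "BLP:", reference_monitor(subject, obj, op),
                      "Biba:", reference_monitor(subject, obj, op, biba_allows))
```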
 
- Clark-Wilson Model
- Access to subject must be mediated through a program
- Program enforces well-formed transactions
- Protects
- Confidentiality
- Integrity
 
- Constrained Interface
- Enforces well-formed transactions
- Enforces separation of duties
- Authorizes transactions
 
- Access Control Triple
- Subject
- Object
- Program/Transaction/Interface
 
- Constrained Data Item
- Data items protected by the model
- Can only be modified by transformation procedures
 
- Unconstrained Data Item
- Data not controlled by the model
- Input and output data
 
- Integrity Verification Procedure
- Determines integrity of data items
 
- Transformation Procedures
- Used to modify a constrained data item
- The only thing that can
- Essentially the backbone of the model
- Example: Stored Procedure in Database
 
- Restricted Interface Model
- Provides subjects authorized information and functions
- Subjects at different levels see different set of data
- Like a webapp that shows you only the info and features you can access
- Enforces separation of duties in effect
 
 
- Brewer and Nash Model / Chinese Wall
- Focused on confidentiality
- Uses security domains / conflict classes
- Prevents conflict of interests
- Based on a user's previous actions
- Security domains are not predetermined
- Examples
- Separate conflict classes for accessing data of two competing companies
- Preventing access to data irrelevant to a current operation
 
 
- Goguen-Meseguer Model
- Focused on integrity
- Basis for non-interference model
- Security domains are predetermined
- List of objects a subject can access is predetermined
- List of operations a subject can perform is predetermined as well
 
 
- Sutherland Model
- Focused on integrity
- A non-interference model
- A state machine model
- Defines a set of system states, and transitions
- Integrity is maintained if the defined states and transitions are used
 
- Graham-Denning Model
- Focused on secure creation and deletion of objects
- Specifies how to securely:
- Create
- Object
- Subject
 
- Delete
- Object
- Subject
 
- Provide Right
- Read
- Grant
- Delete
- Transfer
 
 
 
 
- Evaluation Steps
- Certification
- Notes
- Initiated by a vendor
- Test system security capabilities
- Compare design, security criteria, and actual capabilities
- Auditors decide if security criteria are met
- Security criteria is based on intended use (commercial, health, etc)
- Usually performed by a 3rd party
 
- Steps
- Choose security criteria (TCSEC/ITSEC/CC)
- Analyze each system component based on criteria
- Evaluate deployment environment
- Determine level of security
 
 
- Accreditation
- Recognition of the certification
- Performed by an adopting organization/customer
 
- Maintenance
- Ensuring that the security criteria is up to date
- Ensuring that the system still meets security criteria
 
 
- Rainbow Series
- Orange - Trusted Computer System Evaluation
- Green - DoD Password Management Guidelines
- Yellow - TCSEC in Specific Environments
- Tan - Audit in Trusted Systems
- Bright Blue - Trusted Product Evaluation for Vendors
- Light Blue - PC Security Considerations
- Neon Orange - Discretionary Access Controls
- Aqua - Computer Security Terms
- Red - Trusted Network Interpretation
- Amber - Configuration Management
- Burgundy - Design Documentation
- Lavender - Trusted Distribution
- Venice Blue - Computer Security Subsystem Interpretation
 
- Evaluation Models
- TCSEC - Orange Book
- Categories
- D - Minimal Protection
- Do not meet the requirement to belong to any other category
 
- C - Discretionary Protection
- C1 - Discretionary Protection
- Access is controlled using users and groups
 
- C2 - Controlled Access Protection
- Meets requirements of C1
- Strict logon procedures
- Enforces media cleansing
 
 
- B - Mandatory Protection
- B1 - Labeled Security
- Access is controlled using subject and object labels
 
- B2 - Structured Protection
- Meets requirements of B1
- Ensures that no covert channels exist
- Operator and administrators are separated
- Enforces process isolation
 
- B3 - Security Domains
- Meets requirements of B2
- Administrators are separated from other users
- Reduce exposure to vulnerabilities
 
 
- A - Verified Protection
- A1 - Verified Protection
- Meets requirements of B3
- Each step of implementation is documented
 
 
 
- Limitations
- Doesn't control what users do with information once granted
- Focused on confidentiality and doesn't work in commercial contexts
- No physical, personnel, procedural provisions
- Doesn't deal with networked systems
 
 
- TNI-TCSEC - Red Book
- TCSEC with Networking Considered
- Includes
- CIA Rating
- Communications Integrity
- DoS protection
- Intrusion prevention
 
- Rating Level
- None
- C1 - Minimum
- C2 - Fair
- B2 - Good
 
- Restrictions
- Centralized networks
- Single accreditation authority
 
 
- ITSEC
- European security evaluation criteria
- Corresponds to TCSEC categories
- Categories
- F0: F-D - Minimal Protection
- F1: F-C1 - Discretionary Protection
- F2: F-C2 - Controlled Access Protection
- F3: F-B1 - Labeled Security
- F4: F-B2 - Structured Access Protection
- F5: F-B3 - Security Domains
 
- Difference from TCSEC
- Change doesn't require re-evaluation of a system
- Also considers integrity
- Doesn't require a TCB
 
 
- Common Criteria
- A product evaluation model
- Does not ensure that a system has no vulnerabilities
- Helps buyers purchase products
- An official ISO standard: ISO 15408
- Goals
- Add to buyer confidence in purchasing products
- Eliminates duplicate evaluations
- To make security evaluations more cost effective
- To evaluate functionality and assurance of the TOE (target of evaluation)
 
- Elements
- Protection Profiles
- Specify security demands of customers
- "What I want" from customers
 
- Security Targets
- Security claims of a vendor about their system
- "I will provide" from a vendor
- A target that a vendor sets for itself
- Customers compare their requirements to this
 
- Package
- Additional security components provided by the vendor
- Can be added and removed
 
 
- Process
- Customer compares their protection profile to security targets of various vendors
- Customer chooses product with closest security target based on published assurance levels
 
- Structure
- Introduction and General Model
- Explains the security evaluation process
 
- Security Function Requirements
- Specifies requirements for each function that needs evaluation
 
- Security Assurance
- Specifies how systems are designed, checked, and tested
 
 
- Categories
- EAL1 - Functionally Tested
- TCSEC: D
- For non-serious threats to security
- Requirements
- Features are working as intended
 
 
- EAL2 - Structurally Tested
- TCSEC: C1
- For low to moderate assurance requirements
- Requirements
- EAL1 is passed
- Design information is evaluated
 
 
- EAL3 - Methodically Tested and Checked
- TCSEC: C2
- For moderate assurance requirements
- Requirements
- EAL2 is passed
- Security is engineered since design stage
 
 
- EAL4 - Methodically Designed, Reviewed, and Tested
- TCSEC: B1
- For moderate assurance requirements
- Requirements
- EAL3 is passed
- Security and commercial best practices are followed
 
 
- EAL5 - Semi-Formally Designed and Tested
- TCSEC: B2
- For high assurance requirements
- Requirements
- EAL4 requirements
- Specialist security engineering techniques are followed
 
 
- EAL6 - Semi-Formally Verified, Designed, and Tested
- TCSEC: B3
- For high risk situations
- Requirements
- EAL5 requirements
- Specialist security engineering techniques are used at all phases of design
 
 
- EAL7 - Formally Verified, Designed, and Tested
- TCSEC: A1
- For highest-risk situations
- Requirements
- EAL6 requirements
 
 
 
 
 
- Certification and Accreditation Systems
- Standards
- Department of Defense
- RMF - Risk Management Framework (Current)
- DIACAP - DoD Information Assurance Certification and Accreditation Process
- DITSCAP - Defense Information Technology Security Certification and Accreditation Process
 
- Executive Branch
- CNSSP - Committee on National Security Systems Policy (Current)
- NIACAP - National Information Assurance Certification and Accreditation Process
 
 
- Phases of Current Standards
- Definition
- Assign personnel
- Document mission need
- Registration and negotiation
- Creation of System Security Authorization Agreement
 
- Verification
- Refinement of SSAA
- Development activities
- Certification analysis
 
- Validation
- Further refinement of SSAA
- Certification evaluation
- Recommendation development
- Accreditation decision
 
- Post Accreditation
- Maintenance of SSAA
- System operation
- Change management
- Compliance validation
 
 
 
- Memory Protection
- Prevents processes from interacting with memory locations not allocated to them
 
- Virtualization
- Allows multiple operating systems to run on the same set of hardware
 
- Hardware Security Module
- Hardware cryptoprocessors
- Used to store keys
- Used by banks and authorities to store certificates
 
- Trusted Platform Module
- Specs for a cryptoprocessor chip
- A type of a hardware security module (HSM)
- Provides
- Key storage
- Hardware encryption
- Hard drive encryption
- More secure
- Key is stored in TPM so TPM is required to decrypt the hard drive
- Hard drive can't be decrypted when put in a separate system
 
 
 
 
- Interfaces
- Provides users access to the data
- Must be constrained based on user privileges
- Through hiding, if permission is not granted to a user
 
- Implementation of Clark-Wilson model
 
- Fault Tolerance
- Ability of a system to continue to operate when experiencing a fault
- Achieved by adding redundant components
- Essential element of security design
 
- Hardware
- Processor
- Execution Types
- Multitasking
- Single processor, multiple tasks
 
- Multiprocessing
- Multiple processors, multiple tasks
- Types
- SMP - Symmetric Multiprocessing
- Single OS distributes task to processors
- Multiple processors treated equally
- Good for simple operations
 
- MMP - Massive Multiprocessing
- Multiple OS environment
- Tasks assigned to coordinating processors
- Coordinating processors assign tasks to other processors
- Good for complex operations
 
 
 
- Multiprogramming
- Single processor, one task at a time
- Switch to different task when one waits
- Needs to be specially written
 
- Multithreading
- Multiple tasks in a single process
 
 
- Processing Types
- Single State
- Processors handle only one security level
- The system only handles one security level
- Access is controlled via policy
- Cheaper
 
- Multistate
- Processors handle multiple security levels
- The system handles multiple security levels
- Access is controlled via technical protection mechanisms
- More expensive
 
 
- Protection Mechanisms
- Protection Rings
- Lower rings, higher privilege
- Multics has six rings, modern OSes have 4 rings
- Rings
- Ring 0 - Kernel
- Ring 1 - OS Components
- Ring 2 - Drivers
- Ring 3 - User Programs
 
- Mediated Access Model
- Processes communicate with lower rings via interfaces
 
- System Call
- Request to resources on lower level ring
- Usually a programming interface
- Lower ring must authorize requester
 
 
- Process States / Operational States
- Ready
- Process is ready to be given a time slice
- Initial state of a process
- Transitions to Running State
 
- Waiting / Blocking
- Process is waiting on a resource
- Transitions to Running State
 
- Running
- Process is currently in execution
- Ends upon termination or end of time slice
- Also called Problem State as errors can occur
- Transitions to Ready, Waiting, or Stopped State
 
- Supervisory
- Process is performing privileged operation
- States other than this are user mode
 
- Stopped
- Process is finished or must be terminated
 
 
- Security Modes
- Requirements
- MAC Environment
- Physical control of system and room
 
- Modes
- Dedicated Mode
- Right to know everything in system
- Permission to access everything in the system
- Need to know everything in system
 
- System High Mode
- Right to know everything in system
- Permission to access everything in the system
- Need to know some things in the system
 
- Compartmented Mode
- Right to know everything in the system
- Permission to access some things in the system
- Need to know things to be accessed in the system
 
- Multilevel Mode
- Right to know some things in the system
- Permission to access some things in the system
- Need to know things to be accessed in the system
 
 
 
 
- Operating (System) Modes
- User Mode / Problem State
- Ring 3
- When user applications are being executed
- Prevents accidental damage to system
- User programs are executed in a sandbox
- Also called a Virtual Machine
 
 
- Kernel Mode / Privileged Mode / System Mode
- Ring 0 to 2
- Allows OS to perform full range of CPU instructions
 
 
 
- Memory
- ROM - Read Only Memory
- Types
- ROM - Read Only Memory
- Contents are written at factory
- Can't be modified
 
- PROM - Programmable Read Only Memory
- Unwritten ROM
- Users can write once
- Example: CDs
 
- EPROM - Erasable Programmable Read Only Memory
- Can be erased using chemicals or UV light
 
- EEPROM - Electronically Erasable Programmable Read-Only Memory
- Can be erased electronically
- All contents must be erased
 
- Flash Memory
- Can be erased electronically
- Allows erasure of individual blocks
- Example: NAND Flash, SSDs, Flash Drives
 
 
- Issues
- Data retention
 
 
- RAM - Random Access Memory
- Types
- Real Memory
- Main memory
- Made up of Dynamic RAM
 
- Cache RAM
- Attached to a processor
- Contains RAM data that is accessed frequently
- Levels
- Level 1 Cache
- Attached to processor chip
 
- Level 2 Cache
- On a separate chip
 
 
- Peripherals also have RAM caches
- Printers have RAM caches which can load an entire job
 
- Dynamic RAM
- Loses charge over time even if power is supplied
- Must be refreshed by CPU
- Made up of capacitors
- Cheaper but slower than static RAM
 
- Static RAM
- Does not lose charge over time if power is supplied
- Does not need to be refreshed by CPU
- Made up of flip flops
- More expensive but faster than dynamic RAM
 
 
- Issues
- Pilferable
- Data retention
- Cold boot attack
 
 
- Registers
- Limited amount of onboard CPU memory
- ALU - Arithmetic Logic Unit
- Perform arithmetic operations
- Can directly access registers
- Values to process must be loaded to registers first
 
 
- Addressing
- Register Addressing
- Value to process is in a register
- Register address is provided by instruction
 
- Immediate Addressing
- Value to process is in the instruction
- Provided value is used in operation
 
- Direct Addressing
- Value to process is in memory
- Memory address of value is provided by instruction
 
- Indirect Addressing
- Address of value to process is in memory
- Memory address of value's address is provided by instruction
 
- Base + Offset Addressing
- Address of value to process is in a register
- Register address and offset is provided by instruction
 
 
- Secondary memory
- Storage devices; non-volatile
- Example: optical disk, hard drive, etc.
- Cheaper but slower than primary memory
 
- Virtual Memory / Paging
- Used to extend main memory
- Stores overflowing contents onto secondary memory
- Pages from main memory are "swapped" into secondary memory
- Non-used parts of main memory are stored in pagefile
- They are restored into main memory when they need to be used
 
- Storage
- Primary and Secondary
- Primary
- RAM
- Data is readily available to CPU
 
- Secondary
- SSDs, CDs, hard drives
- Data not readily available to CPU
 
 
- Volatile and Non-volatile
- Volatile
- Not designed to retain data
 
- Non-volatile
- Designed to retain data
 
 
- Random and Sequential
- Random
- Any memory location can be accessed immediately
- Faster but more expensive; for shorter term storage
- Examples: Hard Drives, RAM, CDs, DVDs
 
- Sequential
- Data prior to desired location must be read
- Slower but cheaper; for long term storage
- Examples: Magnetic Tape
 
 
- Issues
- Data Remanence
- Files can be recovered after deletion
- SSD blocks may retain information even after wiping
- Some blocks might hold a copy of data when copied to lower leveled blocks
 
 
- Theft
- May disclose confidential information
- Removable media are pilferable
 
 
 
 
- IO Devices
- Types
- Monitors
- Van Eck radiation
- Electronic emanations coming from monitors
- Can be read via TEMPEST program
- Also called Van Eck phreaking
- CRT are more vulnerable than LCDs
 
 
- Van Eck radiation
- Printers
- Print outs can be taken if not secured
- Printers store data locally
 
- Keyboards/Mice
- Vulnerable to TEMPEST attacks
- Keyboards are vulnerable to keyloggers
- Signal interception if wireless
 
- Modems
- Uncontrolled entry points into the network
- Can establish external connections by themselves
- Needs a telephone line
 
 
- Structures
- Memory-Mapped IO
- Memory space is reserved for input and output communication with device
- CPU reads from those memory locations to read input from device
- CPU writes to those memory locations to write output to device
- CPU facilitates transfer of data to and from device (synchronously)
 
- IRQ - Interrupt Request
- Specific signal lines are used for CPU and device communication
- Signal lines are identified via IRQ number
- IRQ numbers range from 8 to 16
- OS assigns IRQ to devices
- Interrupt conflict happens when two devices share the same IRQ
 
- DMA - Direct Memory Access
- Like memory-mapped IO but data transfer is done asynchronously
- CPU not needed to facilitate data transfer between memory and device
- Steps
- DMQ - DMA Request
- Device requests to access memory location
- CPU locks target memory for device
- Device accesses the memory location
- CPU continues with other tasks
 
- DACK - DMA Acknowledgement
- Device finishes accessing memory location
- Device tells CPU that it can now access the memory location
- CPU accesses data on shared memory location
 
 
 
 
 
- Firmware
- Hard-coded software
- Software stored on a ROM chip
- Not changed frequently
- Types
- BIOS
- Starts up the operating system from the disk
- Stored on an EEPROM chip
- Phlashing: Malicious BIOS is flashed onto the ROM
 
- Device Firmware
- Mini operating systems onboard devices
- Stored on EEPROM chip
 
 
 
 
- Client-Based Systems
- Applets
- Client executes code sent by the server
- Self contained mini programs
- Processing burden is shifted to client
- Privacy advantage as data is never sent to server
- Applets can be trojans though
- Examples
- Java Applets
- By Sun Microsystems
- Sandboxed Java programs; requires JVM
- Can run on different operating systems
- Widely exploited
 
- ActiveX Controls
- By Microsoft
- Non-sandboxed VB, C, C++, and Java programs
- Has full access to Windows operating system
- Can run on Microsoft browsers only
- Widely exploited; usually prohibited altogether
 
 
 
- Local Caches
- ARP Cache (Poisoning)
- Spoofed ARP replies
- Spoofed ARP reply is used to populate ARP table
- ARP: translates IP to MAC address
- Spoofing: Wrong machine associated with an IP address
- Allows man in the middle attack
 
- ARP Poisoning: Static ARP Entries
- Malicious ARP entries manually configured in the operating system
- Must be modified locally on the machine
- Attack Vector: Using a trojan or social engineering attack
- Allows man in the middle attack
 
 
- DNS Cache (Poisoning)
- HOSTS File Poisoning
- Malicious entries added to HOSTS file
- HOSTS File: local configuration file used to translate names to IPs
- Attack Vector: Using trojan or social engineering attack
- Allows impersonation of intended server with malicious dummy
 
- Authorized DNS Server Attacks
- Attacking DNS records stored on authoritative DNS servers
- Affects the entire internet and gets noticed pretty quickly
- Allows impersonation of intended server with malicious dummy
 
- Caching DNS Server Attacks
- Attacking DNS records on cache servers
- These are provided by ISP and companies
- Watched by fewer people and can occur without notice for some time
- Allows impersonation of intended server with malicious dummy
 
- DNS Lookup Address Changing
- Changing the DNS server used by a system to a malicious one
- Attack Vectors: intercepting DHCP responses or local system attacks via trojans
- Allows impersonation of intended server with malicious dummy
 
- DNS Query Spoofing
- Intercepting DNS responses and substituting them with false information
- Allows impersonation of intended server with malicious dummy
 
 
- Temporary Internet Files
- Contains cached website content
- Can be poisoned to contain malicious content (client-side scripts, etc.)
- Malicious content is invoked when cached items are accessed
 
 
- Other Considerations
- Emails, Phishing, and Trojans
- Upload and Downloads
- System Access Control
- User Interfaces
- System Encryption
- Process Isolation
- Protection Domains
- Data and Media Labels
- Data Backups
- Awareness Trainings
- Physical Protections
- Disaster Recovery Procedures
- Secure Coding, Configuration, and Updates
 
 
- Server-Based Systems
- Database
- Aggregation
- Combining multiple instances of data
- Produces useful information that may be classified
- Examples: Sum, Average, Max, Min, etc.
- Individual records might not be classified
- Sum/Average/Max/Min of data might be classified
- Example: record for 1 soldier and total number of troops
 
- Inference
- Deducing classified information from available information
- Example
- Clerk knows total salary expenses of entire company
- A new person gets hired
- Total salaries increase
- The increase in salary expenses is the salary of new person
 
 
- Data Warehousing
- Stores large amounts of information
- For use with specialized analysis techniques
 
- Data Dictionary
- Stores usage and access rights of data
 
- Data Mining
- Process of analyzing data warehouses
- Search for patterns in large data sets
- Produces metadata
 
- Metadata
- Data about data
- Can be representation of data
- Can be aggregation(?)
- Something that describes the bulk of data in the warehouse
- Examples:
- Security incident report
- Sales trends report
 
- May be more valuable than the bulk data
 
- Data Analytics
- Examination of bulk data to extract useful information
 
- Large-Scale Parallel Data Systems
- Performs simultaneous calculations / Multiprocessing
- Breaking down tasks into subtasks and distributing the load
 
 
- Distributed Systems
- Cloud Computing
- Computing is outsourced to a service provider
- Service is accessible via the internet
- Types
- SaaS - Software-as-a-Service
- Provider manages:
- Networking
- Storage
- Virtualization
- Operating System
- Middleware
- Applications
 
- Customer uses the application
- Examples
- GMail
- Google Docs
 
 
- PaaS - Platform-as-a-Service
- Provider manages:
- Networking
- Storage
- Virtualization
- Operating System
- Middleware
 
- Customer manages:
- Applications
 
- Examples:
- Heroku
 
 
- IaaS - Infrastructure-as-a-Service
- Provider manages:
- Networking
- Storage
- Virtualization
 
- Customer manages:
- Operating System
- Middleware
- Applications
 
- Examples:
- Amazon Web Services EC2
 
 
 
- Grid Computing
- Computing tasks are distributed to clients
- Clients return result to central server
- Similar to asymmetric multiprocessing
- Clients are able to view the data that they are handling
- Clients are not guaranteed to return results
- Returned results need to be validated to ensure integrity
 
- Peer-to-Peer
- No central server
- Clients connect directly to each other
- Examples
- VoIP
- Skype
- BitTorrent
 
- Same security concerns as grid computing
 
 
- Industrial Control Systems
- DCS - Distributed Control Systems
- Each piece of equipment has its own control system
- Remotely accessed and managed from a central location
- Keyword: Central Management
 
- PLC - Programmable Logic Controllers
- Single-purpose computers
- E.g. displaying signs, marquees, etc.
- Keyword: Single-purpose
 
- SCADA - Supervisory Control and Data Acquisition
- Stand-alone devices networked with each other
- Keyword: Stand-alone; Peer-to-Peer
 
 
- Web-Based Systems
- Security Association Markup Language
- Used to provide web-based SSO
 
- Open Web Application Security Project
 
- Mobile Systems
- Operating Systems
- Android
- Based on Linux
- Open Source Apache License
- Made by Google
- App Store: Google Play
- Can be rooted
 
- iOS
- Made by Apple
- Closed Source
- App Store: Apple App Store
- Can be jailbroken
 
 
- Issues
- Easy to hide
- Can be used to steal data
- Contains sensitive info
- Eavesdropping
 
- Device Security
- Full Device Encryption
- Storage and voice encryption
- Prevents reading of data
 
- Remote Wiping
- Delete entire phone data remotely
- Can be blocked
- Deleted data may still be recovered
 
- Lockout
- Disable access if unlock attempts fail
- Requires a preconfigured screen lock
- Gets longer with every failure
 
- Screen Locks
- Prevents access to unauthorized users
- Doesn't prevent access via network or USB
- Triggered if phone is left idle
- Examples: PIN, patterns, biometrics, etc.
 
- GPS
- Receives GPS signals
- Apps can record GPS locations
- Allows tracking of movement
 
- Application Control
- Limits installable applications
- Enforces application settings
 
- Storage Segmentation
- Compartmentalizes various data in storage
- Used to separate device apps from user apps
- Can separate company data from user data
 
- Asset Tracking
- Checks in at office
- Location tracking
- Verifies if device is still with user
 
- Inventory Control
- Using mobile device to track hardware
- Devices can read RFID, bar codes, etc.
 
- Mobile Device Management
- Controls and monitors a device remotely
 
- Device Access Control
- Lock screens, etc.
- Device should be unlocked to access USB / Bluetooth
 
- Removable Storage
- Devices support microSD cards
- Can also support external storage
- Sometimes Bluetooth- and WiFi-based storage too
 
- Disabling Unused Features
- Lessens the chance of exploitation
 
 
- Application Security
- Key Management
- Key generation
- Mobile devices have poor RNGs
 
- Key storage
- Use Trusted Platform Module
- Use Removable Hardware
 
 
- Credential Management
- Password managers with multifactor authentication
 
- Authentication
- Methods
- Patterns
- PINs
- Biometrics
- RFID
 
- Encryption when locked
 
- Geotagging
- Embedding of location and date/time in photos
- Can disclose your location when photo is uploaded
 
- Encryption
- Prevents access to data in storage or transit
- Natively available on devices
- Can also be implemented via apps
 
- Application Whitelisting
- Allows only a specific list of apps to be installed
- Implicit deny
 
- BYOD Concerns
- Devices can access the company network
- They need to comply with security policies
 
- Data Ownership
- Personal and company data might be mixed in the device
- They should be segmented
- Policy should define who owns what data
 
- Support Ownership
- Responsibility for repair and maintenance
 
- Patch Management
- Responsibility for installing updates
- How are updates to be installed
- How frequent are updates to be installed
 
- Antivirus Management
- What antivirus solution to use
- Should an antivirus be used
 
- Forensics
- Involvement of a device in investigations
 
- Privacy
- Workers might be tracked when they are out of work
- Contents of device may be monitored by the company
 
- On-boarding/Off-boarding
- On-boarding
- Installing security/management apps
- Secure configuration
 
- Off-boarding
- Wiping business data
- Full reset?
 
 
- Adherence to Corporate Policies
- Personal mobile devices still need to comply with BYOD policies
 
- User Acceptance
- BYOD policy details should be explained well to user
- User must accept BYOD policy so they can be held accountable
 
- Architecture/Infrastructure Considerations
- Allowing BYOD devices might cause more network load
- Might require more IP addresses
- Might require new hardware to be installed (access points)
 
- Legal Concerns
- BYOD increases burden of liability
 
- Acceptable Use Policy
- BYOD opens up inappropriate use of mobile devices
- Risk of information disclosure is also increased
 
- On-board Camera/Video
- Allows employees to take picture of company premises
- Pictures of confidential information may be taken
 
 
- Cyber-Physical Systems
- Limited functionality
- May be part of a larger system/product
- Examples
- Static Systems
- Does not change
- Can't install new apps on it
- Can't be configured
 
- Network Enabled Devices
- Devices that can communicate via networks
- WiFi, Ethernet, Bluetooth
 
- Cyber Physical Systems
- Can control physical components programmatically
- Robots, doors, HVACs, self-driving cars, IoT, etc.
 
- Mainframes
- Usually designed around a single task
- Might be considered static systems
- Able to operate for decades
 
- Game Consoles
- OS is fixed and changed only when vendor releases a system upgrade
- Focused on playing games and media
 
 
- Methods of Securing
- Network Segmentation
- Isolate Cyber-Physical Systems in a separate VLAN
- Prevents remote exploits
 
- Security Layers
- Isolating high security systems from lower security ones
- Implementations
- Physical Isolation
- Network Isolation
- etc.
 
 
- Application Firewalls
- Prevents application specific attacks
- A server-side firewall
- Use a network firewall as well
 
- Manual Updates and Firmware Version Control
- Ensures that updates are tested
- Automatic updates allow for untested versions
- This might lead to reduction in security
 
- Wrappers
- Encapsulates a solution or environment
- Restricts and controls changes to an environment
- Ensures that only valid and secure updates are applied
 
- Control Redundancy and Diversity
- Use multiple and redundant security controls
- Fulfills defense in depth
 
 
 
- Technical Mechanisms
- Layering
- Levels vs. Rings
- Layering: Highest layer is most privileged
- Rings: Lower ring is most privileged
 
- Processes in different layers communicate via interfaces
- Security policy set by higher privileged layers takes precedence
 
- Abstraction
- Generalizing a bunch of objects
- Hiding implementation details
- Only giving information on interfaces and attributes
- Allows setting of policies to groups of generalized objects
 
- Data Hiding
- Put objects in different container from subject
- Ensure that object can only be accessed via a legal way
- Hide data from processes running at different levels
- Hide data from those who don't need to know and are unauthorized
 
- Process Isolation
- Each process has its own memory space
- Processes shouldn't be able to read each other's memory spaces
- Prevents unauthorized data access
- Protects integrity of a process as it can't be modified by another process without its consent
- Implemented via sandboxing processes
 
- Hardware Segmentation
- Process isolation but uses hardware implementations for separation
- Rare; used for national security concerns
 
 
- Policy Mechanisms
- Least Privilege
- Only give processes the privileges they need
- Processes should run in user mode as much as possible
- Use APIs to communicate with kernel mode processes instead
 
- Separation of Privilege
- Minimize the number of privileged operations a process can do
- Basically, principle of least privilege for administrators
- Compartmentalize responsibilities of processes
- Prevents conflict of interest
 
- Accountability
- Record who does what
- Requires authentication and authorization to associate activity with user
- Allows users to be held accountable for their actions
 
 
- Covert Channels
- Allows unauthorized transmission of information
- Detected by analyzing log files
- Types
- Covert Timing Channel
- Modifies system's behaviour to generate timing regularities
- Observing system can then extract information by watching it
 
- Covert Storage Channel
- Writing data to a common storage area
 
 
 
- Coding Flaw Attacks
- Initialization and Failure States
- Security controls get unloaded when a system crashes
- System crashes while it's in privileged mode, giving attacker access
 
- Input and Parameter Checking
- Buffer Overflows: Length checking
- Injection Attacks: Input sanitization and validation
 
- Maintenance Hooks and Privileged Programs
- Allows unauthorized privileged access
- Allows bypassing of security controls
 
- Incremental Attacks
- Data Diddling
- Making small random incremental changes to data
- Difficult to detect
 
- Salami Attack
- Small whittling at assets like a salami
- Transferring small amounts of cash from a compromised bank account over time
 
 
- Time of Check to Time of Use
- Race condition
- Object verified might be different from the one used
- TOC - Time of Check
- Process checks if the object is available and valid
- Attacker replaces object after the program checks it
 
- TOU - Time of Use
- Process then uses the object placed by attacker
 
- Example:
- Process: Check length of file
- Attacker: Replace file with bigger one
- Process: Reserves memory as large as the file that was read
- Process: Loading the actual file into memory causes a buffer overflow
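
The check-then-use sequence from the example above, as an added C example that is not part of the original notes: `racy_overflow_bytes` sizes its buffer from a `stat()` by name and opens the file later, while `safe_load` opens once, sizes from `fstat()` on the descriptor and bounds every read. The function names, the `/tmp` sample files and the `swap_in_bigger` hook standing in for the attacker are assumptions for illustration; the racy function computes the overrun instead of performing it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in for whoever acts between the check and the use. */
typedef void (*race_hook)(const char *path);

/* Write n bytes of constructed sample data to path. */
int write_file(const char *path, size_t n) {
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    for (size_t i = 0; i < n; i++) fputc('A', f);
    return fclose(f);
}

/* Create a fresh temporary file of n bytes; its name is stored in path. */
int make_sample(char *path, size_t len, size_t n) {
    snprintf(path, len, "/tmp/toctou_XXXXXX");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    return write_file(path, n);
}

/* Race hook: atomically replace path with a 4096-byte file. */
void swap_in_bigger(const char *path) {
    char tmp[300];
    snprintf(tmp, sizeof tmp, "%s.swap", path);
    if (write_file(tmp, 4096) == 0) rename(tmp, path);
}

/* Racy pattern: the size is checked by name, the file is opened by name later.
 * Returns how many bytes a read-until-EOF would write past the reserved
 * buffer (computed, not performed, so the demo stays well-defined); -1 on error. */
long racy_overflow_bytes(const char *path, race_hook hook) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;      /* time of check */
    off_t reserved = st.st_size;              /* buffer would be this large */
    if (hook) hook(path);                     /* race window */
    int fd = open(path, O_RDONLY);            /* time of use: may be another file */
    if (fd < 0) return -1;
    off_t actual = lseek(fd, 0, SEEK_END);
    close(fd);
    if (actual < 0) return -1;
    return actual > reserved ? (long)(actual - reserved) : 0;
}

/* Hardened pattern: open once, check the descriptor, bound every read.
 * Returns the number of bytes loaded into *out, or -1 on error or oversize. */
long safe_load(const char *path, race_hook hook, size_t max, char **out) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || (size_t)st.st_size > max) {
        close(fd);
        return -1;
    }
    size_t cap = (size_t)st.st_size, got = 0;
    char *buf = malloc(cap ? cap : 1);
    if (!buf) { close(fd); return -1; }
    if (hook) hook(path);   /* a rename now cannot change what fd refers to */
    while (got < cap) {     /* never read more than was allocated */
        ssize_t r = read(fd, buf + got, cap - got);
        if (r < 0) { free(buf); close(fd); return -1; }
        if (r == 0) break;  /* file shrank: return what is there */
        got += (size_t)r;
    }
    close(fd);
    *out = buf;
    return (long)got;
}

int main(void) {
    char p[64], q[64], *buf = NULL;
    if (make_sample(p, sizeof p, 16) || make_sample(q, sizeof q, 16)) return 1;
    printf("racy: %ld bytes past the buffer\n", racy_overflow_bytes(p, swap_in_bigger));
    printf("safe: %ld bytes read\n", safe_load(q, swap_in_bigger, 1024, &buf));
    free(buf);
    unlink(p);
    unlink(q);
    return 0;
}
```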
 
 
- Technology and Process Integration
- Systems are being implemented via SOA
- SOA integrates separate service applications into a single solution
- Pay attention to Single Points of Failure
 
- Electromagnetic Radiation
- EM leaks create a possible covert channel
- Faraday Cage
- Prevents radiation from going in and out of a bounded area
 
- Jamming / Noise Generation
- Creates meaningless radiation to prevent disclosure of information
 
- Control Zones
- Zone protected by jammers and faraday cages
- A zone where no EM disclosure can occur
 
 
- There is no security without physical security
- Secure Facility Plan
- Critical Path Analysis
- Identifying mission critical assets/processes
- Results in a list of items to secure
- Technology Convergence must be considered
- Technology Convergence
- Tendency for technologies to merge over time
- Results in single points of failure
- Examples
- Voice, Video, Fax, and Data use a single connection
- Integrated Routers, Switches, and Firewalls
 
 
- Example: E-Commerce Server
- Internet Connection
- Computer Hardware
- Electricity
- Temperature Control
- Storage Facility
 
- Site Selection
- Considerations
- Visibility
- Terrain
- Visibility of Approaching Parties
 
- Crime
- Riots
- Vandalism
- Break-ins
 
- Natural Disasters
- Fault Lines
- Tornadoes
- Hurricanes
- Flooding
 
- Surrounding Businesses
- Too Many Visitors
- Noise
- Vibrations
- Dangerous Materials
 
- Utilities
- Fire Department
- Medical
- Police
 
 
- Facility Design
- Considerations
- Required Security Level
- Forced Intrusions
- Emergency Access
- Resistance to Entry
- Direction of Entries and Exits
- Alarms
- Conductivity
 
- Safety
- Fire Rating
- Construction Materials
- Load Rating
 
- Access Control
- Walls
- Doors
- Ceilings
- Flooring
 
- Utilities
- HVAC
- Power
- Water
- Sewage
- Gas
 
 
- Secure Architecture
- CPTED - Crime Prevention Through Environmental Design
 
 
 
- Categories of Physical Controls
- Administrative
- Facility Construction and Selection
- Site Management
- Personnel Controls
- Awareness Training
- Emergency Response and Procedures
 
- Technical
- Access Controls
- Intrusion Detection
- Alarms
- CCTV
- Monitoring
- Heating
- Ventilating
- Air Conditioning
 
- Physical
- Fencing
- Lighting
- Locks
- Construction Materials
- Mantraps
- Dogs
- Guards
 
 
- Corporate v. Personal Property
- Security controls should be placed where company assets are involved
- Company is not responsible for safekeeping employee property
- Company can be responsible for safekeeping key personnel and their property
 
- Functional Order of Controls
- Deterrence
- Make attackers think attacking is a bad idea
- Example: Fencing
- Denial
- Prevent attackers from making an intrusion
- Example: Vault Doors
- Detection
- Detect when an attacker has made an intrusion
- Example: Motion Sensors
- Delay
- Make extraction of asset more difficult
- Example: Cable Lock
 
- Equipment Failure
- Considerations
- Replacement part vendor
- Transport and storage
- Pre-purchasing
- Installation and restoration skills
- Scheduling maintenance and replacements
 
- SLA - Service Level Agreement
- Required response time from vendor to deliver a service
- Includes repair, internet, hosting, etc.
- Must be established with vendor for critical assets
 
- MTTF - Mean Time to Failure
- Time before a device fails
- Expected lifetime of a device
- Devices should be replaced before MTTF expires
 
- MTTR - Mean Time to Repair
- Time it takes to repair a device
 
- MTBF - Mean Time Between Failures
- Time between subsequent failures
- Usually same with MTTF
 
 
- Wiring Closets
- AKA, Premises Wire Distribution Room
- Connects floor/building cables to essential equipment
- Building management must be notified of wiring closet policies
- Multiple wiring closets may exist for large buildings
- To work around the maximum run length
- Maximum run length is 100 meters
- Run length is reduced in noisy environments
 
- Houses wiring for other utilities as well:
- Alarm systems
- Circuit breakers
- Telephone punch down blocks
- Wireless access points
- Security cameras
 
- Rules
- Do not use as storage area
- Have adequate locks
- Keep area tidy
- Remove flammable items
- Video surveillance
- Door open sensor
- Regular physical inspections
- Include in environmental controls plan
 
 
- Server Rooms
- Houses mission critical servers
- Human Incompatibility
- Fill room with halon substitutes
- Low temperature
- Little or no lighting
- Equipment stacked with little room to maneuver
 
- Location
- At the center of the building
- Away from sewage lines, water, and gas
 
- Walls
- One hour minimum fire rating
 
 
- Media Storage Facilities
- Stores blank and reusable media
- Threats
- Theft
- Restrict Access to Media
- Asset Tracking (RFID/NFC)
 
- Malware Planting
- Sanitize Returned Media
- Restrict Access to Media
 
- Data Remnant Recovery
- Secure Data Wiping
- Restrict Access to Media
 
- Destruction
- Fire
- Flood
- Electromagnetic Field
- Temperature Monitoring
 
 
- Data Remnants
- Remaining data on storage left over after deletion
- Deletion only removes file record
- Doesn't remove actual file data from disk
- Can be recovered using un-delete utilities
 
- Restricting Access to Media
- Use a locked cabinet or safe
- Check in and check out procedure
- Have a custodian who manages access
 
 
- Evidence Storage
- Stores evidence after breach
- Requirements
- Dedicated storage system/network
- Keeping storage system offline
- Block internet connectivity
- Tracking all activities on system
- Calculating hashes for all datasets within
- Limiting access to security administrator
- Encrypting all datasets stored within
 
 
- Work Area Security
- Controls
- Separate work areas and visitor areas
- Escort requirements for visitors
- Require badges and RFID tags
- More restrictive access to more sensitive areas
- Sensitive areas should be in the center of facility protection
- Universal access to essential facilities (e.g. restrooms)
- Work area sensitivity classifications
- Walls / Partitions
- Prevents shoulder surfing or eavesdropping
- Walls should cut off false ceilings
- For separating areas with different sensitivity
 
 
 
 
- Data Center Security
- Usually the same as server rooms
- Same policies as server rooms
- Might be a separate building or remote location
- Might be leased
- Technical Controls
- Smartcards
- Types
- Magnetic Strip
- Bar Code
- Integrated Circuit Chip
 
- Threats
- Social Engineering
- Theft
 
- Should come with 2-factor authentication (e.g. PIN)
- Examples: Memory Cards
- Machine readable ID cards with magnetic strip
 
 
- Proximity Readers
- Passive
- Alters reader EM field
- No electronics
- Just a small magnet
 
- Field Powered
- Uses reader EM field for power
- Must be waved near reader
 
- Transponder
- Self powered
- Transmits signal received by reader
- Occurs consistently or at press of button
 
 
- Intrusion Detection Systems
- Detects attempted intrusions
- Used to raise an alarm
- Points of Failure
- Power
- Lack of power prevents the system from operating
 
- Communication
- Lack of communication prevents alarm from being raised
 
 
- Controls
- Heart Beat Sensor
- Periodically tests connectivity between alarm and IDS
- Alarm is raised if heartbeat signal fails
 
 
 
- Access Abuses
- Examples
- Opening Secured Doors
- Bypassing Locks and Access
- Masquerading
- Using someone else's security ID
 
- Piggybacking
- Following someone through a secured gate
 
 
- Controls
- Audit Trails
- Can be manually or automatically generated
 
 
- Emanation Security
- Sources
- Wireless Networking Equipment
- Mobile Phones
 
- TEMPEST
- Government research
- For protecting equipment against EMP
- Expanded to monitoring emanations
 
- Controls
- Faraday Cage
- Box fully surrounded by a wire mesh
- Prevents EM signals from entering and exiting the enclosure
 
- White Noise
- False traffic to hide presence of real emanations
- Real signal from another source can be used
- Used around the perimeter of an area
 
- Control Zone
- A zone protected by a Faraday cage or white noise
- Can be a room, floor, or building
 
 
 
- Utilities and HVAC
- Power Issues
- Terms
- Fault
- Momentary loss of power
 
- Blackout
- Prolonged loss of power
 
- Sag
- Momentary low voltage
 
- Brownout
- Prolonged low voltage
 
- Spike
- Momentary high voltage
 
- Surge
- Prolonged high voltage
 
- Inrush
- Initial surge of power when connecting to source
 
- Transient
- Momentary power fluctuation
 
- Noise
- Prolonged power fluctuation
 
- Clean
- Non fluctuating power
 
- Ground
- The wire in a circuit that is grounded
 
 
- Controls
- UPS - Uninterruptible Power Supply
- Sanitizes power
- Provides power for a few minutes
 
- Power Strips + Surge Protectors
- Fuse blows when damaging power levels occur
 
- Power Generators
- Provides power until main power comes back on
 
 
- Noise Issues
- Generated by electric current
- Affects quality of communications
- EMI - Electromagnetic Interference
- Common Mode Noise
- From difference in power between hot and ground wires
 
- Traverse Mode Noise
- From difference in power between hot and neutral wires
 
 
- RFI - Radio Frequency Interference
- Generated by common electrical appliances
- Microwaves, lights, heaters, computers
 
- Controls
- Shielding
- Grounding
- Power Conditioning
- Limiting RFI and EMI exposure
 
 
- Temperature, Humidity, and Static
- Temperature
- 60F to 70F
- 15C to 23C
 
- Humidity
- 40% to 60%
- Too Much: Corrosion
- Too Low: Static
 
 
- Water Issues
- Threats
- Leakage
- Flooding
- Electrocution
 
- Controls
- Monitor plumbing for leaks
- Ensure water is away from electricity
- Ensure servers are away from water
- Ensure the facility is away from flooding areas
 
 
- Fire Prevention, Detection, and Suppression
- Fire Triangle
- Heat
- Oxygen
- Fuel
- Chemical Reaction
 
- Stages of Fire
- Incipient
- Air ionization; No smoke
 
- Smoke
- Smoke is visible from point of ignition
 
- Flame
- Flame can be seen with naked eye
 
- Heat
- Heat buildup and fire spreads
 
 
- Suppression Mediums
- Water
- Suppresses heat
 
- Soda Acid / Dry Powders
- Suppresses fuel
 
- CO2
- Suppresses oxygen
 
- Halon Substitutes / Nonflammable Gases
- Suppresses reaction
 
 
- Controls
- Training
- Emergency Shutdown Procedures
- Rendezvous Location
- Safety Verification Mechanism
 
- Fire Extinguishers
- A - Wood/Paper - Water, Soda Acid
- B - Oils/Liquids - CO2/Halon/Soda Acid
- Splashes when doused
 
- C - Electrical - CO2/Halon
- Electrocution
 
- D - Metal - Dry Powder
- Produces own oxygen
 
 
- Detection Systems
- Types
- Fixed Temperature
- Metal/plastic which melts at a temperature
 
- Rate-of-Rise
- Monitors speed of temperature change
 
- Flame-Actuated Systems
- Monitors infrared energy
 
- Smoke-Actuated Systems
- Photoelectric / radioactive ionization
 
 
- Suppression
- Water Suppression
- For human friendly environments
- Types
- Wet Pipe / Closed Head
- Pipe is always full of water
 
- Dry Pipe
- Water is filled with gas and is discharged
 
- Deluge
- Large pipes; large volumes of water
 
- Preaction
- Dry pipe until fire is detected
- Has a secondary trigger which releases water
- Allows fire to be dealt with before activating
- Good for areas with electronics and humans
 
 
 
- Gas Discharge Systems
- For human incompatible environments
- Degrades into toxic gas
- Halon is now banned by the EPA
- Types
- Halon
- FM-200 (HFC-227ea)
- CEA-410 / CEA-308
- NAF-S-III (HCFC Blend A)
- FE-13 (HCFC-23)
- Argon (IG55) or Argonite (IG01)
- Inergen (IG541)
- Low Pressure Water Mists
 
 
 
- Damage
- Smoke
- Smoke from a fire can damage storage devices
 
- Heat
- Heat from a fire can damage storage tapes and hardware
 
- Suppression
- Suppression mechanism can damage equipment
- Water and soda acid damages computers
- Can cause short circuits and corrosion
 
- Fire Department
- May damage equipment and walls using axes
- May damage using chosen fire suppression
 
 
- Perimeter
- Accessibility
- Entrances
- Single Entrance
- For security
 
- Multiple Entrances
- For emergencies
 
 
- Roads and Transportation
- Constrained by perimeter security
 
- Controls
- Fence
- Defines a security perimeter
- Deterrent levels
- Vs. Casual Trespassers
- 3 to 4 feet
 
- Vs. Most Trespassers
- 6 to 7 feet
 
- Vs. Determined Trespassers
- 8 feet or more
- With barbed wire
 
 
 
- Gate
- Controlled entry and exit point
- Must match deterrent level of fence
- Must be hardened vs tampering/removal/destruction
- Must not offer access when closed
- Number must be kept to a minimum
- Must be protected by guards or CCTV
 
- Turnstile
- Prevents tailgating
- Allows one person at a time
- Allows movement in 1 direction
- Used for entry rather than exit
 
- Mantrap
- Double set of doors
- Protected by a guard
- Prevents piggybacking or tailgating (e.g. weight measurement)
- Immobilizes a subject until authenticated
- If unauthenticated, subject is locked until authorities respond
 
- Lighting
- Discourages casual intruders
- Not a strong deterrent
- Should not show positions of detection controls
- Should not cause glare to detection controls
- Should illuminate critical areas w/ 2 candle feet of power
- Should be placed as far apart as their illumination diameter
 
- Guards and Dogs
- Advantages
- Can adjust to changing environment
- Can detect and respond to threats
- Acts as a deterrent
 
- Disadvantages
- Cannot be posted in human incompatible locations
- No guarantees of reliability
- Can be subject to injury or sickness
- Vulnerable to social engineering
- Protection stops when life is endangered
- Not aware of the scope of operations of facility
- Expensive
 
 
- Internal Security
- Controls
- Visitor Control
- Escorts
- Monitoring
 
- Locks
- Key / Preset Locks
- Vulnerable to picking / shimming
- Key can be lost
 
- Combination
- Combination can be forgotten
- Can include electronic controls
- Can include multiple valid combinations
 
 
- Badges
- Identification cards
- Can be visual/smartcard/both
- Can be used to authenticate to facility
- Authenticated by security guards or scanning devices
- May require other authentication factors
 
- Motion Detectors
- Detects movement or sound in an area
- Types
- Infrared
- Detects changes in infrared lighting
 
- Heat-based
- Detects changes in heat levels
 
- Wave-pattern
- Transmits signal into area
- Detects changes in reflected pattern
 
- Capacitance
- Detects changes in electrical field
 
- Photoelectric
- Detects changes in visible light patterns
 
- Passive Audio
- Detects abnormal sound in area
 
 
 
- Intrusion Alarms
- Triggered by a sensor
- By Mechanism
- Deterrent Alarm
- Engages additional locks or shuts down doors
- Makes attack more difficult
 
- Repellant Alarm
- Triggers siren and lights
- Meant to discourage attackers
- Forces them off premises
 
- Notification Alarm
- Sends a notification to guards
- Usually silent
- Allows security to capture intruder
 
 
- By Location
- Local Alarm
- Audible alarm
- Can be heard for 400 feet
- Locally positioned guards must be able to respond
- Must be protected from tampering
 
- Central Station Systems
- Notifies a central station
- Locally silent
- Usually well-known security companies
- Examples: Residential security systems
- Proprietary System
- Central station system used by private companies
 
 
- Auxiliary Station
- Alarm which notifies emergency services
- E.g. police/fire/medical
- Can be added to local alarms and central station systems
 
 
- Secondary Verification
- Used to verify if alarm was valid
- Examples
- Multiple Sensor Systems
- Must be triggered in quick succession
 
- CCTV
- Allows guards to manually verify area
 
 
- Safety
- Life
- Protecting human life is the first priority of security
- Includes providing them with means to survive during disasters
- E.g. food, water, etc.
 
- Environment
- Ensuring that environment remains safe during disaster
- Deals with flooding, fires, toxic gas, etc.
 
- Occupant Emergency Plans
- Sustains personnel safety in the wake of a disaster
- How to minimize threats to life and prevent injury
- Does not address IT issues
 
 
- Privacy and Legal
- Privacy
- Protecting personal information from disclosure
- Personal information includes:
- Name
- Address
- Phone
- Race
- Religion
- Age
 
 
 
- Regulatory Requirements
- Depends on industry
- Regulatory requirements must be considered a baseline for security
 
Clark–Wilson is an integrity model.
It's concerned about information integrity, isn't it?