These are my personal notes (and my own understanding of the different topics) which I have gathered from reading through different resources. These notes may help prepare for various Security exams.
You are more than welcome to share these notes.
CIA Tried is the core principle behind Information Security. Everything else in Information Security are simply details which always refer back to one or more of CIA principles.
Confidentiality: prevents disclosure.
Integrity: prevents alteration.
Availability: prevents destruction
There are several Symmetric (same key, also known as secret key,) and Asymmetric (different keys, also known as public key) algorithms that provide confidentiality from the CIA Tried perspective. The most common Symmetric algorithms are:
Asymmetric algorithms that provide confidentiality include:
- • Diffie Hellman – provides key exchange, lacks authentication, was the first Asymmetric algorithm
• El Gamal
• Elliptic Curve
- DSS – Digital SignatureStandard
- DSA – Digital Signature Algorithm
When your goal is to achieve confidentiality, you encrypt message with recipient’s public key. However, if you want to maintain integrity, you encrypt message with your private key because your goal is authenticity and not confidentiality.
Symmetric + Integrity = Message Authentication Code (MAC)
Asymmetric + Integrity = Digital Signature
MAC: Four types:
Stream Ciphers: Symmetric, fast, KeyStream, prefer on hardware implementation
Block Ciphers: Symmetric, fix length/fix block, suitable for software implementation
Key Clustering: Occurs when two different keys generate the same cipher text from the same plaintext using the same cipher algorithm.
Collision: When an algorithm produces the same hash values for two different messages
Pretty Good Protection (PGP): uses Symmetric encryption to encrypt and uses Asymmetric algorithm to encrypt session key and send it securely to the receiver. It is considered a Hybrid System. It also uses “web of trust” vs the Certificate Authority. Other Hybrid systems include: SSL, PGP, IPSEC, S/MIME.
Kerberos: depend of Symmetric key. Key Distribution Center KDC: holds only private keys and NOT public.
Authentication Header: provides strong integrity, authentication and non-repudiation (cannot deny sending it).
X.509 Digital Certificate includes: Serial number, Signature algorithm identifier, Issuer name, Validity period, Subject’s name, Subject’s public key.
MD5, SHA, Message Digest, HAVAL, One Way HASH
Hashing: algorithms provide data integrity only. When a hash algorithm is applied to a message, it produces a Message Digest and this value is signed with sender’s private key to produce Digital Signature.
Digital Signature: provides integrity with MD5 and/or SHA algorithm and accountability because of public/private key pairs; provides integrity, authentication, and non-repudiation.
- Identification (who you are)
- Authentication (proving by something you know, something you have, something you are)
- Authorization (read, write, execute)
- Audit (logs)
Verification: identification Validation: Authentication
Certification: Technical evaluation of product.
Accreditation: Formal acceptance of risk.
Covert Timing Channel: Modulation; speed up or slow down something.
Covert Storage Channel: A process writes data to a storage location.
TOC/TOU: Time of check; time of use.
Steganography: Digital watermarks, least significant bit.
Digital Signature: Uses Asymmetric, a hash value that has been encrypted with a sender’s private key.
Known PlainText: plaintext and the encrypted version.
CipherText Only: Access to only CipherText.
Clipper Chip: Key Escrow, uses SkipJack algorithm.
HTTPS vs S-HTTP: HTTPS – protects the entire communication channel. S-HTTP – protects only each message (application data) and not the communication channel.
Due Care: doing the right thing, performing the ongoing maintenance necessary to keep something in proper working order. Opposite = negligence.
Due Diligence: Investigating, performing research before committing to a course of action. Opposite = haphazard; not doing your homework.
Remote Journaling: Act of parallel processing transaction logs to an offsite facility.
Electronic Vaulting: Bulk, batch transfer of information.
Database Shadowing: Live process that duplicates transactions and the entire files from primary server to backup.
Degree = Columns Cardinality = Number of rows
Total Risk: Inherent risk, comprehensive.
Pseudo Flow: Loophole purposely added to operating system or application to trap intruders.
Residual Risk: Left over risk; usually after a countermeasure in place.
8 Steps of BIA Business Impact Analysis:
- Select individuals to interview for data gathering.
- Create data gathering techniques – survey questions.
- Identify the company’s critical business functions.
- Identify the resources these functions depend upon.
- Calculate how long these functions can survive without these resources.
- Identify vulnerabilities and threats to these functions.
- Calculate the risk for each of these functions.
- Document finding and report them to management.
Subject’s sensitivity label must be equal to or greater than the object’s sensitivity label in order for subject to have read access to it. It would have to dominate the object’s sensitivity label.
In order for a subject to have write access to an object, subject’s sensitivity label must be dominated by the object’s sensitivity bale.
Identification: One to Many Authentication One to One
Mandatory Access Control: based on security labels which indicate clearance and classification of objects. Lattic Based: type of MAC, least upper and greatest lower bounds.
Discretionary Access Control: Uses Access Control List, identify based, controlled access protection.Rights are determined by many different entities, set by owner; identify-based.
Non-Discretionary: central authority determines access rights; role based.
Dedicated Security: Single state.
System High Security: Have the clearance and have the need to know.
Compartmented Security: Have the clearance but not the need to know.
Multilevel Security Mode: Controlled security mode; multiple state, mandatory.
Clark-Wilsion Model: Similar to a change control board in an organization. Well-formed transactions, prevents collusion (working together to do something bad), constrained data items, integrity verification procedures, transformation procedures. Access triples – 3 rules:
- Prevents unauthorized users from making modifications.
- Prevents authorized users from making improper modifications.
- Maintains internal and external consistency.
Take-Grant Model: consists of a set of states and state transactions. A directed graph shows the connections between the nodes of the system. Theses nodes are representatives of the subjects or objects of the model.
Non-Interference: User’s actions in one domain cannot affect with other users.Strictly separates differing security levels to assure that higher level actions do not determine what lower level users can see.
Information Flow: Similar to Bell LaPadula, it controls how information may flow between objects based on security classes. Information will be allowed to flow only in accordance with security policy.
Access Control Matrix Model: Straight forward approach provides access rights to subjects for objects, two dimensional. Capability – is in rows ACL – column in the matrix. ACL is applied to objects Capability is applied to subjects.
Brewer and Nash (Chinese Wall): Mathematical theory, dynamically changing, prevents conflict of interest and fraudulent modifications.
Protection Domain: goal is to protect programs from all unauthorized modification or interference.
Security Perimeter: is the boundary that separates the trusted computing base from the remainder of the system.
Category Set = Compartment Set
High Humidity: >60% = corrosion
Low Humidity: <40% = static electricity
A = Common combustibles
B = Liquids
C = Electrical
D = Metals
Soda Acid: suppresses fule supply of the fire
Carbon Dioxide: removes oxygen from the fire
Halon (FM-200 replacement): suppresses combustion by disrupting the chemical reactions
Fire protection for ceiling should be minimum of an hour and adjacent walls where purpose records are stored should be 2 hours. Fire extinguishers should be placed 50ft from electronics.
Fences: critical areas should have at-least 8ft with 3 strands of barbed wire. Lighting: 8ft high providing at least 2 foot candles.
Occupant Emergency Plan: provides coordinated procedures for minimizing loss of life or injury and protecting damage in response to a physical threat.
Recovery Time Objectives: amount of time allowed for the recovery of a business function. If RTO exceeds, then severe damage to organizations occurs.
Recovery Point Objectives: point in time in which data must be restored in order to resume processing.
Inline UPS: Constantly provides power.
Standby UPS: Switches to battery power after outage.
Clean Power: No interference; no voltage fluctuation.
Positive Pressurization: Air goes out; in an event of a fire, smoke should go out.
Most Effective = Low CER Least Effective = High CER
A network topology defines the manner in which the network devices are organized to facilitate communications. Common LAN technologies are:
LAN transmission methods refer to the way packets are sent on the network are:
LAN transmission protocols are the rules for communicating between computers on a LAN. Common LAN transmission protocols are:
LAN media access methods controls the use of a network (physical and data link layers). They can be:
- Token Ring
TCP: connection oriented UDP: connectionless
TCP/IP: is composed of 2 protocols: IP – defines the rules for getting a packet from one point to another and TCP protocol defines the rules for ensuring that data is received at the destination is accurate and in the correct sequence.
Password Authentication Protocol PAP: Passwords are send in cleartext; vulnerable to sniffing, MITM and replay attacks.
Challenge Handshake Authentication Protocol CHAP: User’s password is used to encrypt challenge value. Unlike PAP, password is not sent over the wire.
Tunneling: is placed onto of encaspulation.
WTLS: “Gap in the WAP” translation to wire, short period sensitive data encryption.
- Circuit Switching (ISDN, POTS):
- Virtual connection acts like a dedicated link, connection oriented, digital and fix delays.
- Packet Switching (X25, Frame Relay):
- First packet switching technology, permanent switched virtual circuit, committed information rate.
- Cell Switching (ATM):
- 53-byte fixed cells, high bandwidth, switching, multiplexing.
- ATM – Asynchronous Transfer Mode: is a cell switching technology, uses virtual circuits but unlike Frame Relay it used fixed-size frames or cells, it can guarantee through out which makes ATM an excellent WAN technology for voice and video conferencing.
Individual Packet of Ethernet is: Frame
Individual Packet of IP is: Datagram
Individual Packet of TCP is: Segment
Security Kernel: Made up of hardware, software, firmware.
Indirect Addressing: When the address location that is specified in the programs instruction contains the address of the final desired location.
Direct Addressing: When a portion of primary memory is accessed by specifying the actual address of the memory location.
SESAME: developed to address some of the weakness in Kerberos and used public key cryptography for the distribution of secret keys and provides additional access control support.
IPSec: Internet Protocol Security – usually used for VPN; secure channel 2 servers, 2 routers, a workstation and a server; or 2 gateways between different networks. Two modes: Transport and Tunnel:
- Transport Mode: Where the payload of the message is encrypted.
- Tunnel Mode: Where the payload and the routing and the header information is all encrypted; uses public key.
SSL – Secure Socket Layer: developed by Netscape, public key.
SSL/TLS – TLS is the successor of SSL. It adds more encryption & hashing options such as using two different hashing methods to reduce the chance of hash collision. Relies on Public Key Infrastructure for encryption.
ISO has defined 5 basic tasks related to network management: fault management, configuration management, accounting resources, performance management, security management.
RADIUS: SLIP, PPP, – UDP, Dial-in user service, 3 modes: Accept, Reject, Challenge.
DIAMETER: next generation RADIUS, can be used on any modern devices: PDAs, laptops, cell phones, etc.
Padded Cell: fill in the empty space with noise.
Data Definition Language (DDL): is used to create and destroy databases and database objects.
Data Manipulation Language (DML): is used to retrieve, insert and modify database information.
Data Control Language (DCL): defines the internal organization of the database.
Ad Hoc Query Language (QL): for users to make queries and access the data within the database.
Waterfall Model: Traditional model, completion of one tasks leads to start of another.
Prototyping: refines models/prototypes until acceptable which results of design and completion of the final version.
Spiral: combination of waterfall and prototyping.
Verification: ensures specifications are properly met Validation real world use, solves the problem.
Object Oriented Programming: Class – Families; Object – Specific set from family
Rational Database Management System (RDBMS): is a database management system in which data is stored in tables and the relationships among the date are also stored in tables. The data can be accessed or reassembled in many different ways without having to change the table forms.
Polymorphism: Character changing type of viurs.
Polyinstantiation: Creation of many instances/version of an object using different values of its variables to ensure that lower level subjects do not access data at a higher classification; copy and repopulate.
Aggregation: Obtaining information of a higher sensitivity by combining information from low level sensitivity.
High Cohesive: Working independently; with little or no help.
Low Cohesive: Need help from others.
High Coupling: Measurements of interaction between objects.
Low Coupling: Less interaction; provides better software design.
Relational Database Model: Data structures called tables or relations, integrity rules on allowable values and value combinations in the tables, operators on the data in the tables.
- Atomicity = All or none
- Consistency = Does not breach the rules ; integrity constraints
- Isolation = Not visible until transaction is complete
- Durability = Transaction are permanent
Ingress Filtering: Do not allow packets in with internal source address.
Egress Filtering: Do not allow packets to leave with external source address.
M.O.M: Motivations, Opportunities, Means – Why crimes are committed.
- Preventive: Concerned with avoiding occurrences of the risk
- Deterrent: Concerned with discouraging violations
- Detective: Identify occurrences
- Corrective: Remedying circumstances and restoring controls
- Compensative: Alternative controls used to compensate weakness in other controls
- Preventive: Concerned with avoiding occurrences of the risk
ISC2 Code of Ethics:
- Safety of the commonwealth
- Duty to our principals and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior
- Therefore, strict adherence to this code is a condition of certification
Code of Ethics Canons:
- Protect society, the commonwealth, and the infrastructure
- Act honorably, honestly, justly, responsibly, and legally
- Provide diligent and competent service to principles
- Advance and protect the profession
Response Time Frame:
- Critical – Minutes to Hours
- Urgent – 24 hours
- Important – 72 hours
- Normal – 7 Days
- Non Essential – 30 Days
- Critical – Minutes to Hours
Peril Policy: covers what is “named” – included in the policy. Good choice for those whose business is located in an area frequently hit by disasters.
All Risk/Comprehensive/Open Peril Policy: covers your business from damages caused by any type of disaster with the exception of those specifically excluded in the policy.
- Project initiation and planning
- Functional requirements definition
- System design specification
- Development and implementation
- Documentations and common program controls
- Testing and evaluation control, certification and accreditation
- Transition to production implementations
- Operation and maintenance support
- Revisions and system replacement
Backward Chaining: System backtracks to determine if a given hypothesis is correct
Forward Chaining: Acquires information and comes to conclusion based on that information. Used when there is a small number of solutions relative to the number of inputs.
Active Attempts: alters the data or otherwise affects the flow
Passive Attempts: just observes the flow and gain knowledge of information that contains evidence (traffic analysis, eavesdropping, shoulder surfing)
Best Evidence: Original, primary evidence rather than a copy of duplicate of the evidence
Secondary: Copy of evidence, oral description of its contents; not as reliable as the best evidence
Direct: Proves or disproves a specific act through oral testimony based on information gathered through witness’s five senses
Conclusive: Incontrovertible; overrides all other evidence
Opinions: Experts or Non-experts
Circumstantial: Factual knowledge of information from others, immediate, relevant facts
Corroborative: Supporting evidence used to help prove an idea or point; used as supplementary tool to help prove a primary piece of evidence
Hearsay 3rd Party: Oral or written evidence that is presented in court that is second hand and no first hand proof of accuracy or reliability. Usually not admissible in court; computer generated records
TEMPEST: U.S. government established program that addressed the problem of Radio Frequency Signals generated by computers. This required shielding and other emanation, reducing mechanism to be employed
Output Control: for verifying the integrity and protecting the confidentiality of an output
System Reboot: performed after shutting down the system in a controlled manner in response to a TCB failure
Emergency System Reboot: is done after a system fails in an uncontrolled manner but consistency can be brought back automatically to the system
System Cold Start: takes place when unexpected TCB or media failures take place and the recovery procedures cannot bring the system to a consistent state. Intervention of administrative personnel is required to bring the system to a consistent state from maintenance state/mode
Incremental BackUp: is the fastest on daily bases; only copies files that have been recently changed or added. Backups addresses Integrity, Recovery, and Availability
Similar to Secure Shell, Secure Socket Layer (SSL) uses Symmetric encryption for encrypting the bulk of the data being sent over the session and it uses Asymmetric or Public Key key cryptography for peer authentication
Transport layer sets up communication between computer systems; while the session layer sets up connections between applications
Critical Survey: is implemented through a standard questionnaire to gather input form the most knowledgeable people not all personnel that is going to be part of the recovery team
Spoofing Attack: when an attempt is made to gain access to a computer system by posing as an authorized user a system
Spamming: refers to sending out or posting junk advertising and unsolicited mail
Smurf Attack: is a type of DoS attack using ping and spoofed address
Sniffing: refers to observing packets passing on a network
Multiprocessing: more than one CPU
Multitasking: simultaneous execution of 2 or more programs. Both launched but only one in running state
Multiprogramming: interleaved execution of two or more programs by CPU. Several programs run at the same time on a uni-processor. Operating system executes part of one program, then part of another. To the user it appears that all programs are executing at the same time
Ring 0: Operating System Kernel
Ring 1: Remaining parts of the Operating System
Ring 2: Input/Output drivers and utilities
Ring3 : Applications and prorgams
Business Resumption Planning: details the steps required to restore normal business operations after recovery from a disruptive event
Business Continuity Planning: develops a long-term plan to ensure the continuity of business operations
Continuity of Operations: describes the procedures required to maintain operations during a disaster
Occupant Emergency Plan: provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel environment or property
Recovery Point Objective: moment in time at which data must be recovered and made available to users in order to resume business operations
Recovery Time Objective: the time it takes to bring a failed system back online
Trusted Computing Base: total combination of protection mechanisms within a computer system: software, firmware, hardware
Common Attacks (not original content):
- Information Leakage: OS/Server/Database fingerprinting, usernames, passwords, installation paths.
- Configuration: Misconfiguration/insecure configuration of apps, OS, system, etc.
- Bypass: Authentication, authorization, file control, front end (can access backend systems directly).
- Injection: Command injection, code injection SQL injection (SQLi), Blind SQLi, Cross Site Scripting (XSS), HTTP response splitting, Cross Site Request Forgery (CSRF).
- Directory Traversal
- File Inclusion
- Username Harvesting: by collecting valid usernames you only need to guess the passwords which results in increase in the probability of a successful guess and reduces the overall time.
Cross Site Scripting CSS/XSS: Application layer (
- Also known as script injection.
- Leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect same type of data from the victim. Source Ref.
- In a typical XSS attacker, the attacker infects a legitimate webpage with his malicious client-side script. When a user visits this web page the script is downloaded to his browser and executes. Source Ref.
- Two types:
SQL Injection (SQLi): a subset of the unverified and unsanitized user input vulnerability. Source Ref.
- Two types: normal also known as in-band and Blind SQLi.
- Blind SQLi is similar to normal SQLi the primary difference being that error messages are not displayed back from the target system.
- Two types: normal also known as in-band and Blind SQLi.
Directory Traversal (directory climbing, backtracking): form of HTTP exploit in which a hacker uses the software on a Web server to access data in a directory other than the server’s root directory. If the attempt is successful, the hacker can view restricted files or even execute commands on the server. It is commonly performed using Web browsers. Any server in which input data from Web browser is not validated is vulnerable to this type of attack. Source Ref.
Watering Hole: ” threat actors compromise a carefully selected website by inserting an exploit resulting in malware infection”
False Positives (vulnerability scanning): when vulnerability is identified by the scanner but in actuality does not exist.
False Negatives (vulnerability scanning): scanner does not identify vulnerabilities that in fact exist in the environment.
|GET||The GET method is used to retrieve information from the given server using a given URI. Requests using GET should only retrieve data and should have no other effect on the data.|
|HEAD||Same as GET, but only transfer the status line and header section.|
|POST||A POST request is used to send data to the server, for example customer information, file upload etc using HTML forms.|
|PUT||Replace all current representations of the target resource with the uploaded content.|
|DELETE||Remove all current representations of the target resource given by URI.|
|CONNECT||Establish a tunnel to the server identified by a given URI.|
|OPTIONS||Describe the communication options for the target resource.|
|TRACE||Perform a message loop-back test along the path to the target resource.|
DNS (Domain Name Services): Holds mapping of IP addresses with website names. When you attempt to access a website, your system first checks if the name to IP address mapping is cached in your browser (from a previous visit). If not, the next place it will check will be your system’s local cache. If it does not find it there, then it will reach out to your ISP DNS server. If the mapping information is not there either, then the ISP DNS server will reach out to authoritative nameserver of your request.
Common DNS Records:
- A – Points to a host’s IP address
- MX – Points to domain’s mail server
- NS – Points to host’s name server
- CNAME – Canonical naming allows aliases to a host
- SOA – Indicate authority for domain
- SRV – Service records
- PTR – Maps IP address to a hostname
- RP – Responsible person
- HINFO – Host information record includes CPU and OS type
- URG – Urgent: It states that the data contained in the packet should be processed immediately.
- ACK – Acknowledge: Used to acknowledge the receipt of a packet.
- PSH – Push: Used to instruct the sending system to send all buffered data immediately.
- SYN – Synchronize: Used to initiate a connection between hosts.
- FIN – Finish: It tells the remote system that there will be no more transmission.
- RST – Reset: Used to reset a connection.
Spot Base64: [A-Z, a-z, 0-9, and + /] If needed [=] used for padding.
Spot MD5 : [a-f, 0-9] total of 32 characters
More to come…
Last Update: 01/30/2016
- CISSP Reloaded
- CISSP Key Points Review
- Information Security Assurance – CISSP Domain Review
- ISC2 Member Counts
- Penetration Testing 101
- Security Engineering
- Why Certify?
- Why You Should Not Get CISSP
- Why You Should Sit And Study For CISSP