ISMN 5730 exam 2 - Cegielski

stages of BCM

(never-ending cycle) 1. understanding your business 2. BC strategies 3. develop and implement BC response 4. build a continuity culture 5. maintenance and audit

IP

- Composed of 32-bit addresses that are often displayed in the form of 4 groups of decimal digits separated by a period/dot IP fragmentation attacks o Tiny fragment attack o Overlapping fragment attack o Teardrop denial of service attack - IP address spoofing - Source routing - Smurf and fraggle - IP tunneling over other protocols

threats and attacks

- DOS - DDOS - Mobile code - Malicious code - Wireless LAN vulnerabilities - Spoofing - Sniffing - Eavesdropping - Masquerading - Instant messaging vulnerabilities

wireless LAN vulnerabilities

- Detection 1. WLAN generates and broadcasts detectable radio waves for a great distance - Eavesdropping 1. WLAN signals extend beyond physical security boundaries 2. Standard Wire Equivalent Privacy WEP encryption often not used 3. WEP is flawed and vulnerable due to no user authentication - Modification - Injection - Hijacking - WLAN architecture - Radio frequency management

DNS

- Distributed internet directory service - Global network of name servers that translate host names to numerical IP addresses - Internet services rely on DNS to work o if DNS fails, website cannot be located and email delivery stalls - Tree structured - 2 elements o name server (responds to client requests by supplying name to address conversions) o resolver (when it doesn't know the answer, the resolver element will ask another name server for the info)

backdoor/trapdoor

- Implanted intentionally in development, or by error, usually be an insider - Maintenance hook (may have been deliberate and useful) - Also bug/loophole/wormhole

Intrusion Prevention and Detection Intrusion Prevention Systems (IPS)

- Intrusions are prevented - Block attacks in real lime - Intercept and forward packets - Considered access control and policy enforcement Intrusion Detection Systems IDS - Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected - Auditing for intrusion attempts in a timely basis - Considered network monitoring and audit

components of a data network

- Mainframe/server hosts - File servers - Workstations - Software - network operating system and applications - Network adaptor/network interface card - Hub/concentrator/repeater - Bridges - Switches - Router - Gateways

IM security issues

- Most lack encryption capabilities - Most have features to bypass traditional corporate firewalls - Insecure password management - Increased exposure to account hijacking and spoofing

remote access threat

- Often provides undetected access to unprotected back doors - Brute force attack on location's prefix using "war dialer" is an example - Targets of opportunity include 1. Insecure internet connections 2. Unsecured modem access 3. Diagnostic ports on various network devices 4. Admin ports on voicemail system 5. Unauthenticated sessions

system life cycle

- Project management-based method used to plan, execute, and control software development and maintenance - Framework for phases of software development projects and includes disposal stage - Involves teams of developers, analysts, owners, users, technical experts, and security experts

open system interconnection model OSI

- Seven layers - Data transfer occurs with a layer interacting with another layer above or below through the user of interface control information

network protocols

- Standard set of rules that govern the exchange of data between hardware and/or software components in a communications network - Describes the format of a message and how it is exchanged o When computers communicate with one another, they exchange a series of messages o To understand and act, computers must agree on what a message means

system life cycle stages

- Start up - Acquisition and development - Implementation - Operations and maintenance - Decommissioning

TCP (Transmission Control Protocol)

- The protocols in the TCP/IP suite work together to o Break the data into smaller pieces that can be handled by the network o Communicate the destination of the data to the network o Verify the receipt of the data on the other end of the transmission o Reconstruct the data in its original form - Transmission control protocol - Provides reliable data transmission - Retransmits lost/damaged data segments - Sequences incoming segments to match original order - Marks every TCP packet with a source host and port number, as well as a destination host and port number

Data Encapsulation

- To transmit data across a layered network, the data passes through each layer of the protocol stack - It begins at the application layer with the application software passing the data to the next lower protocol in the stack - At each layer, the data is encapsulated (the protocol processes the data in the format that the next protocol layer requires)

VPN

- dynamically established secure network link between 2 specific network nodes or subnets using a secure encapsulation method - uses tunneling AND encryption to protect private traffic over an untrusted network

tunneling

- packaging one network packet (the tunneled packet) inside another (the transport packet) - the tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network - tunnels should be encrypted

how to stay safe when granting remote access safeguards

- publish a clear/definitive remote access policy and enforce it through audit - justify all remote users and review regularly, such as yearly - identify and periodically audit all remote access facilities, lines, and connections - consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ - use phone lines restricted to outbound access for dial-out services - set modems to answer after a predetermined number of rings 1. counters "war dialers" - use secure modems for SINGLE PORT diagnostic and admin access and unplug when not in use - 2 factor user authentication and network access restrictions - use VPN when using public networks - use personal firewalls and anti-virus tools on remote computers

remote access services

- typically conducted over an untrusted network - increased risk to disclosure, modification, and denial of service - remote access security minimums o strong identification and authentication services - rapid growth of remote access via the internet o wide availability o economical

Address resolution protocol

- used when a node knows the network layer address but needs the data link layer address to forward the encapsulating frame - the software maintains a table of translation between IP addresses and data link addresses

attack methodology

1. Identify target and collect info ♣ Map the target's network (traceroute, FIN scanning, port scanning, TCP half scanning, FIN scanning, OS fingerprinting) ♣ Trying to find: domain names, network numbers, IP addresses, names/phone numbers of personnel, network map, including services available or running, operating system type and version 2. Analyze the target to identify a vulnerability ♣ Query to gather detailed info like operating system and services running, many systems will freely volunteer the product name and version number; list of user ids, share d file systems, system info, probe telephone lines for modems that answer 3. Gain access to the target ♣ Make connection attempts using direct login attempts to reach hosts; modems to attack remote access servers and modems attached to individual computers ♣ Try to guess passwords ♣ Exploit known security vulnerabilities; perform piggybacking, hijacking, spoofing ♣ Use social engineering ♣ Perform denial of service attack 4. Escalate privileges ♣ Try to gain admin or operator privileges ♣ Try to utilize the compromised system to gain access to more valuable systems ♣ Techniques: buffer overflows, Trojan horses, password guessing or install a password ♣ Sniffing, gathering, cracking tool ♣ Exploit trust relationships 5. Complete the attack ♣ Install a backdoor mechanism that allows the attacker to bypass access control and avoid detection such as a rootkit ♣ Create rogue user account ♣ Close the original vulnerability so no one else can compromise the system ♣ Modify audit logs if they are stored locally to prevent discovery of the attack

categories of recovery strategies

1. business recovery 2. facility and supply 3. user 4. operational 5. data

5 types of BCP testing strategies

1. checklist 2. structured walk through 3. simulation 4. parallel 5. full interruption

phases of BCP

1. project management and initiation - establish need for BCP - get support from management - establish project management work plan - get members of the BCP team 2. business impact analysis 3. recovery strategy 4. plan design and development 5. testing, maintenance, awareness, and training

8 steps of the BIA

1. select interviewees 2. determine info gathering techniques 3. customize questionnaire to gather economic and operational impact information 4. analyze information 5. determine time-critical business systems 6. determine maximum tolerable downtimes 7. prioritize critical business systems based on maximum tolerable downtime 8. document finding and report recommendations

ACID test

Atomicity - either all changes take effect or none Consistency - a transaction is allowed only if it meets owner/system defined integrity constraints Isolation - the results of the transaction are not visible until the transaction is complete Durability- a completed transaction is permanent

challenges to ESA

GLOBAL ACCESS greater number of user access points END TO END SECURITY different business models, mergers, changing technologies, interfaces with legacy systems LEGAL AND REGULATORY fiduciary responsibilities, data confidentiality, upstream and downstream liability

business impact analysis

Identifies all critical business functions and the effect that a specific disaster may have upon them

threat: malformed input attacks

SQL injection: inserting a series of SQL statements into a query by manipulating data input into an application

secure shell

SSH, SSH2 - powerful method of performing client authentication - safeguards multiple service sessions between 2 systems - support for 1. host and user authentication 2. data compression 3. data confidentiality and integrity - credentials are validated by digital certificate exchange using RSA

system architecture

a high-level design used to satisfy a system's security requirements as defined in an organization's security policy

business continuity planning

addresses the preservation and recovery of the business in the event of outages to normal business operations approved set of advanced arrangements and procedures that enable an organization to - ensure the safety of the people - minimize the amount of loss - facilitate the recovery of business operations to reduce the impact of an event while resuming critical functions within a predetermined period of time - repair or replace the damaged facilities ASAP

business impact analysis measures impact by

allowable business interruption maximum tolerable downtime financial and operational considerations regulatory requirements organization reputation

Remote access technologies

allows users to access network info through a dial-in wireless connection

internet access

allows users to access network info through an ISP connection internet service provider

a complete conceptual model of systems including software, hardware, and users is known as

architecture diagram

disaster activity

assemble emergency operations team contact recovery team members to start damage assessment determine extent of damage calculate tie required to resume operations notify management declare disaster and begin continuity/recovery plans maintain log of all steps taken move backup resources to the recovery site

virus

central characteristic is reproduction generally requires some action by the user may or may not carry payloads payloads may or may not be damaging types: file infector, boot sector infector, system infector, email virus, multipartite, macro virus, script virus, hoax

threat: executable content/mobile code

code is downloaded to the user's machine and executed running programs on a computer may give the program unexpected access to resources on the machine ex: web applets: mini programs written in Java that are automatically loaded and run; a video streaming applet written in Java and downloaded to clients fro a server ex: dynamic email: active scripts/messages are included in email messages

restoration

complete assessment of all damages initiate cleanup of the primary site implement necessary replacement procedures

applications software

comprised of programs, processes, utilities, and drivers to provide user functionality and support business activities allows users to execute and perform computerized tasks

enterprise security architecture

defines the information security strategy that consists of layers of policy, standards, and procedures and the way they are linked across an enterprise - Longer life than a blueprint, design specification, topology, or configuration - Constrained by current or changing circumstances if too specific - Cannot provide good guidance if too general - Support long term view of technical direction, not short term technical constraints - Not invalidated by changes in technical direction COMPONENTS - Strategic alignment - Process enhancement - Business enablement - Security foundation - Aligned with best practices

database

developed to manage information from many sources in one location eliminates need for duplication of information in the system preserves storage space prevents unnecessary inconsistency in data by making changes in one central location

DDOS zombie

expands effect of denial of service middle of master/attackers - agent - target structure hides attacker and multiplies attack

business continuity management

framework to review the way an organization provides its products and services while increasing its resilience to disruption

logic bomb

generally implanted by an insider waits for condition or time triggers negative payload

database security issues

inference aggregation unauthorized access improper modifications of data access availability database views query attacks bypass attacks interception of data web security data contamination

RAT

installed, usually remotely, after system is installed and working

spyware and adware

intended as marketing, not malice installed with other software as a separate function or program generates unwanted or irrelevant advertising reports on user activities

disaster

interrupts normal business processes sudden, unplanned, calamitous event that brings about great damage or loss event that creates an inability on an organization's part to support critical business functions for some predetermined period of time

if the time estimated to resume operations exceeds the MTD for critical business functions...

management should consider declaring a disaster and implementing the BCP

actions

move unused backup materials from alternate site to primary site do least critical work first perform installations and updates of the programs and data certify and accredit the system at the primary site initiate normal processing

enterprise

multiple internal networks, internal areas or domains, and various internal devices and systems, applications, and a diverse user presence as a single collective unit

types of disasters

natural system/technical supply systems (electrical power problem) human-made/political

botnets

networks of infected machines

classes of maximum tolerable downtime

non essential normal important urgent critical/essential

O/S

operating system first layer of software objective is to control the use of system resources provide a convenient, easy to understand view of the computer to users

data diddler

payload in a trojan horse or virus that deliberately corrupts data, generally by small increments over time

Zachman Framework

popular choice to define an enterprise architecture Provides a two dimensional classification scheme for descriptive representations of an enterprise ROWS represent 6 levels of architectures with increasing levels of detail COLUMNS represent different areas of interest for each view

threat: buffer overflow

process of exploiting a program weakness by sending long strips of input data into a system that is not prepared to truncate it through proper bounds checking ex: typing your name into a box and holding down the y key for a long time

trojan horse

purported to be a positive utility hidden a negative payload social engineering

wireless

radio frequency, infrared, optical, satellite

online transaction processing OLTP

recording transactions in real time security controls: - concurrency (ensure two users cannot simultaneously change the same data) - atomicity (if one step fails, then all steps should not complete)

worm

reproduces generally uses loopholes in systems doesn't use user often attacks server software

BCP requirements

response to emergencies ensure survivability of the business provide procedures and resources to assist in recovery identify vendors that may be needed

threat: denial of service

result of another person or process consuming the resources on the system and thus denying the resources for the use of others when testing programs, test for how the application would respond to a DoS attack

view based access controls

security achieved through the appropriate use of "views" allows the database to be logically divided into pieces so sensitive data is hidden from unauthorized users controls are located in the front end application that the user interfaces with and not the back end query engine

malicious software

software or programs intentionally designed to include functions for penetrating a system, breaking security policies, or to carry malicious or damaging payloads programming bugs or errors are not generally included in malware ex: backdoors, data diddles, DDOS zombie, hoax warnings, logic bombs, pranks, RATs, trojans, viruses, worms, zombies, spyware/adware, botnets

recovery site

space needs security needs fire protection infrastructure requirements resume critical business functions at recovery site

infrastructure

supporting elements needed for functionality; includes items such as hardware, software, operating system, applications, utilities, network environment

architecture

the highest level concept of a system in its environment cohesive design of the elements; includes items such as principles, concepts, methods, practices, standards - Are fundamental statements of value, operation, or belief that defines the overall approach to IT security - Define the philosophy of the organization that directs security policies - Requires formal commitment from the executives to be relied upon for guidance - Often hard to define - May require assistance with scope definition and management, issue validation, and the definition of the resulting security principles

database management system provides

transaction persistence fault tolerance and recovery sharing by multiple users security controls

physical cabling

twisted pair, coaxial cable, fiber optics

lock controls

used to control read and write access to specific rows of data in a relational system or objects in object-oriented systems ensure only one users at a time can alter data better programming logic and testing reduce deadlocking problems

hoax

uses uses rather than programming meme or mind virus social engineering usually warns of a "new virus" can be bigger problem than the viruses themselves

threat: time of check/time of use

when control info is changed between the time the system security functions check the contents of the variables and when the variables are actually used