CISSP Study Material
security policy
A security policy is an overall general statement produced by senior management (or a selected policy board or committee) that dictates what role security plays within the organization.
Security Token, Static Password Token, Synchronous Dynamic Password Token, One-time Password, Asynchronous password, Passphrase, Cognitive Passwords
A security token (also called a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user is given to ease authentication. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be; it acts like an electronic key to access something. Some tokens store cryptographic keys, such as a digital signature key, or biometric data, such as fingerprint minutiae. Some designs feature tamper-resistant packaging, while others include a small keypad to allow entry of a PIN, or a simple button that starts a generating routine together with a display that shows the generated key number. All tokens contain some secret information that is used to prove identity, and there are different ways in which this information can be used. Tokens are the tool used to supply dynamic passwords.
A static password token is a device that contains a password which is physically hidden but is transmitted for each authentication. The token authenticates the identity of the owner to the information system. Static passwords are passwords that can be reused, but may or may not expire; they can therefore be used for every log-on session if password expiration has not been configured. A password that is the same for each log-on is called a static password, and a password that changes with each log-on is termed a dynamic password. The changing of passwords can also fall between these two extremes: passwords can be required to change monthly, quarterly, or at other intervals, depending on the criticality of the information needing protection and the password's frequency of use. Obviously, the more times a password is used, the more chance there is of it being compromised.
Synchronous dynamic password token: a timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks. Synchronous dynamic password tokens generate new passwords at specific time intervals that are synchronized with the main system, and each password is only valid for a specific time period.
A one-time or dynamic password is no longer valid after it has been used and, if obtained by a hacker, cannot be reused. One-time or dynamic passwords are used in environments where a higher level of security than static passwords is required.
Asynchronous password token: a one-time password is generated without the use of a clock, either from a one-time pad or from a cryptographic algorithm.
A passphrase is a sequence of characters that is longer than a password and, in some cases, takes the place of a password during an authentication process. Passphrases are long static passwords made up of the words in a phrase or sentence. The user enters this phrase into an application, and the application transforms the value into a virtual password, giving it the length and format that the application requires. (For example, an application may require your virtual password to be 128 bits so that it can be used as a key with the AES algorithm.) If a user wants to authenticate to an application such as Pretty Good Privacy (PGP), he types in a passphrase, let's say StickWithMeKidAndYouWillWearDiamonds. The application converts this phrase into a virtual password that is used for the actual authentication. A passphrase is more secure than a password because it is longer, and thus harder for an attacker to obtain. In many cases, the user is also more likely to remember a passphrase than a password.
Cognitive passwords refer to fact-based or opinion-based information used to verify the identity of an individual. The cognitive password enrollment process requires the answering of some questions based on the user's life experiences.
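As an added illustration (not part of these notes and not any vendor's token firmware), here is a synchronous dynamic password scheme in Python using the TOTP construction: token and authentication server share a secret and a clock, every 30-second step yields a new password, the server tolerates one step of clock drift, and a password that has already been accepted is refused if presented again. The shared secret and user name in the usage are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds: how long each generated password stays valid (shared by token and server)


def synchronous_password(secret, unix_time, step=STEP, digits=6):
    """Token side. The password depends only on the shared secret and the current time
    step, so a token and a server with synchronized clocks compute the same value.
    This is the TOTP construction: HMAC-SHA1 over the step counter, then dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class AuthServer:
    """Server side: recomputes the expected passwords for the current step and its neighbours."""

    def __init__(self, secrets, skew_steps=1):
        self.secrets = secrets        # user -> shared secret seeded into the token at enrollment
        self.skew_steps = skew_steps  # tolerated clock drift, in time steps, in either direction
        self.last_step = {}           # user -> most recent step already used to log on

    def verify(self, user, password, now):
        secret = self.secrets[user]
        current = now // STEP
        for step in range(current - self.skew_steps, current + self.skew_steps + 1):
            expected = synchronous_password(secret, step * STEP)
            if hmac.compare_digest(expected, password):
                # One-time property: a password for this step (or an earlier one) has
                # already been accepted, so a captured value cannot be reused.
                if self.last_step.get(user, -1) >= step:
                    return False
                self.last_step[user] = step
                return True
        return False  # no match inside the window: wrong secret, or clocks out of sync


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample secret (the RFC 4226/6238 test key)
    server = AuthServer({"alice": secret})
    print(server.verify("alice", synchronous_password(secret, 59), now=59))   # accepted
    print(server.verify("alice", synchronous_password(secret, 59), now=59))   # refused: reuse
```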
IDS
An anomaly-based IDS monitors network traffic and compares it against an established baseline, which identifies what is "normal" for that network, and alerts the relevant party when traffic is detected that differs significantly from the baseline. An anomaly-based intrusion detection system detects computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous. The classification is based on heuristics or rules, rather than patterns or signatures, and attempts to detect any type of misuse that falls outside normal system operation. This is as opposed to signature-based systems, which can only detect attacks for which a signature has previously been created. In order to determine what is attack traffic, the system must be taught to recognize normal system activity. This can be accomplished in several ways, most often with artificial-intelligence-type techniques; systems using neural networks have been used to great effect. Another method is to define what normal usage of the system comprises using a strict mathematical model, and to flag any deviation from this as an attack. This is known as strict anomaly detection. Anomaly-based intrusion detection has some shortcomings, namely a high false-positive rate and the ability to be fooled by a correctly delivered attack. A cause of the high false-positive rate is that normal patterns of user and system behavior can vary wildly: different people do things in different ways, and these differences can appear as "anomalies" to the IDS and generate a false positive. A statistical anomaly-based IDS is an anomaly-based IDS of this kind: it compares monitored traffic against the established baseline of what is "normal" for the network and alerts the relevant party when traffic differs significantly from it.
A network-based vulnerability assessment is a type of test also referred to as an active vulnerability. An Intrusion Detection System (IDS) typically follows a two-step process. The first step's procedures include inspection of the configuration files of a system to detect inadvisable settings, inspection of the password files to detect inadvisable passwords, and inspection of other system areas to detect policy violations. In the second step, procedures are network-based and considered an active component: mechanisms are set in place to reenact known methods of attack and to record system responses.
An intrusion detection system (IDS) monitors network or system activities for malicious activities or policy violations and generates reports to a management station. It is used to monitor network traffic or host audit logs in order to determine whether any violations of an organization's security policy have taken place. An IDS can detect intrusions that have circumvented or passed through a firewall, or that are occurring within the local area network behind the firewall.
An on-line network-based IDS monitors network traffic in real time; it analyses each Ethernet packet and applies the same rules to it to decide whether it is an attack or not. A network-based IDS watches for questionable activity occurring on the network medium by inspecting packets and observing network traffic patterns. Network-based IDSs commonly reside on a discrete network segment and monitor the traffic on that segment. A network-based IDS usually provides reliable, real-time information without consuming network or host resources, and it is passive while it acquires data. Because a network-based IDS reviews packets and headers, denial of service attacks can also be detected. Furthermore, because this IDS is monitoring an attack in real time, it can also respond to an attack in progress to limit damage. If an organization were to deploy only one IDS sensor to protect its information system from the Internet, it should be network-based and installed in the DMZ, between the external router and the firewall. Network Intrusion Detection Systems (NIDS) are placed at a strategic point within the network, such as between the Internet-facing router and the firewall, to monitor traffic to and from all devices on the network.
A host-based IDS (HIDS) is installed on individual workstations and/or servers to watch for inappropriate or anomalous activity. It monitors and analyzes the internals of a computing system, including system and event logs. Because the HIDS uses the resources of the host, it can be very invasive to the host operating system.
A signature-based IDS monitors packets and compares them against a database of signatures or attributes from known malicious threats. In signature-based ID, signatures or attributes that characterize an attack are stored for reference. Then, when data about events is acquired from host audit logs or from network packet monitoring, this data is compared with the attack signature database; if there is a match, a response is initiated. A weakness of this approach is the failure to characterize slow attacks that are extended over a long time period; to identify these types of attacks, large amounts of information must be held for extended time periods. Another issue with signature-based ID is that only attack signatures that are stored in its database are detected.
An IDS can detect malicious behavior using two common methods. One is knowledge-based detection, also called signature-based detection, which is the more frequently used: the IDS uses a signature database and attempts to match all monitored events to its contents. The second is behavior-based detection, also called statistical intrusion detection, anomaly detection, and heuristics-based detection.
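Added example, not from these notes and not any IDS product's code: a small Python sketch of both detection methods run over constructed access-log lines. Signature detection matches a hypothetical scanner's user-agent string from a one-entry signature database; the statistical method learns a per-source request-count baseline from a training window and flags anything more than three standard deviations above it, which, as the notes warn, also catches an ordinary but busy user (a false positive).

```python
import re
import statistics
from collections import Counter

# Constructed access-log lines, format: <source ip> <method> <path> <status> "<user agent>".
# They are invented for this illustration and do not come from any real system.
TRAINING_LOG = [
    '10.0.0.5 GET /index.html 200 "Mozilla/5.0"',
    '10.0.0.5 GET /about.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /index.html 200 "Mozilla/5.0"',
    '10.0.0.7 GET /index.html 200 "Mozilla/5.0"',
    '10.0.0.7 GET /login 200 "Mozilla/5.0"',
    '10.0.0.8 GET /index.html 200 "Mozilla/5.0"',
]
OBSERVED_LOG = [
    '10.0.0.5 GET /index.html 200 "Mozilla/5.0"',
    '10.0.0.9 GET /index.html 200 "ExampleScanner/1.0"',
    '10.0.0.9 GET /login 200 "ExampleScanner/1.0"',
    '10.0.0.9 GET /about.html 200 "ExampleScanner/1.0"',
    '10.0.0.6 GET /index.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /about.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /contact.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /news.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /careers.html 200 "Mozilla/5.0"',
    '10.0.0.6 GET /faq.html 200 "Mozilla/5.0"',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')

# Knowledge-based (signature) detection works from a stored database of attack attributes.
# This one-entry database uses a hypothetical scanner's user-agent string as its signature.
SIGNATURE_DB = [("ExampleScanner user agent", re.compile(r"ExampleScanner/"))]


def parse(lines):
    """Turn raw log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def signature_alerts(lines):
    """Return (source ip, signature name) for every event that matches a stored signature."""
    alerts = []
    for event in parse(lines):
        for name, pattern in SIGNATURE_DB:
            if pattern.search(event["ua"]):
                alerts.append((event["ip"], name))
    return alerts


def build_baseline(lines, k=3.0):
    """Behavior-based detection, step 1: learn what 'normal' looks like from a training
    window. Normal here is the per-source request count; anything more than k population
    standard deviations above the mean will count as anomalous. Returns (mean, stdev, threshold)."""
    values = list(Counter(event["ip"] for event in parse(lines)).values())
    mean, stdev = statistics.mean(values), statistics.pstdev(values)
    return mean, stdev, mean + k * stdev


def anomaly_alerts(lines, threshold):
    """Step 2: flag every source whose request count in the observed window exceeds the threshold."""
    counts = Counter(event["ip"] for event in parse(lines))
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    mean, stdev, threshold = build_baseline(TRAINING_LOG)
    print(f"baseline: mean={mean} stdev={stdev} threshold={threshold}")
    print("signature alerts:", signature_alerts(OBSERVED_LOG))
    # 10.0.0.6 is an ordinary user reading six pages, so this alert is a false positive,
    # while the scanner at 10.0.0.9 stays under the threshold and is only caught by its signature.
    print("anomaly alerts:", anomaly_alerts(OBSERVED_LOG, threshold))
```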
802.11 standard
802.11 is a set of specifications for implementing wireless local area network (WLAN) computer communication. The multiple access method that an 802.11 wireless local area network uses is CSMA/CA. Note: carrier sense multiple access with collision avoidance (CSMA/CA) is a network multiple access method in which carrier sensing is used, but nodes attempt to avoid collisions by transmitting only when the channel is sensed to be "idle".
RADIUS
A central authentication service for dial-up users is the standard Remote Authentication Dial-In User Service (RADIUS). RADIUS incorporates an authentication server as well as support for static and dynamic passwords. The RADIUS protocol is an open, lightweight, UDP-based protocol that can be modified to work with a variety of security systems. It provides authentication, authorization and accounting services to routers, modem servers, and wireless applications. RADIUS is described in RFC 2865.
demilitarized zone
A demilitarized zone (DMZ) is a network segment located between the protected private network and the unprotected public network (typically the Internet). A DMZ is located right behind your first Internet-facing firewall. A demilitarized zone is shielded by two firewalls: one facing the Internet and one facing the private network. The DMZ does not normally contain an encryption server. The DMZ usually contains web servers, mail servers, and external DNS servers. A DMZ is also known as a screened subnet.
NIST control categories
Controls include administrative, technical and physical categories. NIST categorizes controls as management, technical and operational. Personnel security is an operational control.
Callback systems
A callback system is an access protection system that limits connections by calling back the number of a previously authorized location. Callback is when the host system disconnects the caller and then dials the authorized telephone number of the remote terminal in order to reestablish the connection.
Kerberos
Kerberos is a credential-based, third-party authentication service that can be used to support single sign-on (SSO); it primarily provides authentication. Kerberos uses symmetric key cryptography (the same key is used to both encrypt and decrypt) and offers end-to-end security (no eavesdropping: only the intended recipients can read messages). Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need to transmit passwords over the network. Most Kerberos implementations work with shared secret keys (where only the parties involved have access to the data); it depends upon symmetric ciphers. Kerberos uses a credential-based mechanism as the basis for identification and authentication, and Kerberos credentials are referred to as tickets. Kerberos tickets, which are supplied to provide access to resources, correspond closely to a public key infrastructure's use of public-key certificates. Kerberos uses shared secret keys and tickets for the initial authentication, not a public key algorithm.
Kerberos addresses the confidentiality, integrity and authentication of information; it does not directly address availability or attacks such as frequency analysis. Its weaknesses include attacks on users' passwords: because a client's password is used in the initiation of the Kerberos request for the service protocol, password guessing can be used to impersonate a client. Furthermore, because all the secret keys are held, and authentication is performed, on the Kerberos TGS and the authentication servers, these servers are vulnerable to both physical attacks and attacks from malicious code. Replay can be accomplished on Kerberos if the compromised tickets are used within the allotted time window. The Key Distribution Center (KDC) is the most important component within a Kerberos environment, as it holds all users' and services' secret keys.
The authenticator within Kerberos provides a requested service to the client after validating the client's timestamp. In a Kerberos implementation that is configured to use an authenticator, the user sends to the requested service her identification information, a timestamp and a sequence number, encrypted with the session key that they share. The service then decrypts this information and compares it with the identification data that the KDC sent to it regarding this requesting user. If the data matches, the user is allowed access to the requested service. The timestamp is used to help fight replay attacks.
Secure European System for Applications in a Multi-vendor Environment (SESAME) is used to address some of the weaknesses in Kerberos. SESAME uses public key cryptography for the distribution of secret keys and provides additional access control support. It can prevent a playback (replay) attack, where an authentication session is replayed by an attacker to fool a computer into granting access or redoing a command.
The sequence of steps required for a Kerberos session to be established between a user (Principal P1) and an application server (Principal P2) is: Principal P1 authenticates to the Key Distribution Center (KDC); Principal P1 receives a Ticket Granting Ticket (TGT); and Principal P1 requests a service ticket from the Ticket Granting Service (TGS) in order to access the application server P2.
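The three-step session establishment (AS exchange for the TGT, TGS exchange for the service ticket, then ticket plus authenticator to P2) as an added Python model; this is not code from these notes or from any Kerberos implementation. The symmetric cipher is a toy HMAC-based construction and the password-to-key derivation is a plain hash, both stand-ins for what a real KDC uses; principal names and passwords are constructed, and the service rejects authenticators outside the time window or seen before.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds: how far an authenticator's timestamp may differ from the verifier's clock

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, serving as a toy stream-cipher keystream."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key, obj):
    """Toy symmetric encryption (encrypt-then-MAC) standing in for a real Kerberos cipher."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; fails if the blob was sealed under a different key or was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def key_from_password(password):
    """A principal's long-term key comes from its password (a plain hash here, not a real
    string-to-key function); this is why password guessing against Kerberos is possible."""
    return hashlib.sha256(password.encode()).digest()

def check_authenticator(auth, expected_client, now=None):
    """Compare the decrypted authenticator with the ticket's client and check its timestamp window."""
    now = time.time() if now is None else now
    if auth["client"] != expected_client:
        raise ValueError("authenticator does not match the ticket")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside the allowed window")

def make_authenticator(session_key, client, seq, now=None):
    """Client identity, timestamp and sequence number, encrypted with the shared session key."""
    stamp = time.time() if now is None else now
    return seal(session_key, {"client": client, "timestamp": stamp, "seq": seq})

class KDC:
    """Holds every principal's secret key and plays both the AS and the TGS role."""

    def __init__(self, passwords):
        self.keys = {name: key_from_password(pw) for name, pw in passwords.items()}
        self.keys["krbtgt"] = os.urandom(32)  # key under which TGTs are sealed

    def as_exchange(self, client):
        """Step 1: P1 authenticates to the KDC and receives a TGT plus a session key."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex()})
        return tgt, seal(self.keys[client], {"key": sk.hex()})  # only the password holder can open this

    def tgs_exchange(self, tgt, authenticator, service):
        """Step 2: P1 presents the TGT and an authenticator to the TGS and gets a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        check_authenticator(unseal(sk, authenticator), t["client"])
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex()})
        return ticket, seal(sk, {"key": svc_key.hex()})

class Service:
    """Principal P2: validates ticket and authenticator, and remembers authenticators to stop replay."""

    def __init__(self, name, password):
        self.name, self.key, self.seen = name, key_from_password(password), set()

    def ap_exchange(self, ticket, authenticator, now=None):
        """Step 3: decrypt the ticket, then the authenticator with the key inside it, and compare."""
        t = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        check_authenticator(auth, t["client"], now)
        marker = (auth["client"], auth["timestamp"], auth["seq"])
        if marker in self.seen:  # same ticket + authenticator seen inside the window: a replay
            raise ValueError("replayed authenticator")
        self.seen.add(marker)
        return f"{self.name} grants access to {auth['client']}"

def establish_session(kdc, client, password, service, seq=1):
    """The three steps from the notes, driven from the client's side."""
    tgt, enc_sk = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(key_from_password(password), enc_sk)["key"])
    ticket, enc_svc = kdc.tgs_exchange(tgt, make_authenticator(sk, client, seq), service.name)
    svc_key = bytes.fromhex(unseal(sk, enc_svc)["key"])
    authenticator = make_authenticator(svc_key, client, seq)
    return service.ap_exchange(ticket, authenticator), ticket, authenticator

if __name__ == "__main__":
    kdc = KDC({"alice": "correct horse battery", "fileserver": "service secret"})  # constructed principals
    print(establish_session(kdc, "alice", "correct horse battery", Service("fileserver", "service secret"))[0])
```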
Logon Abuse
Logon abuse refers to legitimate users accessing networked services that would normally be restricted to them. Unlike network intrusion, this type of abuse focuses primarily on those users who may be internal to the network, legitimate users of a different system, or users who have a lower security classification.
The Bell-LaPadula model, The Clark-Wilson model
The Bell-LaPadula model was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and it outlined rules of access. The Orange Book used the Bell-LaPadula computer security policy model as a comparative evaluation for all systems. The Bell-LaPadula model was developed to ensure that secrets stay secret; therefore, it provides and addresses confidentiality only. The Bell-LaPadula Model (abbreviated BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive (e.g., "Top Secret") down to the least sensitive (e.g., "Unclassified" or "Public"). Within this model, the *-property ("star" property) states that a subject at a specified security level cannot write information to a lower security level; this property is also known as the confinement property. The Bell-LaPadula model was developed to address the security concerns of time-sharing mainframe systems and leakage of classified information. With the Clark-Wilson model, users are unable to modify critical data (CDI) directly. Users have to be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. It introduces access to objects only through programs.
The Clark-Wilson model enforces the three goals of integrity by using access triple (subject, software [TP], object), separation of duties, and auditing. This model enforces integrity by using well-formed transactions (through access triple) and separation of duties. When an application uses the Clark-Wilson model, it separates data into one subset that needs to be highly protected, which is referred to as a constrained data item (CDI), and another subset that does not require a high level of protection, which is called an unconstrained data item (UDI). Users cannot modify critical data (CDI) directly. Instead, the subject (user) must be authenticated to a piece of software, and the software procedures (TPs) will carry out the operations on behalf of the user. For example, when Kathy needs to update information held within her company's database, she will not be allowed to do so without a piece of software controlling these activities. First, Kathy must authenticate to a program, which is acting as a front end for the database, and then the program will control what Kathy can and cannot do to the information in the database. This is referred to as access triple: subject (user), program (TP), and object (CDI). A user cannot modify CDI without using a TP. The Clark-Wilson security model uses division of operations into different parts and requires different users to perform each part. This is known as Separation of Duties. The Clark-Wilson model outlines how to incorporate separation of duties into the architecture of an application. If a customer needs to withdraw over $10,000, the application may require a supervisor to log in and authenticate this transaction. This is a countermeasure against potential fraudulent activities. The model provides the rules that the developers must follow to properly implement and enforce separation of duties through software procedures.
OSI Model
The ISO/OSI model is a standard model for network communications; it enables dissimilar networks to communicate and defines 7 protocol layers.
Layer 2 of the OSI model, the data link layer, has two sublayers. Those sublayers, and the two IEEE standards that describe technologies at that layer, are LLC and MAC; IEEE 802.2 and 802.3. The data link layer provides node-to-node data transfer, a link between two directly connected nodes. It detects and possibly corrects errors that may occur in the physical layer. Among other things, it defines the protocol to establish and terminate a connection between two physically connected devices, and the protocol for flow control between them. The data link layer is divided into two functional sublayers: the Logical Link Control (LLC) and the Media Access Control (MAC). The LLC, defined in the IEEE 802.2 specification, communicates with the protocol immediately above it, the network layer. The MAC will have the appropriately loaded protocols to interface with the protocol requirements of the physical layer. The IEEE LLC specification for Ethernet is defined in the IEEE 802.2 standard, while the IEEE MAC specification for Ethernet is 802.3; for Token Ring it is 802.5, for wireless LAN 802.11, and so on. So when you see a reference to an IEEE standard such as 802.11, 802.16 or 802.3, it refers to the protocol working at the MAC sublayer of the data link layer of a protocol stack. Within the OSI model, the SLIP, CSLIP and PPP control functions are provided at the data link layer. PPP (Point-to-Point Protocol) is a data link protocol used to establish a direct connection between two nodes; PPP has replaced the older SLIP and CSLIP protocols.
Fiber optics work at the physical layer. The physical layer consists of the basic networking hardware transmission technologies of a network, such as fiber optics.
ICMP and IGMP work at the network layer of the OSI model. The IP header contains a protocol field: if this field contains the value 1, ICMP is the type of data contained within the IP datagram; if it contains the value 2, IGMP is contained within the IP datagram.
In the OSI model, layer 4 is the transport layer. TCP and UDP are examples of protocols working at the transport layer in the Open Systems Interconnect (OSI) reference model; TCP is connection-oriented, UDP is not. The transport layer is where connection-oriented protocols are located in the TCP/IP suite of protocols. When two computers are going to communicate through a connection-oriented protocol, such as TCP/IP, they will first agree on how much information each computer will send at a time, how to verify the integrity of the data once received, and how to determine whether a packet was lost along the way. The two computers agree on these parameters through a handshaking process at the transport layer, layer 4. In the TCP/IP model, application layer data is encapsulated in a layer 4 TCP segment, and that TCP segment is encapsulated in a layer 3 IP packet. Data, segments, and packets are examples of Protocol Data Units (PDUs). SSL encryption takes place at the transport layer. Encrypted authentication between a client software package and a firewall is performed at the transport layer. Encrypted authentication is a firewall feature that allows users on an external network to authenticate themselves to prove that they are authorized to access resources on the internal network. It is convenient because it happens at the transport layer between the client software and the firewall, allowing all normal application software to run without hindrance.
The difference between the session and transport layers of the OSI model is best stated as follows: the transport layer sets up communication between computer systems, while the session layer sets up connections between applications. The transport layer provides host-to-host (for example, computer-to-computer) communication services. The session layer provides the mechanism for opening, closing and managing a session between end-user application processes.
The presentation layer is layer 6 in the OSI model. It has a service that negotiates transfer syntax and translates data to and from the transfer syntax for users, which may represent data using different syntaxes. The presentation layer is not concerned with the meaning of data, but with its syntax and format. It works as a translator, translating the format an application is using into a standard format used for passing messages over a network.
ISO/OSI layer 7, the application layer, does NOT include TCP; TCP is an OSI layer 4 (transport layer) protocol. Some examples of protocols working at OSI layer 7 are the Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP), Line Printer Daemon (LPD), File Transfer Protocol (FTP), Telnet, and Trivial File Transfer Protocol (TFTP). Non-repudiation is provided by applications such as PGP (Pretty Good Privacy), that is, by the application layer. PGP is used to provide authentication and confidentiality for e-mail messages; it is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions, and to increase the security of e-mail communications.
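Added example, not from these notes: Python that wraps constructed application data in a TCP segment (the layer 4 PDU) and that segment in an IPv4 packet (the layer 3 PDU), then unwraps the packet by verifying the header checksum and reading the protocol field (1 = ICMP, 2 = IGMP, plus 6 = TCP and 17 = UDP for the transport protocols). Addresses and payloads are constructed sample values, and the TCP header is minimal (no options, checksum left at zero).

```python
import socket
import struct

# Values of the IP header protocol field named in the notes, plus the two transport protocols.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header):
    """RFC 791 header checksum: ones' complement of the ones' complement sum of 16-bit words.
    Run over a header that already carries its checksum, the result is 0 if it is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_segment(src_port, dst_port, payload):
    """Layer 4 PDU: a minimal 20-byte TCP header (data offset 5, PSH+ACK flags, no options)
    around the application-layer data. Sequence numbers and the TCP checksum stay zero."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return header + payload


def build_ipv4_packet(src, dst, protocol, payload):
    """Layer 3 PDU: a 20-byte IPv4 header (version 4, IHL 5, TTL 64) whose protocol field
    says what the payload is, wrapped around that payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, protocol,
                         0, socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def decapsulate(packet):
    """Peel the layers back off: verify the IPv4 header, read the protocol field and, for
    TCP or UDP, split the transport header from the application data it carries."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a well-formed IPv4 header (bad version or checksum)")
    protocol = packet[9]
    result = {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "protocol_field": protocol,
        "encapsulated": IP_PROTOCOLS.get(protocol, f"protocol {protocol}"),
    }
    body = packet[ihl:]
    if protocol == 6:
        src_port, dst_port = struct.unpack("!HH", body[:4])
        offset = (body[12] >> 4) * 4  # TCP data offset, in 32-bit words
        result["transport"] = {"src_port": src_port, "dst_port": dst_port}
        result["application_data"] = body[offset:]
    elif protocol == 17:
        src_port, dst_port = struct.unpack("!HH", body[:4])
        result["transport"] = {"src_port": src_port, "dst_port": dst_port}
        result["application_data"] = body[8:]  # fixed 8-byte UDP header
    else:
        result["transport"] = None  # ICMP and IGMP are themselves network-layer messages
        result["application_data"] = None
        result["message"] = body
    return result


if __name__ == "__main__":
    segment = build_tcp_segment(40000, 80, b"GET / HTTP/1.1\r\n")  # constructed sample data
    print(decapsulate(build_ipv4_packet("192.0.2.10", "192.0.2.20", 6, segment)))
    print(decapsulate(build_ipv4_packet("192.0.2.10", "192.0.2.20", 1, b"\x08\x00\x00\x00"))["encapsulated"])
```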
Two-Factor Authentication, Biometric Identification System
Two-Factor Authentication: Includes something you have (token), something you are/what you do(know) (biometrics). Based on "what you are"(type 3) or "what you do". Security characteristics that need to be taken into consideration are data acquisition process (how the biometric data will be acquired), enrollment process and speed/user interface. A biometric system executes a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown user in identification mode. If the comparison of the biometric sample to a template in the database falls within a threshold previously set, identifying the individual will succeed. There are three major types of authentication available: static, robust, and continuous. Static authentication includes passwords and other techniques that can be compromised through replay attacks. They are often called reusable passwords. Robust authentication involves the use of cryptography or other techniques to create one-time passwords that are used to create sessions. These can be compromised by session hijacking. Continuous authentication prevents session hijacking. Continuous Authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the imposter can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier. There are other combinations of cryptography that can provide this form of authentication but current strategies rely on applying some type of cryptography to every bit of data sent. Otherwise, any unprotected bit would be suspect. 
Biometrics is used for identification in physical controls and for authentication in logical controls. It is based on a type 3 authentication mechanism. Increased system sensitivity can cause a higher false rejection rate. Biometrics is based on "what you are" or "what you do". It is not based on what you know. Physical controls are items put into place to protect facility, personnel, and resources. As a physical control, biometrics provides protection by identifying a person to see if that person is authorized to access a facility. When a user is identified and granted physical access to a facility, biometrics can be used for authentication in logical controls to provide access to resources. In addition to the accuracy of the biometric systems, there are other factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. The throughput rate is the rate at which individuals, once enrolled, can be processed and identified or authenticated by a system. Acceptable throughput rates are in the range of 10 subjects per minute. Acceptability in terms of biometric systems refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems may be the exchange of body fluids on the eyepiece or the feeling that a retinal scan could be harmful to the eye. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure. Retinal Scan Biometric Device: A physical characteristic that a retinal scan biometric device measures is the pattern of blood vessels at the back of the eye. Biometrics are based on the Type 3 authentication mechanism — something you are. Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics. 
The most critical characteristic of a biometric identifying system (or any other identification and authentication system) is the accuracy of the system. The system needs to ensure that the identification of the person is correct. The most important type of error to avoid for a biometric access control system is a Type II error. A Type II Error occurs when the system accepts impostors who should be rejected. This type of error is the most dangerous type, and therefore the most important to avoid. Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting. A Type I error, or false rejection rate (FRR), is when a biometric system rejects an authorized individual; it is the percentage of valid subjects that are falsely rejected. A Type II error, or false acceptance rate (FAR), is when the system accepts impostors who should be rejected; it is the percentage of invalid subjects that are falsely accepted. The crossover error rate (CER) is a percentage that signifies the point at which the false rejection rate equals the false acceptance rate. Voice pattern biometrics have the highest Crossover Error Rate (CER). This is because voice patterns tend to change with the individual's mood and health. The common cold or flu, for instance, would alter the tone and pitch of a person's voice.
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. If the system's sensitivity is increased, such as in an airport metal detector, the system becomes increasingly selective and has a higher FRR. Conversely, if the sensitivity is decreased, the FAR will increase. Thus, to have a valid measure of the system performance, the CER is used. The biometric device with the lowest user acceptance is a retina scan. Acceptability in terms of biometric systems refers to considerations of privacy, invasiveness, and psychological and physical comfort when using the system. For example, a concern with retina scanning systems may be the exchange of body fluids on the eyepiece or the feeling that a retinal scan could be harmful to the eye. Another concern would be the retinal pattern that could reveal changes in a person's health, such as diabetes or high blood pressure.
Land attack
A land (Local Area Network Denial) attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously. It involves the perpetrator sending spoofed packet(s) that contain the same source and destination IP address as the remote host and the same port for source and destination, with the SYN flag set, targeting any open port on the remote host. When an intrusion detection system detects internet protocol (IP) packets where the IP source address and port are the same as the destination IP address and port, it should record the selected information about the packets and drop the packets. When a land attack has been detected by the IDS, a reasonable response from the IDS would be to record selected information about the packets and drop the packets. Knowledge is accumulated by the IDS vendors about specific attacks and how they are carried out. Models of how the attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Any action that is not recognized as an attack is considered acceptable. An example of a signature is a packet that has the same source and destination IP address. All packets should have a different source and destination IP address, and if they have the same address, this means a Land attack is under way. In a Land attack, a hacker modifies the packet header so that when a receiving system responds to the sender, it is responding to its own address. Now that seems as though it should be benign enough, but vulnerable systems just do not have the programming code to know what to do in this situation, so they freeze or reboot.
Single Sign-On (SSO)
A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for. SSO provides convenience and centralized administration. Single Sign-on allows a single administrator to add and delete accounts across the entire network from one user interface, providing centralized administration. It provides the ability to use stronger passwords, easier password administration, one set of credentials, and faster resource access. Single Sign-On (SSO) addresses the cumbersome situation of logging on multiple times to access different resources. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. SSO can be implemented by using scripts/smart agents that replay the users' multiple log-ins, or by using authentication servers to verify a user's identity and encrypted authentication tickets to permit access to system services. Single Sign-On (SSO) allows a user to enter credentials once to gain access to all resources in primary and secondary network domains, thereby minimizing the amount of time users spend authenticating to resources and enabling the administrator to streamline user accounts and better control access rights. Furthermore, security is improved by reducing the likelihood that users will record passwords, and it also lessens the administrator's time spent on adding and removing user accounts and modifying access permissions. Because SSO requires a user to remember only one password, one of the goals is that a more complicated and secure password policy can be enforced. Single sign-on (SSO) gives the administrator the ability to streamline user accounts and better control access rights. It, therefore, improves an administrator's ability to manage users and user configurations to all associated systems.
Legacy single sign on (SSO) is a mechanism where users can authenticate themselves once, and then a central repository of their credentials is used to launch various legacy applications. An SSO solution may provide a bottleneck or single point of failure. If the SSO server goes down, users are unable to access network resources. This is why it's a good idea to have some type of redundancy or fail-over technology in place.
Security Token, Synchronous token
A security token (or sometimes a hardware token, authentication token, USB token, cryptographic token, software token, virtual token, or key fob) may be a physical device that an authorized user is given to ease authentication. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something. Some may store cryptographic keys, such as a digital signature, or biometric data, such as fingerprint minutiae. Some designs feature tamper resistant packaging, while others may include small keypads to allow entry of a PIN or a simple button to start a generating routine with some display capability to show a generated key number. All tokens contain some secret information that is used to prove identity. There are different ways in which this information can be used. Examples include: Synchronous dynamic password token: Synchronous dynamic tokens make use of time or counters to synchronize a displayed token code with the code expected by the authentication server. Hence, the codes are synchronized. Synchronous dynamic password tokens generate new passwords at specific time intervals that are synched with the main system. Passwords are only valid for a specific time period. A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks. In Synchronous dynamic password tokens the token generates a new password value at fixed time intervals (this password could be based on the time of day encrypted with a secret key). Asynchronous password token: A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithm.
A Synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered in the acceptable time frame. It is the most reliable authentication method for remote access.
Race Condition
A race condition is a technique an attacker could use to force the authorization step to occur before authentication. A race condition happens when two different processes need to carry out their tasks on the same resource. In the industry, race conditions and TOC/TOU attacks are considered to be the same thing.
Access Control Lists and Capability Tables, Access Control Matrix
Access control lists are related/attached to an object, whereas capability tables are related/attached to a subject. A capability table stipulates the access rights that a specified subject has in relation to detailed objects. Access control lists define the subjects that are authorized to access a specific object, and include the level of authorization that those subjects are granted. Therefore, the difference between the two is that the subject is bound to the capability table, while the object is bound to the ACL. An access control matrix is a table of subjects and objects that specifies the actions individual subjects can take upon individual objects.
System Accountability
Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed. An audit mechanism is needed. To 'ensure' accountability, the user must prove that they are who they say they are. This is the function of authentication. Therefore, authentication best ensures accountability of users for the actions taken within a system or domain.
Alternative routing
Alternative routing provides two different cables from the local exchange to your site, so you can protect against cable failure as your service will be maintained on the alternative route. It is a method of providing telecommunications continuity that involves the use of an alternative media.
VPN
Another name for VPN is tunnel. A virtual private network (VPN) is a secure, private connection through an untrusted network. VPN technology requires a tunnel to work and it assumes encryption.
Behavioral-based Systems
Are also known as Profile-based systems.
Smartcards in a PKI
Smartcards in a PKI provide tamper-resistant, mobile storage and application of the users' private keys. A smart card, which includes the ability to process data stored on it, is also able to deliver a two-factor authentication method, as the user may have to enter a PIN to unlock the smart card. The authentication can be completed by using an OTP, by utilizing a challenge/response value, or by presenting the user's private key if it is used within a PKI environment. The fact that the memory of a smart card is not readable until the correct PIN is entered, as well as the complexity of the smart token, makes these cards resistant to reverse-engineering and tampering methods.
IANA
Assigned the well-known ports 0 to 1023.
EAL 5
Assurance requirements include semiformally designed and tested. The EAL 5 requirement is: Semiformally designed and tested; this is sought when developing specialized Targets of Evaluation for high-risk situations.
Attenuation
Attenuation is the loss of signal strength (amplitude) as it travels. The longer a cable, the more attenuation occurs, which causes the signal carrying the data to deteriorate. It is a decrease in amplitude as a signal propagates along a transmission medium.
Differential backup process
Backs up data labeled with archive bit 1 and leaves the data labeled as archive bit 1. When a file is modified or created, the file system sets the archive bit to 1. A differential backup process backs up the files that have been modified since the last full backup, but does not change the archive bit value.
Black-box testing, White-box testing
Black box testing examines the functionality of an application without peering into its internal structures or workings. Black box testing provides the tester with no internal details; the software is treated as a black box that receives inputs. White-box testing is a method of testing software that tests internal structures or workings of an application, versus its functionality. White-box testing allows access to program source code, data structures, variables, etc. Examines internal structure or working of an application.
buffer overflow
Buffer overflow exists because of human error. The human error in this answer is poor programming by the software developer. A buffer overflow takes place when too much data are accepted as input to a specific process. A buffer is an allocated segment of memory. A buffer can be overflowed arbitrarily with too much data, but for it to be of any use to an attacker, the code inserted into the buffer must be of a specific length, followed up by commands the attacker wants executed. When a programmer writes a piece of software that will accept data, this data and its associated instructions will be stored in the buffers that make up a stack. The buffers need to be the right size to accept the inputted data. So if the input is supposed to be one character, the buffer should be one byte in size. If a programmer does not ensure that only one byte of data is being inserted into the software, then someone can input several characters at once and thus overflow that specific buffer. A packet containing a long string of NOPs followed by a command is usually indicative of a buffer overflow attack. In a carefully crafted buffer overflow attack, the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application. This allows the malicious instructions to be executed in the security context of the requesting application. In this example the buffer is filled with NOP (No Operation) commands followed by the instruction that the attacker wants to be executed.
Class C network
Class A contains all addresses in which the most significant bit is zero. The address range of Class A is 0.0.0.0 - 127.255.255.255. The first bit of the IP address would be set to zero. In the days before CIDR (Classless Inter-Domain Routing), networks were commonly organized by classes. For a Class C network, the first two bits of the IP address would be set to one, and the third bit set to zero. Class C was defined with the 3 high-order bits set to 1, 1, and 0, and designating the next 21 bits to number the networks. This translates to the IP address range of a class C network of 192.0.0.0 to 223.255.255.255. An IP address that is private (i.e. reserved for internal networks, and not a valid address to use on the Internet) is 192.168.42.5, which is in the private Class C IP address range. The private IP address ranges are: * 10.0.0.0-10.255.255.255 (Class A network) * 172.16.0.0-172.31.255.255 (Class B networks) * 192.168.0.0-192.168.255.255 (Class C networks). Another IP address that is private is 10.0.42.5.
Server farm, server cluster
Clusters may also be referred to as server farms. If one of the systems within the cluster fails, processing continues because the rest pick up the load, although degradation in performance could occur. A server cluster is a group of servers that are viewed logically as one server to users and can be managed as a single logical system. Clustering provides for availability and scalability. It groups physically different systems and combines them logically, which provides immunity to faults and improves performance.
CIA
Confidentiality - Prevention of unauthorized disclosure of data and resources. Integrity - Prevention of unauthorized modification of data and resources. Availability - Prevention of loss of, or loss of access to, data and resources.
Database Views
Database views are used to restrict user access to data in a database. A database has referential integrity if all foreign keys reference existing primary keys. Database views are not used to implement referential integrity. Constrained user interfaces restrict users' access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. Three major types of restricted interfaces exist: menus and shells, database views, and physically constrained interfaces. Database views are mechanisms used to restrict user access to data contained in databases. If the database administrator wants managers to be able to view their employees' work records but not their salary information, then the salary fields would not be available to these types of users. Similarly, when payroll employees look at the same database, they will be able to view the salary information but not the work history information.
Secure Shell (SSH), SNMP, SMTP, PPP, DNS, BootP, DHCP, RPC, TFTP, POP3
SSH ensures no one can eavesdrop on communication. Network devices are often configured by a command line interface such as Telnet. Telnet, however, is insecure in that the data, including login credentials, is unencrypted as it passes over the network. A secure alternative is to use Secure Shell (SSH). Secure Shell (SSH) functions as a type of tunneling mechanism that provides terminal-like access to remote computers. SSH is a program and a protocol that can be used to log into another computer over a network. SSH should be used instead of Telnet, FTP, rlogin, rexec, or rsh, which provide the same type of functionality SSH offers but in a much less secure manner. SSH is a program and a set of protocols that work together to provide a secure tunnel between two computers. The two computers go through a handshaking process and exchange (via Diffie-Hellman) a session key that will be used during the session to encrypt and protect the data sent. Simple Network Management Protocol (SNMP) was released to the networking world in 1988 to help with the growing demand of managing network IP devices. Companies use many types of products that use SNMP to view the status of their network, traffic flows, and the hosts within the network. SNMP uses agents and managers. Agents collect and maintain device-oriented data, which are held in management information bases. Managers poll the agents using community string values for authentication purposes. SNMP versions 1 and 2 send their community string values in cleartext, but with SNMP version 3, cryptographic functionality has been added, which provides encryption, message integrity, and authentication security. So any sniffers that are installed on the network cannot sniff SNMP traffic. SNMP V3 is the protocol that would be BEST to use if some of the requirements are to prevent easy disclosure of the SNMP strings and authentication of the source of the packets. SMTP is a host-to-host email protocol.
In e-mail clients SMTP works as a message transfer agent and moves the message from the user's computer to the mail server when the user sends the e-mail message. SMTP uses port 25. Point-to-Point Protocol (PPP) is a full-duplex protocol used for the transmission of TCP/IP packets over various non-LAN connections, such as modems, ISDN, VPNs, Frame Relay, and so on. PPP permits multiple network layer protocols to operate on the same communication link. PPP was designed to support multiple network types over the same serial link. DNS should be allowed through a firewall to ease communication and usage by users. DNS translates domain names into IP addresses, which enables us to use domain names instead of IP addresses. The Domain Name System is lists of domain names and IP addresses that are distributed on Domain Name System (DNS) Servers throughout the Internet in a hierarchy of authority. The DNS service translates domain names into IP addresses. BootP was developed as a simple mechanism for allowing simple network terminals to load their operating system from a server over the LAN. BOOTP has been used for Unix-like diskless workstations to obtain the network location of their boot image, in addition to the IP address assignment. Enterprises used it to roll out a preconfigured client (e.g., Windows) installation to newly installed PCs. The greatest danger from DHCP is an intruder on the network impersonating a DHCP server and thereby misconfiguring the DHCP clients. The main security risk concerning DHCP is unauthorized (rogue) DHCP servers offering IP configuration to DHCP clients. Rogue DHCP servers are often used in man in the middle or denial of service attacks for malicious purposes. Session-layer services are commonly used in application environments that make use of remote procedure calls (RPCs). RPC allows two computers to coordinate in executing software. The programmer of a piece of software can write a function call that calls upon a subroutine.
The subroutine could be local to the system or be on a remote system. If the subroutine is on a remote system, it is a Remote Procedure Call (RPC). The RPC request is carried over a session layer protocol. The result that the remote system provides is then returned to the requesting system over the same session layer protocol. With RPC a piece of software can execute components that reside on another system. When using the open source packet analyzer Wireshark and sifting through the various conversations to see if anything appears to be out of order, you observe a UDP conversation between a host and a router that was a file transfer between the two on port 69; the TFTP protocol was used to conduct the file transfer. TFTP is a simple protocol for transferring files, implemented on top of the UDP/IP protocols using well-known port number 69. Post Office Protocol Version 3 (POP3) uses port 110.
Assurance Procedures
Ensures that the control mechanisms correctly implement the security policy for the entire life cycle of an information system. Controls provide accountability for individuals who are accessing sensitive information. This accountability is accomplished through access control mechanisms that require identification and authentication and through the audit function. These controls must be in accordance with and accurately represent the organization's security policy. Assurance procedures ensure that the control mechanisms correctly implement the security policy for the entire life cycle of an information system.
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP) is defined as: A framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands on authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the Internet. EAP can support multiple authentication mechanisms, such as token cards, smart cards, certificates, one-time passwords, and public key encryption authentication. A circuit level proxy is lower in processing overhead when compared to an application level proxy.
External Consistency
External consistency stipulates that the data should match physical reality. It ensures that data stored in a database is consistent with the real world.
Fiber Optic, Coaxial Cables, Category 5 10Base-T cable
Fiber optic communication technology has a significant security advantage over other transmission technology because interception of data traffic is more difficult. Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is very hard to intercept or wiretap. Fiber optic is the form of media that is most resistant to EMI interference. Because fiber-optic cable passes electrically non-conducting photons through a glass medium, it is resistant to Electromagnetic interference (EMI). It is most resistant to tapping. It is immune to the effects of electromagnetic interference (EMI) and therefore has a much longer effective usable length. Fiber-optic cable uses a type of glass that carries light waves, which represent the data being transmitted. Light waves are not affected by cross talk or interference. A coaxial cable is a three-dimensional linear structure. It has a wire conductor in the center, a circumferential outer conductor, and an insulating medium called the dielectric separating these two conductors. The outer conductor is usually sheathed in a protective PVC outer jacket. All these have a common axis. It includes one physical channel that carries the signal surrounded (after a layer of insulation) by another concentric physical channel, both running along the same axis. The maximum length of a Category 5 10Base-T cable is 100 meters. Twisted-pair cables are categorized into UTP categories CAT1, CAT2, CAT3, CAT4, CAT5, etc. The older coaxial cable has been widely replaced with twisted pair, which is extremely easy to work with, inexpensive, and also resistant to multiple host failure at once. In Star topologies, twisted-pair cabling is the preferred cabling.
Packet-switched services
Frame relay and X.25 networks are part of packet-switched services. Some examples of packet-switching technologies are the Internet, X.25, and frame relay.
HTTP, PGP, S/MIME, IPsec, L2TP, IKE, SSL/TLS
HTTP uses port 80. PGP and S/MIME are the most suitable protocols/tools for securing email. Secure MIME (S/MIME) is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions. S/MIME follows the Public Key Cryptography Standards (PKCS). S/MIME uses a hybrid message encryption system, which means it uses both symmetric and asymmetric algorithms. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications. IPsec and L2TP are suitable protocols for securing VPN connections at the lower layers of the OSI model. L2TP integrates with IPSec to provide confidentiality, integrity, and authentication for VPN connections. The role of IKE within the IPsec protocol includes peer authentication and key exchange. Internet Key Exchange (IKE) provides authenticated keying material for use with the Internet Security Association and Key Management Protocol. CHAP is not an IKE authentication method. IKE authentication can be performed using either a preshared key (shared secret), certificate based authentication (signatures), or public key encryption. Pre-shared key authentication within the IKE/IPsec protocol does not need a public key infrastructure (PKI) to work. Pre-shared key authentication is normally based on simple passwords. IKE is used to set up security associations, and IKE builds upon the Oakley protocol and the ISAKMP protocol. IPsec: data cannot be read by unauthorized parties; the identities of all IPsec endpoints are confirmed by other endpoints; the number of packets being exchanged can be counted. IPSec uses the IP protocol to deliver packets. IP treats every packet independently, and the packets can arrive out of order. L2TP is not compatible with NAT.
SSL/TLS: In SSL/TLS, server authentication (mandatory) and client authentication (optional) are supported when you establish a secure session between a client and a server. SSL and TLS both support server authentication (mandatory) and client authentication (optional). The Secure Sockets Layer (SSL) protects mainly web-based traffic/web transactions. Transport Layer Security (TLS) is a two-layered socket layer security protocol that contains the TLS Record Protocol and the Transport Layer Security (TLS) Handshake Protocol. Similar to Secure Shell (SSH-2), Secure Sockets Layer (SSL) uses symmetric encryption for encrypting the bulk of the data being sent over the session and it uses asymmetric or public key cryptography for peer authentication. Peer authentication is an integral part of the SSL protocol. Peer authentication relies on the availability of trust anchors and authentication keys. Secure Sockets Layer (SSL) uses a Message Authentication Code (MAC) for message integrity. A message authentication code (MAC) is a keyed cryptographic hash function used for data integrity and data origin authentication.
Identity Management Solutions
Identity management is the combination of business process and technology used to manage data on IT systems and applications about users. Managed data includes user objects, identity attributes, security entitlements and authentication factors. Enterprises manage identity data about two broad kinds of users: Insiders: including employees and contractors. They often access multiple internal systems and their identity profiles are relatively complex. Outsiders: including customers, partners and vendors. There are normally many more outsiders than insiders. One of the challenges presented by Identity management is scalability. It must be able to scale to support high volumes of data and peak transaction rates. Enterprises manage user profile data for large numbers of people. There may be tens of thousands of insiders and hundreds of thousands of outsiders. Any identity management system used in this environment must scale to support the data volumes and peak transaction rates produced by large user populations.
full backup method, Incremental backup method, Hierarchical Storage Management
In a full backup, all data is backed up and saved to some type of storage media. It is primarily run when time and tape space permit, and is used for the system archive or baseline tape sets. From this baseline, differential and incremental backups can later be made. An incremental backup copies only the files that have changed since the last full or incremental backup. It is used when backup time is critical and tape space is at a premium. Compared to a differential or a full backup, an incremental backup copies fewer files. HSM (Hierarchical Storage Management) provides continuous online backup functionality. It combines hard disk technology with cheaper and slower optical or tape jukeboxes. HSM is typically used in very large data retrieval systems.
Public Key Model
In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity, information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual. "Public key" describes a system that uses certificates or the underlying public key cryptography on which the system is based. In the traditional public key model, clients are issued credentials or "certificates" by a Certificate Authority (CA), a trusted third party. Public key certificates contain the user's name, the expiration date of the certificate, etc. The most common certificate format is X.509. Public key credentials in the form of certificates and public-private key pairs can provide a strong distributed authentication system. The Kerberos and public key trust models are very similar: a Kerberos ticket corresponds most closely to a public key certificate (a Kerberos ticket is supplied to provide access to resources). However, Kerberos tickets usually have lifetimes measured in hours or days rather than months or years.
local loop
In telephony, different types of connections are used. The local loop is the physical link or circuit that connects the demarcation point at the customer premises to the edge of the common carrier's (telecommunications service provider's) network; it is the connection from the phone company's branch office (central office) to local customers.
Individual Accountability*
Individual accountability includes unique identifiers (to identify an individual), access rules (to define access violations) and audit trails (to trace violations or attempted violations). Accountability does not include policies and procedures: while they are important to an effective security program, they cannot be used to determine accountability. Most access violations are accidental.
Infrared communications
Infrared is generally considered more secure against eavesdropping than multidirectional radio transmissions because infrared requires a direct line-of-sight path. Infrared communications require line-of-sight transmission, which makes infrared relatively secure from electronic eavesdropping.
RAS
Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall can best eliminate dial-up access through a Remote Access Server as a hacking vector. Containing the dial-up security problem is conceptually easy: Put your RAS server outside your firewall in the public security zone, and force legitimate users to authenticate with your firewall first to gain access to private network resources. Allow no device to answer a telephone line behind your firewall. This eliminates dial-up as a vector by forcing it to work like any other Internet connection.
Packet Filtering
Packet filtering is based on ACLs. It is not application dependent and operates at the network layer. Packet filtering firewalls are stateless: they do not keep track of the state of a connection. Packet filtering is a firewall technology that makes access decisions based upon network-level protocol header values. The filters can make access decisions based upon the following basic criteria:
* Source and destination port numbers (such as an application port or a service number)
* Protocol types
* Source and destination IP addresses
* Inbound and outbound traffic direction
Packet filtering firewalls can therefore enable access for only authorized application ports or service numbers. A packet filtering firewall looks at the data packet to get information about the source and destination addresses of an incoming packet, the protocol (TCP, UDP, or ICMP), and the source and destination port for the desired service. Packet filtering was the first generation of firewalls and is the most rudimentary of all the firewall technologies. Dynamic packet filtering: when an outgoing request is made from a port number greater than 1023, this type of firewall creates an ACL entry to allow the incoming reply on that port to pass. Ports 0 through 1023 are called well-known ports and are reserved for server-side services, so the sending system chooses a dynamic (ephemeral) port higher than 1023 when it sets up a connection with another entity. The dynamic packet-filtering firewall then creates an Access Control List (ACL) entry that allows the external entity to reply to the internal system on that port.
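As an added example (not part of the original study material), the following Python models the two filter types described above: a stateless ACL that judges every packet on its header fields alone, and a dynamic packet filter that records an outbound request from an ephemeral port and admits only the matching reply. The addresses, ports and rule set are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


# Packets and rules are constructed for this example; "in" means arriving from the Internet.
@dataclass(frozen=True)
class Packet:
    direction: str           # "in" or "out"
    proto: str               # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_ip: str              # exact address or "any"
    dst_ip: str              # exact address or "any"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto == p.proto
                and self.src_ip in ("any", p.src_ip)
                and self.dst_ip in ("any", p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class StatelessFilter:
    """First-match ACL; no memory of earlier packets, default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return "deny"


class DynamicFilter(StatelessFilter):
    """Stateless ACL plus temporary entries for replies to outbound requests from ports > 1023."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        # (proto, inside ip, inside port, outside ip, outside port)
        self.reply_entries: Set[Tuple] = set()

    def decide(self, p: Packet) -> str:
        if p.direction == "in":
            key = (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)
            if key in self.reply_entries:
                return "allow"
        action = super().decide(p)
        if action == "allow" and p.direction == "out" and p.src_port is not None and p.src_port > 1023:
            self.reply_entries.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return action


# Constructed rule set: one public HTTPS server, clients may initiate outbound TCP, no ICMP in.
RULES = [
    Rule("in", "tcp", "any", "10.0.0.5", 443, "allow"),
    Rule("out", "tcp", "any", "any", None, "allow"),
    Rule("in", "icmp", "any", "any", None, "deny"),
]


def demo_stateless() -> List[str]:
    fw = StatelessFilter(RULES)
    return [fw.decide(p) for p in (
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 443),   # allowed service
        Packet("in", "tcp", "198.51.100.7", 40000, "10.0.0.5", 22),    # no rule -> deny
        Packet("out", "tcp", "10.0.0.9", 50000, "203.0.113.10", 80),   # client request
        Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.9", 50000),    # its reply: blocked
    )]


def demo_dynamic() -> Tuple[str, str, str]:
    fw = DynamicFilter(RULES)
    request = fw.decide(Packet("out", "tcp", "10.0.0.9", 50000, "203.0.113.10", 80))
    reply = fw.decide(Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.9", 50000))
    other = fw.decide(Packet("in", "tcp", "203.0.113.10", 80, "10.0.0.9", 50001))
    return request, reply, other


if __name__ == "__main__":
    print(demo_stateless())   # ['allow', 'deny', 'allow', 'deny']
    print(demo_dynamic())     # ('allow', 'allow', 'deny')
```

The stateless filter has to choose between blocking legitimate replies (as above) or opening all high ports inbound; the dynamic filter avoids that trade-off, but note that its reply entry is keyed only on addresses and ports, so an attacker who learns the ephemeral port can still inject packets until the entry expires.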
LAN, NAT
LANs are typically protected from the Internet by firewalls. To allow external access to a LAN, however, you need to open ports on the firewall to allow the connections. Once the firewall allows external connections into the LAN, your last line of defense is authentication: you need to ensure that the remote user connecting to the LAN is who they say they are. Therefore, before allowing external access into a LAN, you should plan and implement proper authentication. Port Address Translation (PAT) is an extension to Network Address Translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. PAT converts the internal private IP addresses found in packet headers into a public IP address and port number for transmission over the Internet; it supports a many-to-one mapping of internal to external IP addresses by using ports. Dynamic translation is a NAT firewall translation mode that allows a large group of internal clients to share a single or small group of routable IP addresses, hiding their identities when communicating with external hosts. PAT is a form of dynamic NAT translation: it maps one internal IP address to an external IP address and port number combination, so PAT can theoretically support 65,536 (2^16) simultaneous communications from internal clients over a single external leased IP address (in practice fewer, since the well-known ports are not used for translation). Static translation is a NAT firewall translation mode that maps one internal host to one public address; it offers no protection from attacks against that internal host and no protection against IP spoofing. NAT can also provide redundancy translation and load-balancing translation.
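An added example, not from the original material: a minimal port address translator in Python that shows the many-to-one mapping (two inside hosts using the same source port receive distinct external ports), the reverse translation of a reply, and why an unsolicited inbound packet is dropped, beside a static one-to-one translation that forwards everything to the inside host. The addresses are constructed.

```python
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]   # (ip, port)

# Constructed public address for the example.
PUBLIC_IP = "203.0.113.1"


class PortAddressTranslator:
    """Dynamic NAT with port overloading (PAT): many inside (ip, port) pairs share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 1024, last_port: int = 65535):
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self.outbound_map: Dict[Addr, int] = {}   # inside (ip, port) -> external port
        self.inbound_map: Dict[int, Addr] = {}    # external port -> inside (ip, port)

    def outbound(self, src: Addr, dst: Addr) -> Tuple[Addr, Addr]:
        """Rewrite the source of a packet leaving the LAN, allocating a mapping on first use."""
        if src not in self.outbound_map:
            try:
                ext_port = next(self._free_ports)
            except StopIteration:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound_map[src] = ext_port
            self.inbound_map[ext_port] = src
        return (self.public_ip, self.outbound_map[src]), dst

    def inbound(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        """Rewrite the destination of a packet from the Internet; None means no mapping, drop it."""
        if dst[0] != self.public_ip or dst[1] not in self.inbound_map:
            return None
        return src, self.inbound_map[dst[1]]


class StaticTranslator:
    """Static one-to-one NAT: every inbound packet for the public address reaches the inside host."""

    def __init__(self, public_ip: str, inside_ip: str):
        self.public_ip = public_ip
        self.inside_ip = inside_ip

    def inbound(self, src: Addr, dst: Addr) -> Optional[Tuple[Addr, Addr]]:
        if dst[0] != self.public_ip:
            return None
        return src, (self.inside_ip, dst[1])   # no check that the traffic was solicited


def demo_pat():
    pat = PortAddressTranslator(PUBLIC_IP)
    a_out = pat.outbound(("192.168.1.10", 51000), ("198.51.100.20", 443))
    b_out = pat.outbound(("192.168.1.11", 51000), ("198.51.100.20", 443))   # same inside port
    a_reply = pat.inbound(("198.51.100.20", 443), a_out[0])                  # reply to host A
    unsolicited = pat.inbound(("198.51.100.99", 4444), (PUBLIC_IP, 3389))    # nobody asked for this
    return a_out, b_out, a_reply, unsolicited


def demo_static():
    static = StaticTranslator(PUBLIC_IP, "192.168.1.50")
    return static.inbound(("198.51.100.99", 4444), (PUBLIC_IP, 3389))        # forwarded regardless


if __name__ == "__main__":
    print(demo_pat())
    print(demo_static())
```

The translation table is what gives dynamic NAT its incidental protection: an inbound packet with no table entry has nowhere to go. Static translation keeps no such table, which is why the page describes it as offering no protection to the inside host; a real PAT implementation also ages entries out so the pool is not exhausted.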
Mandatory Access Control (MAC) Model
Mandatory access control (MAC) is an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object. MAC systems are generally very specialized and are used to protect highly classified data. Users require the correct security clearance to access a specific classification of data. A sensitivity label is required for every subject and object in the MAC model; the sensitivity label is made up of a classification and categories. MAC is considered nondiscretionary and is based on a security label system. It begins with security labels assigned to all resource objects on the system. These security labels contain two pieces of information: a classification (top secret, confidential, etc.) and one or more categories (essentially an indication of the management level, department or project to which the object is available). Similarly, each user account on the system has classification and category properties drawn from the same set of values applied to the resource objects. When a user attempts to access a resource under MAC, the operating system checks the user's classification and categories and compares them to the properties of the object's security label. If the user's clearance satisfies the object's security label, access is allowed. It is important to note that both the classification and the categories must be satisfied: a user with top secret clearance, for example, cannot access a resource if they are not also a member of all the categories required for that object.
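The label comparison described above, and the lattice-based access control mentioned later on this page, can be written as a "dominates" relation: a label dominates another when its classification is at least as high and its category set is a superset. The following Python is an added example (not from the original study material) that implements that relation and, going one step beyond the text, also the Bell-LaPadula "no write down" rule; the classification names and categories are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Ordered classification levels; together with category sets the labels form a lattice.
LEVELS: Dict[str, int] = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as high a level and includes all of other's categories."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    # Simple security property ("no read up"): the clearance must dominate the object's label.
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    # *-property ("no write down"): the object's label must dominate the subject's clearance.
    return obj.dominates(subject)


def demo() -> Dict[str, bool]:
    # Constructed labels: clearances for subjects and labels for objects.
    ts_nuclear = Label("top secret", frozenset({"nuclear"}))
    ts_crypto = Label("top secret", frozenset({"crypto"}))
    secret_nuclear = Label("secret", frozenset({"nuclear"}))
    analyst = Label("top secret", frozenset({"nuclear", "crypto"}))
    return {
        "ts_nuclear_reads_secret_nuclear": can_read(ts_nuclear, secret_nuclear),   # level and category ok
        "ts_nuclear_reads_ts_crypto": can_read(ts_nuclear, ts_crypto),             # right level, wrong category
        "secret_nuclear_reads_ts_nuclear": can_read(secret_nuclear, ts_nuclear),   # read up refused
        "analyst_reads_ts_crypto": can_read(analyst, ts_crypto),                   # superset of categories
        "analyst_writes_secret_nuclear": can_write(analyst, secret_nuclear),       # write down refused
        "secret_nuclear_writes_ts_nuclear": can_write(secret_nuclear, ts_nuclear), # write up allowed
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Note that a top secret clearance alone is not enough to read `ts_crypto`: the category check fails, which is exactly the "both must match" point made in the text.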
CHAP
One approach to remote access security is the Challenge Handshake Authentication Protocol (CHAP). CHAP protects the password from eavesdroppers because the password itself is never sent over the link. CHAP addresses some of the vulnerabilities found in PAP, which transmits the password in cleartext; it uses a challenge/response mechanism to authenticate the user instead of sending a password. When a user wants to establish a PPP connection and both ends have agreed that CHAP will be used for authentication, the authentication server sends the user a challenge (a nonce), which is a random value, together with an identifier. The user's computer computes a one-way hash (MD5 in RFC 1994) over the identifier, the predefined shared password and the challenge, and returns the hash value as its response. The authentication server, which also knows the password, performs the same computation and compares the result to the response it received. If the two values match, the server deduces that the user must know the correct password, and authentication is granted. Because every challenge is a fresh random value, a captured response cannot be replayed against a later challenge; the server may also repeat the challenge periodically during the session.
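The exchange described above, as an added example that is not part of the original material: both sides of a CHAP authentication in Python using the RFC 1994 MD5 construction, plus a replay of a captured response against a fresh challenge. The peer name and shared secret are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over the identifier octet, the shared secret and the challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues random challenges and verifies responses against the shared secrets."""

    def __init__(self, secrets: Dict[str, bytes], rng: Callable[[int], bytes] = os.urandom):
        self.secrets = secrets                  # name -> pre-shared secret (constructed)
        self.rng = rng
        self.outstanding: Dict[int, bytes] = {}

    def challenge(self, identifier: int) -> bytes:
        value = self.rng(16)                    # fresh nonce for every challenge
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        challenge = self.outstanding.pop(identifier, None)   # a challenge can be answered once
        if challenge is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], challenge)
        return hmac.compare_digest(expected, response)       # constant-time comparison


class ChapPeer:
    """Client side: never sends the secret, only the hash of secret and challenge."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        return self.name, chap_response(identifier, self.secret, challenge)


def run_exchange(server: ChapAuthenticator, peer: ChapPeer, identifier: int) -> bool:
    challenge = server.challenge(identifier)               # 1. Challenge
    name, response = peer.respond(identifier, challenge)   # 2. Response
    return server.verify(identifier, name, response)       # 3. Success / Failure


def demo() -> Tuple[bool, bool, bool]:
    server = ChapAuthenticator({"alice": b"correct horse battery"})
    good = run_exchange(server, ChapPeer("alice", b"correct horse battery"), identifier=1)
    bad = run_exchange(server, ChapPeer("alice", b"wrong secret"), identifier=2)
    # Replay: an eavesdropper captures a valid response and resends it for a later challenge.
    captured_challenge = server.challenge(3)
    name, captured = ChapPeer("alice", b"correct horse battery").respond(3, captured_challenge)
    server.verify(3, name, captured)                       # legitimate use of the response
    server.challenge(3)                                    # new random challenge, next session
    replayed = server.verify(3, name, captured)
    return good, bad, replayed


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

The replay fails only because the second challenge differs from the first, which is why the challenge must be unpredictable; the remaining weakness of CHAP is that the response is a fast hash of the secret, so a captured challenge/response pair can be attacked offline by guessing passwords.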
Sniffing, ARP table poisoning, Smurf Attack, DDos, Pharming
Password sniffing captures network traffic in the hope of catching passwords sent between computers. ARP table poisoning is an attack that alters a system's Address Resolution Protocol (ARP) table so that it contains incorrect IP-to-MAC address mappings. An attacker who can modify the address table of a network device can potentially compromise the network: modifying the address table with fake entries can cause switches to send frames to the wrong nodes. An attacker can poison the ARP table so that a victim's IP address points to the attacker's own MAC address; this type of attack is called ARP table poisoning and is used to carry out a man-in-the-middle attack. A smurf attack is where the attacker sends ICMP ECHO REQUEST packets to a network broadcast address with the source IP address spoofed to the victim's address, so that the packets appear to have originated at the victim's system, in order to flood it with reply packets. The attacker typically keeps a list of broadcast addresses (networks that forward directed broadcasts, the so-called amplifiers) and sends a spoofed ICMP echo request to each of them in turn, repeating continually. Every system on each amplifier subnet receives the ICMP ECHO REQUEST and replies with an ICMP ECHO REPLY to the spoofed address, which is the victim's address. All of these response packets go to the victim system and overwhelm it, since it is being bombarded with packets it does not necessarily know how to process; the victim system may freeze, crash, or reboot. DDoS: when an attacker controls a collection of compromised systems, it is referred to as a botnet (network of bots), and the compromised systems are called zombies.
The attacker can use all of these systems to carry out powerful distributed denial-of-service (DDoS) attacks or even rent them to spammers. The owner of the botnet controls the systems remotely, usually through the Internet Relay Chat (IRC) protocol. Pharming is a cyber attack intended to redirect a website's traffic to another, fake site. At the fake site the user can be fooled into providing identity information such as passwords. It is mostly performed by an attacker to steal a user's identity information such as credit card numbers or passwords.
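Detection logic for the ARP poisoning described above, as an added example that is not part of the original material: the function walks a stream of ARP reply records and raises an alert when an IP address changes its MAC, or when one MAC starts claiming several IP addresses (the pattern of an attacker inserting itself between a victim and the gateway). The ARP records and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed ARP reply records: (timestamp, sender IP, sender MAC). Not from the original page.
ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # the gateway announces itself
    (2, "10.0.0.7", "00:11:22:33:44:07"),   # a workstation
    (3, "10.0.0.1", "00:11:22:33:44:01"),   # repeat, consistent
    (4, "10.0.0.1", "de:ad:be:ef:00:99"),   # gateway IP suddenly claimed by a different MAC
    (5, "10.0.0.7", "de:ad:be:ef:00:99"),   # the same MAC also claims the workstation's IP
]


def detect_arp_poisoning(replies: Iterable[Tuple[int, str, str]],
                         known: Optional[Dict[str, str]] = None,
                         multi_ip_allowed: Set[str] = frozenset()) -> List[Tuple]:
    """Return alerts for IP->MAC changes and for one MAC claiming several IPs (the MITM pattern)."""
    table: Dict[str, str] = dict(known or {})           # trusted baseline, e.g. from DHCP leases
    ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Tuple] = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = table.get(ip)
        if previous is not None and previous != mac:
            alerts.append((ts, "mapping-change", ip, previous, mac))
        table[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1 and mac not in multi_ip_allowed:
            alerts.append((ts, "multi-ip-mac", mac, tuple(sorted(ips_by_mac[mac]))))
    return alerts


def demo() -> List[Tuple]:
    # The gateway mapping is seeded as a known-good entry so a change to it is always flagged.
    return detect_arp_poisoning(ARP_REPLIES, known={"10.0.0.1": "00:11:22:33:44:01"})


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The `multi_ip_allowed` set exists because a MAC legitimately owning several IPs (a router with secondary addresses, a VRRP pair) would otherwise fire the second rule constantly; the mapping-change rule also fires on ordinary DHCP reassignments, so in practice it is correlated with the lease database before anyone is paged.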
PIN
Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.
Port knocking
Port knocking is an authentication method in which a client attempts to connect to a predefined sequence of closed ports to identify itself as an authorized client. It is used by network administrators to control access to computers or other network devices behind a firewall. Port knocking takes advantage of firewall rules to allow a client who knows the "secret knock" to enter the network through a particular port by performing a sequence of connection attempts (called a knock sequence). The correct knock sequence for any given port is created for specific IP addresses by the network administrator. A small program called a daemon monitors the firewall log files for connection requests and determines whether a client seeking access is on the list of approved IP addresses and has performed the correct knock sequence. If so, the firewall rules are dynamically modified to open the associated port to the host that sent the knock sequence. Of course, if unauthorized personnel discover the knock sequence (for example by sniffing the knocks on the wire), then they, too, can gain access, so port knocking is an obscurity layer in front of a service, not a replacement for authenticating to the service itself.
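The daemon logic described above, as an added example that is not part of the original material: a Python class that consumes logged connection attempts, tracks each source's progress through the knock sequence within a time window, and "opens" the protected port only for approved sources that complete the sequence in order. The knock sequence, ports and addresses are constructed.

```python
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed parameters: the secret knock, the port it opens, and how long the knock may take.
KNOCK_SEQUENCE = (7000, 8000, 9000)
PROTECTED_PORT = 22
KNOCK_WINDOW = 10.0   # seconds


class KnockDaemon:
    """Watches logged connection attempts and opens the protected port for a source that knocks correctly."""

    def __init__(self, sequence, protected_port: int, window: float,
                 approved_sources: Optional[Set[str]] = None):
        self.sequence = tuple(sequence)
        self.protected_port = protected_port
        self.window = window
        self.approved = approved_sources                    # None means any source may knock
        self.progress: Dict[str, Tuple[int, float]] = {}   # source -> (knocks matched, last knock time)
        self.open_for: Set[str] = set()                     # sources the firewall now admits

    def on_attempt(self, ts: float, src_ip: str, dst_port: int) -> Optional[str]:
        """Feed one firewall log entry; returns the source when its knock completes, else None."""
        if self.approved is not None and src_ip not in self.approved:
            return None
        matched, last = self.progress.get(src_ip, (0, ts))
        if ts - last > self.window:
            matched = 0                                     # too slow: start over
        if dst_port == self.sequence[matched]:
            matched += 1
        elif dst_port == self.sequence[0]:
            matched = 1                                     # wrong port, but a fresh first knock
        else:
            matched = 0
        if matched == len(self.sequence):
            self.progress.pop(src_ip, None)
            self.open_for.add(src_ip)                       # real daemon: insert an allow rule here
            return src_ip
        self.progress[src_ip] = (matched, ts)
        return None

    def is_open(self, src_ip: str) -> bool:
        return src_ip in self.open_for


def replay(attempts: Iterable[Tuple[float, str, int]], approved: Optional[Set[str]] = None) -> KnockDaemon:
    daemon = KnockDaemon(KNOCK_SEQUENCE, PROTECTED_PORT, KNOCK_WINDOW, approved)
    for ts, src, port in attempts:
        daemon.on_attempt(ts, src, port)
    return daemon


def demo() -> Dict[str, bool]:
    approved = {"198.51.100.5"}
    ok = "198.51.100.5"
    correct = replay([(0.0, ok, 7000), (1.0, ok, 8000), (2.0, ok, 9000)], approved)
    wrong_order = replay([(0.0, ok, 8000), (1.0, ok, 7000), (2.0, ok, 9000)], approved)
    too_slow = replay([(0.0, ok, 7000), (1.0, ok, 8000), (15.0, ok, 9000)], approved)
    outsider = "203.0.113.9"
    not_approved = replay([(0.0, outsider, 7000), (1.0, outsider, 8000), (2.0, outsider, 9000)], approved)
    return {
        "correct": correct.is_open(ok),              # True
        "wrong_order": wrong_order.is_open(ok),      # False
        "too_slow": too_slow.is_open(ok),            # False
        "not_approved": not_approved.is_open(outsider),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The time window limits how long a half-finished knock stays pending; without it a slow port scan that happens to touch the knock ports in order would eventually open the port. A production daemon would also close the port again after a timeout and, as the text notes, the sequence itself is visible to anyone sniffing the path.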
Types of Controls
Preventive, Detective, Corrective, Deterrent, Recovery, Compensating. The six different control functionalities are as follows:
* Deterrent: intended to discourage a potential attacker.
* Preventive: intended to avoid an incident from occurring.
* Corrective: fixes components or systems after an incident has occurred; corrective controls are used to restore systems after an incident and are concerned with restoring controls.
* Recovery: intended to bring the environment back to regular operations.
* Detective: helps identify an incident's activities and potentially an intruder.
* Compensating: controls that provide an alternative measure of control.
Access Points
Putting the access point (AP) in a location protected by a firewall is not a way to secure a wireless network, since the firewall does nothing to protect the radio link itself. A descriptive name for the access point is at best security neutral and could decrease security, as it makes it easier for an intruder to gain hints about how the AP is used.
The Physical Installation of a Iris Scanner
The physical installation of an iris scanner requires that the optical unit of the iris pattern biometric system be positioned so that the sun does not shine into the aperture. In identification mode, a biometric system executes a one-to-many comparison against a biometric database in an attempt to establish the identity of an unknown user. If the comparison of the biometric sample to a template in the database falls within a previously set threshold, identification of the individual succeeds. Biometrics is used for identification in physical controls and for authentication in logical controls. Physical controls are items put into place to protect facilities, personnel, and resources. As a physical control, biometrics provides protection by identifying a person to see whether that person is authorized to access a facility. Once a user is identified and granted physical access to a facility, biometrics can be used for authentication in logical controls to provide access to resources. Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as "soft controls" because they are more management-oriented; examples are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components such as firewalls, IDS, encryption, and identification and authentication mechanisms. Physical controls are items put into place to protect facilities, personnel, and resources; examples are security guards, locks, fencing, and lighting. The iris is the least likely biometric to change over a long period of time, which makes the iris pattern well suited for authentication use over many years. The iris is the colored portion of the eye that surrounds the pupil. It has unique patterns, rifts, colors, rings, coronas, and furrows.
The uniqueness of each of these characteristics within the iris is captured by a camera and compared with the information gathered during the enrollment phase. Of the biometric systems, iris scans are the most accurate. The iris remains constant through adulthood, which reduces the types of errors that can happen during the authentication process.
Dumpster Diving
Dumpster diving is rummaging through another person's or company's garbage for discarded documents, information, and other items that could then be used in an attack against that person or company.
SQL injection
SQL injection is an input validation problem. A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. One traditional approach to preventing SQL injection attacks is to handle them as an input validation problem and either accept only characters from a whitelist of safe values or identify and escape a blacklist of potentially malicious values. Whitelisting can be a very effective means of enforcing strict input validation rules, but parameterized SQL statements require less maintenance and can offer more guarantees with respect to security.
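The vulnerable pattern beside its two defenses, as an added example that is not part of the original material: a login query built by string concatenation, the same query as a parameterized statement, and an allowlist check on the username, all run against an in-memory SQLite table. The users, passwords and payload are constructed.

```python
import re
import sqlite3
from typing import Dict, List


def setup() -> sqlite3.Connection:
    """Constructed sample table; real systems would of course store password hashes, not passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # String concatenation: the user's input becomes part of the SQL statement itself.
    query = ("SELECT name FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> List[str]:
    # Parameterized statement: the input is bound as data and cannot change the query structure.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]


# Allowlist validation as a second layer: only characters a username may legitimately contain.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def is_valid_username(name: str) -> bool:
    return USERNAME_RE.match(name) is not None


def demo() -> Dict[str, object]:
    conn = setup()
    payload = "' OR '1'='1"          # classic tautology; the concatenated query becomes
                                     # ... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'
    return {
        "vulnerable_normal": login_vulnerable(conn, "alice", "s3cret"),
        "vulnerable_injected": login_vulnerable(conn, payload, payload),   # every row comes back
        "safe_normal": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, payload, payload),               # no match
        "alice_passes_allowlist": is_valid_username("alice"),
        "payload_passes_allowlist": is_valid_username(payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Parameterization is the primary control because it removes the problem rather than filtering it; the allowlist still earns its place for fields with a known shape, and it is far more robust than a blocklist of "dangerous" characters, which attackers routinely bypass with alternative encodings.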
SESAME
Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support. Just like Kerberos, SESAME depends on the initial user authentication. For that reason, SESAME has the same weakness to attacks on the user's password as Kerberos does.
Remote Access, Remote Access Server, Proxy Server
The security goals of remote access include reliable authentication of users and systems, protection of confidential data, and easily managed access control to systems and network resources. Automated login for remote users is not a goal of remote access security. As client computers used to have built-in modems to allow for Internet connectivity, organizations commonly had a pool of modems to allow for remote access into and out of their networks. In some cases the modems were installed on individual servers here and there throughout the network, or they were centrally located and managed. Most companies did not properly enforce access control through these modem connections, and they served as easy entry points for attackers. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall can best eliminate dial-up access through a Remote Access Server as a hacking vector: put the RAS server outside the firewall in the public security zone, allow no device to answer a telephone line behind the firewall, and force legitimate users to authenticate with the firewall first to gain access to private network resources. This forces dial-up to work like any other Internet connection, and even if an attacker gains access to the Remote Access Server, the firewall provides another layer of protection. A primary security feature of a proxy server is content filtering. A proxy firewall is a network security system that protects network resources by filtering messages at the application layer.
The application-level proxy understands the packet as a whole and can make access decisions based on the content of the packets. Proxies provide a single point of access, control, and logging; they provide services through a single access point. Proxies can also be installed in order to eavesdrop upon the data flow between client machines and the web: all content sent or accessed, including passwords submitted and cookies used, can be captured and analyzed by the proxy operator. Proxy servers act as an intermediary between the clients that want access to certain services and the servers that provide those services. The proxy server sends an independent request to the destination on behalf of the user, thereby masking the origin of the data; it works by transferring a copy of each accepted data packet from one network to another. An application layer firewall is also called a proxy. A network-based application layer firewall is a computer networking firewall operating at the application layer of a protocol stack, also known as a proxy-based or reverse-proxy firewall. An application layer firewall works at layer 7 of the OSI model and is typically built to control all network traffic on any OSI layer up to the application layer; at the lowest level it can examine each data packet, which slows down performance. A circuit level proxy works at the session layer of the OSI model and monitors traffic from a network-based view. This type of proxy cannot "look into" the contents of a packet the way an application level proxy can, so it does not carry out deep packet inspection; this means that, compared to an application level proxy, a circuit level proxy is faster. In a stateful inspection firewall, data packets are captured by an inspection engine operating at the network or transport layer.
A stateful firewall filters traffic based on OSI Layer 3 (Network layer) and Layer 4 (Transport layer).
Statistical multiplexing
Statistical time-division multiplexing (STDM) transmits several types of data simultaneously across a single transmission cable or line. It is a method of multiplexing in which the communication channel is divided into an arbitrary number of variable bit-rate digital channels or data streams, and bandwidth is allocated dynamically to the physical channels that have information to transmit.
TCP
TCP is a type of traffic that can easily be filtered with a stateful packet filter by enforcing the context or state of the request, because the TCP protocol is stateful. In a TCP connection, the sender sends a SYN packet, the receiver sends a SYN/ACK, and the sender then acknowledges that packet with an ACK packet. A stateful firewall understands these steps and will not allow packets through that do not follow this sequence. So if a stateful firewall receives a SYN/ACK and there was no previous SYN packet that correlates with this connection, the firewall understands this is not right and disregards the packet. This is what stateful means: something that understands the necessary steps of a dialog session. It is also an example of context-dependent access control, where the firewall understands the context of what is going on and includes that as part of its access decision. TCP Wrappers allows you to restrict access to TCP services, but not to UDP services; it cannot control access to running UDP services. A TCP wrapper is an application that can serve as a basic firewall by restricting access to ports and resources based on user IDs or system IDs; using TCP wrappers is a form of port-based access control. In the OSI model, layer 4 is the transport layer. In the TCP/IP model, application layer data is encapsulated in a layer 4 TCP segment, and that TCP segment is encapsulated in a layer 3 IP packet. Data, segments, and packets are examples of Protocol Data Units (PDUs); the proper term for a single unit of TCP data at the transport layer is a TCP segment.
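The handshake tracking described above, as an added example that is not part of the original material: a small stateful filter in Python that records a connection on the client's SYN, admits the server's SYN/ACK only if that SYN was seen, and drops a SYN/ACK or bare ACK that belongs to no known connection. The addresses, ports and flag values are constructed for the example (the SYN and ACK bit positions match the TCP header).

```python
from typing import Dict, List, Tuple

SYN = 0x02   # TCP flag bits as they appear in the header's flags byte
ACK = 0x10

Addr = Tuple[str, int]   # (ip, port)


class StatefulTcpFilter:
    """Follows the three-way handshake per connection; packets out of sequence are dropped."""

    def __init__(self, allowed_server_ports):
        self.allowed_server_ports = set(allowed_server_ports)
        # (client addr, server addr) -> "SYN_SENT" | "SYN_RECEIVED" | "ESTABLISHED"
        self.connections: Dict[Tuple[Addr, Addr], str] = {}

    def inspect(self, src: Addr, dst: Addr, flags: int) -> str:
        if flags & SYN and not flags & ACK:                 # step 1: client opens
            if dst[1] not in self.allowed_server_ports:
                return "drop"
            self.connections[(src, dst)] = "SYN_SENT"
            return "pass"
        if flags & SYN and flags & ACK:                     # step 2: server answers
            key = (dst, src)                                # reply flows server -> client
            if self.connections.get(key) != "SYN_SENT":
                return "drop"                               # no SYN seen for this connection
            self.connections[key] = "SYN_RECEIVED"
            return "pass"
        if flags & ACK:                                     # step 3 and later data segments
            for key in ((src, dst), (dst, src)):
                if self.connections.get(key) in ("SYN_RECEIVED", "ESTABLISHED"):
                    self.connections[key] = "ESTABLISHED"
                    return "pass"
            return "drop"                                   # ACK with no handshake behind it
        return "drop"


def demo() -> Tuple[List[str], str, str]:
    fw = StatefulTcpFilter(allowed_server_ports={443})
    client, server = ("10.0.0.9", 50000), ("203.0.113.10", 443)   # constructed endpoints
    handshake = [
        fw.inspect(client, server, SYN),
        fw.inspect(server, client, SYN | ACK),
        fw.inspect(client, server, ACK),
    ]
    unsolicited_synack = fw.inspect(("203.0.113.10", 443), ("10.0.0.9", 50001), SYN | ACK)
    stray_ack = fw.inspect(("198.51.100.4", 1234), ("10.0.0.9", 22), ACK)
    return handshake, unsolicited_synack, stray_ack


if __name__ == "__main__":
    print(demo())   # (['pass', 'pass', 'pass'], 'drop', 'drop')
```

The `stray_ack` case is the one a stateless filter cannot get right: an ACK-flagged probe (as used by ACK scans) looks like part of an established connection unless the firewall remembers that no handshake ever took place. A real implementation also tracks FIN/RST to tear entries down and ages out idle entries.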
AAA servers
The AAA term refers to authentication, authorization, and accounting/audit. These servers include Radius, TACACS, DIAMETER. They do not provide administration. TACACS has been through three generations: TACACS, Extended TACACS (XTACACS), and TACACS+. TACACS combines its authentication and authorization processes; XTACACS separates authentication, authorization, and auditing processes; and TACACS+ is XTACACS with extended two-factor user authentication. TACACS uses fixed passwords for authentication, while TACACS+ allows users to employ dynamic (one-time) passwords, which provides more protection. The original TACACS was developed during the days of ARPANET which is the basis for the Internet. TACACS uses UDP as its communication protocol. TACACS+ uses TCP as its communication protocol.
The Orange Book
The Orange Book (the TCSEC) used the Bell-LaPadula model as the computer security policy model against which all systems were evaluated.
IP, IPsec, Tunneling, IPS, ICMP, IGMP
The IP header contains a protocol field. If this field contains the value 1, the type of data contained within the IP datagram is ICMP; the protocol field value for IGMP is 2. The proper term for a single unit of IP data is an IP datagram. The Internet Protocol (IP) is the principal communications protocol in the Internet protocol suite for relaying datagrams across network boundaries; it is responsible for addressing hosts and for routing datagrams (packets) from a source host to a destination host across one or more IP networks. 128 bits is the address space reserved for the source IP address within an IPv6 header. Compared to IPv4, IPv6 increases the IP address size from 32 bits to 128 bits to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simpler autoconfiguration of addresses. Correct notation for an IPv6 address: the 128 bits are represented in 8 groups of 16 bits each, each group written as 4 hexadecimal digits, with the groups separated by colons (:). Consecutive groups of zeroes may be replaced with a double colon (::). The double colon may only be used once in an address, since multiple use would render the address indeterminate; the address 2001:DB8::8:800::417A uses the double colon twice and is therefore illegal. Valid examples are 2001:0db8:0:0:0:0:1428:57ab (which can be written 2001:db8::1428:57ab), ABCD:EF01:2345:6789:ABCD:EF01:2345:6789 and ABCD:EF01:2345:6789::1. The components of IPsec are the Authentication Header (AH), the Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE). A Key Distribution Center (KDC) is not used by IPsec; Kerberos uses a KDC for authentication. In IPsec, integrity and authentication for IP datagrams are provided by AH, while ESP provides integrity, authentication and encryption. In transport mode, ESP only encrypts the data payload of each packet. One security association (SA) is not enough to establish bi-directional communication.
An SA is unidirectional, so each device will have at least one security association for each direction of each secure connection it uses; two security associations are required for two-way traffic. AH and ESP are the driving force of IPsec. AH provides authentication, integrity and replay resistance (via its sequence number) but does not provide confidentiality; because its integrity check is keyed with a shared symmetric key, it does not provide non-repudiation either. In IPsec, if the communication is gateway-to-gateway or host-to-gateway, then tunnel mode is required. In tunnel mode, the entire IP packet is encrypted and/or authenticated and then encapsulated into a new IP packet with a new IP header. Tunnel mode is used to create virtual private networks for network-to-network communications (e.g. between routers to link sites), host-to-network communications (e.g. remote user access) and host-to-host communications. IPsec tunnel mode is fundamentally an IP tunnel with encryption and authentication; it has two sets of IP headers and is established for gateway service. Tunnel mode works at the Internet layer, not at the Transport layer. IPsec transport mode is set up when the endpoint is a host or the communication terminates at the endpoints; if used in gateway-to-host communication, the gateway must act as a host; and when ESP is used as the security protocol, the integrity check covers only the upper layer protocols contained in the packet, not the outer IP header. Tunnel mode, not transport mode, is required for gateway services. An IP routing table is a list of station and network addresses with corresponding gateway IP addresses. A routing table is a set of rules, often viewed in table format, used to determine where data packets traveling over an Internet Protocol (IP) network will be directed; it stores route information about directly connected and remote networks.
Tunneling is the process of carrying one protocol over another, taking advantage of the security provided by the carrying protocol. A tunneling protocol allows a network user to access or provide a network service that the underlying network does not support or provide directly. Because tunneling involves repackaging the traffic data into a different form, often with encryption, one use of tunneling is to hide the nature of the traffic that is run through the tunnels. An IPS is a network security control deployed in line that detects, alerts, and takes action when a possible intrusion is detected: it both detects intrusive activity and prevents the traffic from reaching the target. ICMP and IGMP work at the network layer of the OSI model.
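An added example, not from the original study material, covering the two IP header points made above: decoding the fixed 20-byte IPv4 header with the standard library's `struct` to read the protocol field (1 = ICMP, 2 = IGMP, and the ESP/AH values IPsec uses), and checking IPv6 notation, including the illegal double use of `::`, with the `ipaddress` module. The header bytes are constructed by the example's own builder; the checksum is left at zero since nothing here transmits the packet.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# IP header protocol numbers relevant to this page.
IP_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}
IPV4_HEADER = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum, src, dst


def build_ipv4_header(proto: int, src: str, dst: str, payload_len: int = 0, ttl: int = 64) -> bytes:
    """Constructed header for the example (no options, checksum zero)."""
    return struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def parse_ipv4_header(data: bytes) -> Dict[str, object]:
    """Decode the fixed part of an IPv4 header and name the encapsulated protocol."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HEADER, data[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 header")
    return {
        "ihl": ihl, "total_length": total_len, "ttl": ttl,
        "protocol": proto, "protocol_name": IP_PROTOCOLS.get(proto, "other"),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def ipv6_notation(text: str) -> Optional[str]:
    """Return the canonical compressed form of an IPv6 address, or None if the notation is illegal."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ipaddress.AddressValueError:
        return None


def demo() -> Tuple[str, str, Optional[str], Optional[str]]:
    icmp = parse_ipv4_header(build_ipv4_header(1, "10.0.0.9", "10.0.0.1", payload_len=8))
    igmp = parse_ipv4_header(build_ipv4_header(2, "10.0.0.9", "224.0.0.1"))
    return (
        icmp["protocol_name"],                          # "ICMP"
        igmp["protocol_name"],                          # "IGMP"
        ipv6_notation("2001:0db8:0:0:0:0:1428:57ab"),   # "2001:db8::1428:57ab"
        ipv6_notation("2001:DB8::8:800::417A"),         # None: "::" used twice
    )


if __name__ == "__main__":
    print(demo())
```

The same parser identifies protocol 50 or 51 on a packet, which is how a monitoring point can tell IPsec traffic apart from the TCP or UDP it encapsulates even though it cannot see inside it.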
Role-based Access Control, Discretionary Access Control, Rule-based Access Control, Identity-based Access Control, Detective Control, Preventive Access Controls, Physical Access Controls, Mandatory Access Control, Lattice-based Access Control, Directive Access Control
The access control objectives are confidentiality, integrity and availability; the additional access control objectives are reliability and utility.

Role-based (non-discretionary) access control: non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network. This type of access control can be role based or rule based, as both prevent users from making access decisions at their own discretion. Role-based access control (RBAC) is a model where access to resources is determined by job role rather than by user account. For example, a bank teller is a job role, so an access control policy written for bank tellers is a role-based policy. Within an organization, roles are created for the various job functions, and the permissions to perform certain operations are assigned to specific roles. Staff (or other system users) are assigned particular roles, and through those role assignments acquire the permissions to perform particular system functions. Since users are not assigned permissions directly but only acquire them through their role (or roles), managing individual user rights becomes a matter of assigning the appropriate roles to the user's account; this simplifies common operations such as adding a user or changing a user's department. Hierarchical RBAC allows the administrator to set up an RBAC model that maps to the organizational structure and functional delineations required in a specific environment. This is useful because businesses are already organized as a personnel hierarchy, and in most cases the higher you are in the chain of command, the more access you will have.
RBAC grants access to resources according to the role the user holds within the company or the tasks the user has been assigned; for example, the right way to let an employee carry out backups is to assign a backup-operator role that carries only the permissions backups require, rather than granting that person broad rights directly. In hierarchical RBAC a role relation defines user membership and privilege inheritance: the nurse role can access a certain set of files, the lab technician role can access another set, and the doctor role inherits the permissions and access rights of both roles in addition to the more elevated rights assigned to the doctor role itself. Hierarchical RBAC is therefore an accumulation of the rights and permissions of other roles. RBAC is the best model for a company whose staff turnover is high: if an employee mapped to a certain role leaves the company, the replacement can simply be mapped to the same role, so the administrator does not have to keep changing the ACLs on individual objects.

Discretionary Access Control (DAC) enables data owners to dictate who has access to the files and resources they own. Access in a DAC model is restricted based on the authorization granted by the owner, so users are allowed to decide the type of access that can occur to the objects they own. Identity-based access control is a type of DAC that allows or denies access based on the identity of the individual subject.
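As an added example (not code from the original study material), the following Python implements hierarchical RBAC as described above: permissions attach to roles, roles can inherit from other roles, and users get rights only through role assignment. The hospital roles, the backup-operator role and the user names are constructed for illustration; the permission tuples are hypothetical (operation, object) pairs. The staff_turnover function shows why RBAC suits high-turnover organizations: replacing a leaver is one role assignment, with no per-object ACL edits.

```python
class RBAC:
    """Minimal role-based access control with role inheritance (hierarchical RBAC)."""

    def __init__(self):
        self.role_perms = {}    # role -> set of (operation, object) permissions
        self.role_parents = {}  # role -> roles whose permissions it inherits
        self.user_roles = {}    # user -> roles assigned to that user

    def add_role(self, role, perms=(), inherits=()):
        for parent in inherits:
            if parent not in self.role_perms:
                raise ValueError(f"unknown parent role {parent!r}")
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise ValueError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_all(self, user):
        """Offboarding: drop the user; no object ACL needs to change."""
        self.user_roles.pop(user, None)

    def effective_roles(self, role):
        """Transitive closure over the inheritance relation (cycle-safe)."""
        seen, stack = set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            stack.extend(self.role_parents.get(r, ()))
        return seen

    def permissions(self, user):
        """Union of the permissions of every role the user holds, inherited ones included."""
        perms = set()
        for role in self.user_roles.get(user, ()):
            for r in self.effective_roles(role):
                perms |= self.role_perms[r]
        return perms

    def check(self, user, operation, obj):
        return (operation, obj) in self.permissions(user)


def build_hospital_rbac():
    """Constructed example mirroring the text: doctor inherits nurse and lab technician."""
    rbac = RBAC()
    rbac.add_role("nurse", {("read", "vitals"), ("write", "vitals")})
    rbac.add_role("lab_technician", {("read", "lab_results"), ("write", "lab_results")})
    rbac.add_role("doctor", {("write", "prescription")},
                  inherits=("nurse", "lab_technician"))
    # Least-privilege role for running backups: read everything, write only backup media.
    rbac.add_role("backup_operator",
                  {("read", "vitals"), ("read", "lab_results"), ("write", "backup_media")})
    rbac.assign("alice", "doctor")
    rbac.assign("bob", "nurse")
    rbac.assign("carol", "backup_operator")
    return rbac


def staff_turnover(rbac, leaver, joiner, role):
    """Replacing a departing employee is a role re-assignment, not an ACL edit."""
    rbac.revoke_all(leaver)
    rbac.assign(joiner, role)
    return rbac.permissions(joiner)
```

Note that inheritance accumulates rights upward: the doctor role ends up with everything the nurse and lab technician roles have, which is exactly the property to watch when a hierarchy grows, since a senior role quietly collects every permission added to any role beneath it.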
Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object. It is considered non-discretionary because users cannot make access decisions at their own discretion. Identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity. Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network: a central authority determines which objects subjects may access, based on the subject's role in the organization (role-based), the subject's responsibilities and duties (task-based), or the organizational security policy. In an organization with frequent personnel changes, non-discretionary access control is useful because the access controls are tied to the role or title within the organization and do not need to change whenever a new person takes over that role. Another type of non-discretionary access control is lattice-based access control, in which a lattice model is applied: every pair of elements in the lattice has a least upper bound and a greatest lower bound.
Applied to access control, the pair of elements is a subject and an object, and the subject may access the object only if the subject's label lies at or above the object's label in the lattice (the subject's bound is equal to or higher than that of the object being accessed); the least upper bound and greatest lower bound of two labels define the range of access rights the pair can share.

A detective control is an access control type that is effective during and after an attack. It is used to record and analyze the events of a breach to expose the source and target of the attack, the vulnerability targeted, and the specific tools and methodology used. Preventive access controls are intended to stop an incident from occurring. Duplicate checking of a calculation is not a preventive control (it detects errors after the fact). A user login screen that allows only authorized users to access a website is an example of a preventive/technical control; the preventive/technical pairing uses technology to enforce access control policies. These technical controls are also known as logical controls and can be built into the operating system, be software applications, or be supplemental hardware/software units. Encrypting data so that only authorized users can view it is another example of a preventive/technical control. Typical preventive/technical controls are protocols, encryption, smart cards, biometrics (for authentication), local and remote access control software packages, call-back systems, passwords, constrained user interfaces, menus, shells, database views, limited keypads, and virus scanning software. Nonrepudiation is classified as a preventive control. Nonrepudiation is the assurance that someone cannot deny something; typically it refers to the ability to ensure that a party to a contract or a communication cannot deny the authenticity of their signature on a document or the sending of a message that they originated.
For example, if a user sends a message and later claims he did not send it, that is an act of repudiation. When a cryptographic mechanism provides nonrepudiation (in practice a digital signature made with a private key that only the sender holds), the sender cannot credibly deny having sent the message: he can try, but the cryptosystem proves otherwise. It is a way of keeping the sender honest, and it is counted as preventive because it removes the ability to deny. Physical access controls such as locks and doors are examples of preventive/physical controls; they restrict physical access to areas holding systems with sensitive information.

Mandatory Access Control (MAC) is considered non-discretionary and is based on a security label system. MAC begins with security labels assigned to all resource objects on the system. A label contains two pieces of information: a classification (top secret, confidential, and so on) and a set of categories (essentially an indication of the management level, department or project to which the object is available). Each user account likewise carries a clearance and a set of categories drawn from the same properties. When a user attempts to access a resource, the operating system compares the user's clearance and categories with the object's label: access is allowed only if the user's clearance is at least as high as the object's classification and the user holds every category required by the object. Both conditions must hold; a user with a top secret clearance, for example, cannot access a resource if they are not also a member of the categories required for that object. MAC is therefore an access policy that restricts access to objects based on the security clearance of a subject and the classification of an object, and lattice-based access control is used to implement it.
Two methods are commonly used for applying mandatory access control. Rule-based (or label-based) access control further defines specific conditions for access to a requested object: a MAC system implements a simple form of rule-based access control, granting or denying access by comparing the object's sensitivity label with the subject's sensitivity label. Lattice-based access control is a mathematical model that allows a system to represent the different security levels and to control access attempts based on those levels; every pair of elements has a greatest lower bound and a least upper bound of access rights. A lattice-based model, a type of label-based mandatory access control, defines the levels of security that an object may have and that a subject may have access to, and is an example of mandatory access control. A lattice is a mathematical construct built on a partially ordered set (not on a group): the usual definition is "a structure consisting of a finite partially ordered set together with least upper bound and greatest lower bound operators on the set." Lattice-based access controls can be used for complex access control decisions involving multiple objects and/or subjects, since the lattice defines a greatest lower bound and a least upper bound for any pair of elements, such as a subject and an object.

A directive access control is deployed to direct the actions of subjects and encourage compliance with security policies. Policies stating rules of acceptable behavior in the organization are directives, so they are known as directive access controls.
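The MAC comparison and the lattice operations described in the two passages above, as an added Python example (not from the original study material). The classification levels and the category names ("nuclear", "crypto") are constructed; the dominance rule (level at least as high and categories a superset) and the least-upper-bound / greatest-lower-bound definitions are the standard ones for a label lattice. It shows the case the text calls out, a top secret clearance with no categories being refused a secret object, and that two incomparable labels still have a well-defined LUB and GLB.

```python
# Constructed, strictly ordered classification levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label:
    """Security label: a classification level plus a set of categories (compartments)."""

    def __init__(self, level, categories=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.categories = frozenset(categories)

    def dominates(self, other):
        """self >= other in the lattice: higher-or-equal level AND superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def lub(self, other):
        """Least upper bound: the lowest label that dominates both."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.categories | other.categories)

    def glb(self, other):
        """Greatest lower bound: the highest label dominated by both."""
        level = min(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.categories & other.categories)

    def __eq__(self, other):
        return (isinstance(other, Label)
                and (self.level, self.categories) == (other.level, other.categories))

    def __hash__(self):
        return hash((self.level, self.categories))

    def __repr__(self):
        return f"Label({self.level!r}, {sorted(self.categories)})"


def mac_read_allowed(subject, obj):
    """MAC read check: the subject's clearance label must dominate the object's label."""
    return subject.dominates(obj)


def comparable(a, b):
    """True when one label dominates the other; a lattice also orders incomparable pairs
    through their LUB and GLB."""
    return a.dominates(b) or b.dominates(a)
```

Categories are what make this a lattice rather than a simple ladder of levels: with only levels, every pair of labels is comparable, but once compartments are added, "secret, nuclear" and "confidential, crypto" are incomparable and the LUB ("secret, nuclear+crypto") is the minimum clearance someone needs to read both.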
Bridge, Router, Gateway
A bridge connects multiple networks at the data link layer, while a router connects multiple networks at the network layer. Both connect networks, but a bridge works only up to the data link layer (layer 2) whereas a router works at the network layer (layer 3). A gateway acts as a translator and is used to connect two networks or applications from layer 4 up to layer 7 of the ISO/OSI model; a gateway working at the OSI application layer connects different types of networks and performs protocol and format translations.
Memory Cards/Smart Cards
The main difference between memory cards and smart cards is their capacity to process information. A memory card holds information but cannot process it; a smart card holds information and has the hardware and software needed to process it. Both are preventive/technical controls. A memory card can hold a user's authentication information so that the user only needs to type in a user ID or PIN and present the memory card; if the data the user entered matches the data on the card, the user is authenticated. When the user must present a PIN as well, this is two-factor authentication: something the user knows and something the user has. A memory card can also hold identification data that a reader pulls from the card and sends, together with the PIN, to a back-end authentication server. An example of a memory card is a swipe card that must be used to enter a building: the user enters a PIN and swipes the card through a reader, and if the combination is correct the reader flashes green and the door can be opened. Another example is an ATM card: if Buffy wants to withdraw $40 from her checking account, she needs to enter the correct PIN and slide the ATM card (a memory card) through the reader. Because a memory card's contents can be read and copied by anyone with a reader, the only real secret is the PIN; a smart card can instead keep its key on the chip and perform the cryptographic operation itself, which is why smart cards resist cloning.
honeypot system
The primary goal of a honeypot is to know when certain types of attacks are in progress and to learn about attack techniques so the network can be fortified. A honeypot system is a computer that usually sits in the screened subnet, or DMZ, and attempts to lure attackers to it instead of to actual production computers. To make a honeypot attractive, administrators may enable services and ports that are popular to exploit. Some honeypots emulate services, meaning the actual service is not running but software that behaves like it is available. Honeypots get an attacker's attention by advertising themselves as easy targets to compromise; they are configured to look like regular company systems so that attackers are drawn to them like bears to honey. Honeypots work as early detection mechanisms: network staff can be alerted that an intruder is attacking a honeypot and quickly act to make sure no production systems are vulnerable to that specific attack type. Because no legitimate user has any reason to touch a honeypot, any traffic to it is suspicious by definition, which keeps the false-positive rate low. Organizations use these systems to identify, quantify and qualify specific traffic types to help determine their danger levels; the systems can gather network traffic statistics and return them to a centralized location for analysis, so as they are attacked they gather intelligence that helps the network staff understand what is taking place in their environment.
Authentication Mechanisms
The three general factors for authentication are something a person knows, something a person has and something a person is. Authentication mechanisms include mechanisms based on IP addresses, mechanisms with reusable passwords, one-time password mechanisms and challenge-response mechanisms. Authentication based on IP addresses is useful if a user has a fixed IP address, at work or even at home: the user can then access a resource only from that defined address. It is a problem for mobile users, however, because they connect to different networks on their travels (different WiFi networks or mobile networks), so the public IP address they connect from changes frequently; and because a source IP address can be spoofed, it identifies a network location rather than a person and should not be relied on as the only factor. Authentication involves verifying a user's claimed identity using a passphrase, PIN, biometric, one-time password or password. Two-factor authentication, also known as strong authentication, must include two of the three authentication types.
Emanation Attack
To protect against emanation attacks, ensure all cables are shielded, build concrete walls that extend from the true floor to the true ceiling, and install a white noise generator. Shielding protects against electromagnetic emanation by reducing the size and strength of the propagated field, which makes it an effective method for decreasing or eliminating interference and crosstalk. White noise also protects against electromagnetic emanation: it drowns out the small signal emanations that could otherwise be identified and used by unauthorized parties to steal data.
Tripwire
Tripwire is a tool that detects when files have been altered by periodically recalculating cryptographic hashes of them and comparing the results with a baseline stored in a secure location; it raises an alert when a change is detected. Because it uses cryptographic hashes, Tripwire detects even subtle changes, whereas the simplistic form of file integrity checking, comparing file size and last modification time, can be defeated by an attacker who makes a same-length edit and restores the timestamp. The baseline database must itself be protected (for example, kept on read-only media or signed), since an attacker who can rewrite it can hide their changes. By contrast, L0phtCrack, OphCrack and John the Ripper are password cracking tools and are therefore more likely to be used by attackers than Tripwire.
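As an added example (this is not Tripwire's code, nor from the original study material), the following Python builds a hash-based file integrity baseline alongside the naive size-and-mtime check and runs both over a constructed scenario: an attacker changes one line of a configuration file without changing its length and then restores the original modification time. The file names and contents are made up for the demonstration. The hash comparison catches the edit; the size/mtime comparison does not.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Record hash, size and mtime for every file under root (keyed by relative path)."""
    root = Path(root)
    db = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            db[str(p.relative_to(root))] = {
                "sha256": file_digest(p),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return db


def compare(before, after):
    """Diff two baselines: hash-based detection beside the naive size/mtime check."""
    report = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "changed_by_hash": [],
        "changed_by_size_mtime": [],
    }
    for name in sorted(set(before) & set(after)):
        old, new = before[name], after[name]
        if old["sha256"] != new["sha256"]:
            report["changed_by_hash"].append(name)
        if (old["size"], old["mtime_ns"]) != (new["size"], new["mtime_ns"]):
            report["changed_by_size_mtime"].append(name)
    return report


def demo():
    """Constructed scenario: an attacker edits a config file without changing its
    length, restores the original timestamp (a common anti-forensic step) and
    drops a new file. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        cfg = root / "sshd_config"
        cfg.write_bytes(b"PermitRootLogin no \n")
        (root / "motd").write_bytes(b"Authorised users only\n")
        before = baseline(root)

        original_stat = cfg.stat()
        tampered = b"PermitRootLogin yes\n"  # same length as the original line
        assert len(tampered) == original_stat.st_size
        cfg.write_bytes(tampered)
        os.utime(cfg, ns=(original_stat.st_atime_ns, original_stat.st_mtime_ns))
        (root / "backdoor.sh").write_bytes(b"#!/bin/sh\n")

        return compare(before, baseline(root))
```

Two caveats carry over to real deployments: the baseline here lives in memory, but in production it must be stored where the monitored host cannot rewrite it, and any checker that runs on the compromised host can be lied to by a kernel-level rootkit, so hashing from a trusted boot environment is stronger than a scheduled job on the box itself.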
Firewall
A firewall is used to reduce the risk to a local area network (LAN) that has external connections by filtering ingress and egress traffic. Egress filtering is the practice of monitoring and potentially restricting the flow of information outbound from one network to another: TCP/IP packets being sent out of the internal network are examined by a router, firewall or similar edge device. Ingress filtering is used to ensure that incoming packets are actually from the networks they claim to originate from. Firewalls can help limit the impact of viruses, but they are not able to prevent the spread of viruses; anti-virus software is needed for that. Firewalls create bottlenecks between the internal and external network, allow for centralization of security services in machines optimized and dedicated to the task, and are used to create security checkpoints at the boundaries of private networks. Packet filtering firewalls work at the network layer (layer 3) of the OSI model; if you filter on specific ports you are also filtering at layer 4, and if the firewall inspects specific protocol states or data it operates at layer 7. Firewalls do not operate at layer 1 or layer 2 of the OSI model. SNMP should not normally be allowed through a firewall: SNMP is used to monitor and manage devices on a network segment, so there is no reason to allow SNMP traffic across the perimeter. Outbound packets with an external destination IP address should not be dropped at a firewall protecting an organization's internal network, because internal users accessing the Internet create exactly such packets; what an egress filter should drop is an outbound packet whose source address is not one of the organization's own.
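The following is an added example (not from the original study material): a small stateless packet filter in Python that applies the ingress and egress rules just described to constructed packets. The internal address ranges, the web server address and the packet dicts are assumptions for the demonstration, standing in for parsed IP/TCP/UDP headers. It drops inbound packets that claim an internal source (ingress anti-spoofing), drops outbound packets whose source is not internal (egress filtering), blocks SNMP across the perimeter in both directions, allows only the published web service inbound, and allows internal users outbound to external destinations.

```python
import ipaddress

# Constructed topology: two RFC 1918 ranges inside the perimeter and one public web server.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_SERVER = ipaddress.ip_address("10.0.5.10")
PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443)}
SNMP_PORTS = {161, 162}


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt, direction):
    """Return (action, reason) for a packet crossing the perimeter.

    direction is "in" (arriving on the external interface) or "out" (leaving).
    pkt is a dict with src, dst, proto and dport: a constructed stand-in for a
    parsed packet header.
    """
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    proto, dport = pkt["proto"], pkt["dport"]

    # Ingress filtering: traffic from outside must not claim an internal source.
    if direction == "in" and is_internal(src):
        return ("drop", "ingress: spoofed internal source")
    # Egress filtering: traffic leaving must carry one of our own addresses, otherwise
    # a compromised host could take part in spoofed-source attacks on others.
    if direction == "out" and not is_internal(src):
        return ("drop", "egress: non-internal source")
    # SNMP manages devices on our own segments; it should not cross the perimeter.
    if proto == "udp" and dport in SNMP_PORTS:
        return ("drop", "snmp across perimeter")
    # Inbound: only the published services on the public web server.
    if direction == "in":
        if dst == WEB_SERVER and (proto, dport) in PUBLIC_SERVICES:
            return ("allow", "published service")
        return ("drop", "default deny inbound")
    # Outbound: internal users reaching external destinations are legitimate.
    if not is_internal(dst):
        return ("allow", "egress to external destination")
    return ("drop", "default deny")


def run_filter(packets):
    """Apply the policy to a list of (packet, direction) pairs; returns the actions."""
    return [filter_packet(p, d)[0] for p, d in packets]
```

The ordering matters: the anti-spoofing checks come before any allow rule, so a packet arriving from the outside with a forged 10.x source is dropped even if it is aimed at a published port. A real stateful firewall would additionally track connections so that reply traffic to internal users is admitted without an explicit inbound rule, which this stateless model does not attempt.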
War Dialing
War dialing is a technique of using a modem to automatically dial a list of telephone numbers, usually every number in a local area code, to search for computers, bulletin board systems and fax machines. The resulting lists are used for various purposes: hobbyists use them for exploration, and crackers (malicious hackers who specialize in computer security) use them for guessing user accounts (by capturing voicemail greetings) or for locating modems that might provide an entry point into computer or other electronic systems. War dialing may also be used by security personnel, for example to detect unauthorized devices such as modems or faxes on a company's telephone network. To prevent intrusion or damage from war dialing attacks, configure the system to require user authentication before a network connection can be established, so that an attacker cannot gain access to the network without a valid username and password.
RAID
When data are written across all drives, the technique of striping is used: the data are divided and written over several drives. With RAID level 0, data are striped over several drives to create one single logical disk; striping gives performance but no redundancy, so the loss of any one drive loses the whole volume. With RAID level 1, disk mirroring, data are written to two drives at once in a one-for-one setup; if one drive fails, the other has the exact same data available. With RAID level 5, data are written in block (sector) units across all drives, and parity information is also distributed across all drives rather than kept on a dedicated parity disk, so there is no single parity drive whose loss would be fatal; the array survives the failure of any one drive, whose contents are rebuilt from the remaining data and parity blocks. Level 5 stripes the data and the parity information at the block level across all the drives in the set.
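The striping, rotating parity and single-drive rebuild of RAID 5, as an added Python example (not from the original study material). The drive count, block size and sample data are constructed, and the parity rotation order is one arbitrary choice among several real layouts; the mechanism is the standard one: each stripe's parity block is the XOR of its data blocks, so any one missing block is the XOR of the others. It also shows why RAID 5 tolerates only one failure: with two drives gone, a stripe has two unknowns and one equation.

```python
def xor_blocks(*blocks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_drive_for(stripe, n_drives):
    """RAID 5 rotates the parity block across drives stripe by stripe."""
    return (n_drives - 1 - stripe) % n_drives


def raid5_write(data, n_drives=4, block_size=4):
    """Stripe data over n_drives with one rotating XOR parity block per stripe.
    Returns (drives, length): drives[d] is the list of blocks stored on drive d."""
    if n_drives < 3:
        raise ValueError("RAID 5 needs at least three drives")
    per_stripe = block_size * (n_drives - 1)
    padded = data + b"\x00" * ((-len(data)) % per_stripe)
    drives = [[] for _ in range(n_drives)]
    for stripe, off in enumerate(range(0, len(padded), per_stripe)):
        blocks = [padded[off + k * block_size: off + (k + 1) * block_size]
                  for k in range(n_drives - 1)]
        parity = xor_blocks(*blocks)
        p = parity_drive_for(stripe, n_drives)
        it = iter(blocks)
        for d in range(n_drives):
            drives[d].append(parity if d == p else next(it))
    return drives, len(data)


def raid5_rebuild(drives, failed):
    """Reconstruct the failed drive (drives[failed] may be None): every block is
    the XOR of the other drives' blocks in the same stripe."""
    survivors = [d for i, d in enumerate(drives) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("RAID 5 tolerates only a single drive failure")
    return [xor_blocks(*(d[s] for d in survivors)) for s in range(len(survivors[0]))]


def raid5_read(drives, length):
    """Reassemble the logical volume, skipping each stripe's parity block."""
    n = len(drives)
    out = bytearray()
    for stripe in range(len(drives[0])):
        p = parity_drive_for(stripe, n)
        for d in range(n):
            if d != p:
                out += drives[d][stripe]
    return bytes(out[:length])
```

Rebuilding reads every surviving drive in full, which is why a second failure during a long rebuild of a large array is the realistic RAID 5 risk and why RAID 6 adds a second, independent parity block.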
White-Box Penetration Testing, Pivoting Method, Zero-Day Attack
With white box testing, the testers are provided with complete knowledge of the infrastructure being tested. Pivoting is a method that uses an already compromised system to attack other systems on the same network, bypassing restrictions that might prohibit direct access to those machines from the outside. A zero-day attack is a computer software attack that takes advantage of a previously unpublished vulnerability: an undisclosed flaw in an application that could be misused to harm the program, its data, other computers or a network, and for which no vendor fix yet exists.