Domain 3


SDLC - Development

- Security checkpoints are created along the way
- Engineering and development: developers implement the determined security within the code.

Firewall: Application

1. Web proxies
2. Mail proxies
3. Application proxies understand the application/protocol they are proxying/evaluating.
4. This allows for additional security, as they can inspect the data for protocol violations or content.

Wireless Security - Authentication

802.1x: RADIUS or some other central server for authentication
Prevents man-in-the-middle attacks
Note: IP Security v6 effectively prevents man-in-the-middle attacks by including the source and destination Internet Protocol addresses within the encrypted portion of the packet. The protocol is resilient to man-in-the-middle attacks.

Network Protection: Segmentation VLANS

A VLAN is the concept of creating multiple broadcast domains (LANs) on a single switch
Much cheaper than a router
Unable to connect different networks, unless using a Layer 3 switch

Biometrics

A desirable sensitivity setting for a biometric access control system is a high false reject rate (FRR). When tuning the solution, one has to adjust the sensitivity level to give preference either to the false reject rate (FRR, the type I error rate), where the system is more prone to deny access to a valid user, or to the opposite setting, where the system is more prone to allow access to an invalid user. The preferable setting is in the FRR region of sensitivity.

SSL/TLS

Client initiates a secure connection
Server responds by sending its public key to the client
The client then generates a symmetric session key
Client uses the server's public key to encrypt the session key
Client sends the session key (encrypted with the server's public key) to the server
Server uses its private key to decrypt the session key
Now that a symmetric session key has been distributed, both parties have a secure channel across which to communicate

XSS (Cross Site Scripting)

Cross-site scripting attacks inject malformed input.

PKI - Certificate Revocation List (CRL)

CA publishes CRL. Client is responsible for downloading to see if a certificate has been revoked.

XSRF (cross-site request forgery)

Cross-site request forgery (XSRF) exploits inadequate authentication mechanisms in web applications that rely only on elements such as cookies when performing a transaction. It is a type of web site attack in which unauthorized commands are transmitted from a trusted user.

Common Criteria (CC) Evaluation and Assurance Levels

EAL 1 - Functionally tested
EAL 2 - Structurally tested
EAL 3 - Methodically tested and checked
EAL 4 - Methodically designed, tested, and reviewed
EAL 5 - Semi-formally designed and tested
EAL 6 - Semi-formally verified, designed and tested
EAL 7 - Formally verified, designed and tested

Controls Policy

- A policy defining control operational and failure modes, e.g., fail secure, fail open, allowed unless specifically denied, denied unless specifically permitted.
-- Fail-safe: describes the design properties of a computer system that allow it to resist active attempts to attack or bypass it.

Information Security Program

- As defined by ISACA, the goal of this domain is to "Develop and maintain an information security program that identifies, manages and protects the organization's assets while aligning to information security strategy and business goals, thereby supporting an effective security posture."
- Is best coordinated by the Chief Operating Officer, as this individual should properly see the need for balance between information security and business operations
- The primary goal of developing an information security program is to implement the security strategy

Certification and Accreditation

- Certification is the technical evaluation of the product's security mechanisms in a particular environment. Usually performed by QA.
-- Certification should yield verification
- Accreditation is management's approval and acceptance of the product and the related risks.
-- Accreditation yields validation

SDLC - Conceptual Phase

- Conceptual: feasibility studies and initial risk assessments. Broad understanding of security framework

Data Security - Confidentiality

- Confidentiality
-- Data at rest: Encryption
--- Data encrypted at the application level that is stored in a database cannot be viewed in cleartext by the database administrator.

SDLC - Design Phase

- Design: developers plan for implementation of security per requirements. Security is provided for in the budget and schedule. Design reviews will help ensure that security remains a focus.

Event Monitoring

- Event monitoring is the practice of examining the events that are occurring on information systems, including applications, operating systems, database management systems, end user devices, and every type and kind of network device, and being aware of what is going on throughout the entire operating environment
-- Log reviews
-- Honeypots
-- IDS/IPS
-- SIEM tools
--- Implementing a security information and event management (SIEM) process helps ensure that incidents are correctly identified and handled appropriately. Because a SIEM process depends on log analysis based on predefined rules, the most effective way to reduce false-positive alerts is to develop use cases for known threats to identified critical systems. The use cases would then be used to develop appropriate rules for the SIEM solution.

Hashes/Message Digests

- Hashing is only good for detecting accidental modification
- MAC
-- Provides reasonable authenticity and integrity; not strong enough for non-repudiation (because it uses a symmetric key)
- HMAC
-- A pre-shared key is exchanged

SDLC - Requirements Phase

- Requirements:
-- Functional analysis: the customer provides the requirements of the system or product. Functional requirements should include security.
-- System analysis: developers determine the security specifications and plan for implementation of security checkpoints

Role-Based Access Control

- Role-based access control is effective and efficient in large user communities because it controls system access by the roles defined for groups of users. Users are assigned to the various roles and the system controls the access based on those roles.
-- RBAC works well for mandatory vacations and job rotations

Technology Architecture

- Technology architecture describes the architectural design principles, components, relationships, and supporting infrastructure (hardware and software) needed to support mission-critical applications
-- Minimum standards for securing the technical infrastructure should be defined in a security architecture document.

SDLC - Testing Phase

- Unit testing ensures structure and logic of code.
- Stress testing ensures that there are no scalability problems.
- Testing: certification ensures the technical security features of a product meet the developer's description. If so, the product is verified. Accreditation/authorization is senior management's decision to implement the product, as it solves the problem it was designed to solve. The product is now validated.

Third Party Providers

- When an organization enters into an outsourcing agreement with a third-party service provider, the information security manager becomes responsible for ensuring that the provider adheres to the same security requirements as apply to the organization itself and that any variances are documented and presented to senior management for an appropriate risk response. The challenge of being able to assess a provider's security behaviors on an ongoing and verifiable basis is one of the main concerns of the information security manager in any outsourcing arrangement.
-- Outsourcing services to a third party in a foreign country presents the greatest consideration: laws and regulations of the country of origin may not be enforceable in the foreign country
- Regular, ongoing risk assessments/audits are essential

Information Security Program Concepts

- An IS program includes the practical elements that make the information security strategy possible
-- The process of developing information security governance structures, achieving organizational adoption and developing a strategy to implement will define the scope and responsibilities of the security program.
- Provides the means for closing the gap between current state and desired state
- Effective strategic alignment of the information security program requires an understanding of business plans and objectives as determined by business owners.
- Process flow:
-- Determine desired outcome
-- Determine desired state
-- Perform gap analysis (determine current state)
-- Develop strategy to close gaps
-- Develop program to implement strategy
-- Manage security program to ensure objectives are met

Firewall: Packet Filter

1. Blacklisting
2. Whitelisting
3. Uses access control lists (ACLs), which are rules that a firewall applies to each packet it receives.
4. Not stateful; just looks at the network and transport layer fields of the packet (IP addresses, ports, and "flags")
5. Does not look into the application; cannot block viruses, etc.

Firewall: Stateful

1. Router keeps track of connections in a table
2. It knows which conversations are active, who is involved, etc.
3. It allows return traffic to come back, where a packet filter would have to have a specific rule to define returned traffic
4. Context-dependent access control

Background Checks

Because past performance is a strong predictor of future performance, background checks of prospective employees are the best way to prevent attacks from originating within an organization.

Essential Elements of an Information Security Program

Management Commitment
Risk Management
Asset Inventory and Management
Change Management
Incident Response and Management
Configuration Management
Training and Awareness
Continuous Audit
Metrics and Measurement
Vulnerability Assessment
Pen Testing
Application Security Testing
Device Management
Log Monitoring, Analysis and Management

Threat & Mitigation Threat: Spoofing (MiTM)

Mitigation:
-- Authentication
A component of STRIDE

Threat & Mitigation Threat: Escalation of Privilege

Mitigation:
-- Authorization
A component of STRIDE

Threat & Mitigation Threat: Information Disclosure

Mitigation:
-- Encryption
A component of STRIDE

Threat & Mitigation Threat: Denial of Service

Mitigation:
-- High availability/Redundancy/Fault tolerance
A component of STRIDE

Threat & Mitigation Threat: Tampering

Mitigation:
-- Integrity verification (Message digests/CRCs)
A component of STRIDE

Threat & Mitigation Threat: Repudiation

Mitigation:
-- Non-repudiation (Digital Signatures)
A component of STRIDE

Network Protection: Segmentation NAT

Network address translation is helpful by having internal addresses that are non-routable. This can help prevent external security attacks.

SSH

Secure Shell (SSH) File Transfer Protocol is a network protocol that provides file transfer and manipulation functionality over any reliable data stream. It is typically used with the SSH-2 protocol to provide secure file transfer.

S/MIME

Secure/Multipurpose Internet Mail Extensions (S/MIME) is a standard for public key encryption and signing of email encapsulated in MIME; it is not a web transaction protocol.

Network Protection: Segmentation Routers

Segment traffic into different networks, frequently referred to as subnets
Connect different network addresses
Isolate broadcast traffic (not natively done on a switch)

Network Protection: Segmentation Trust Domains

Segmentation by trust domain limits the potential consequences of a successful compromise by constraining the scope of impact.

Network Inspection and Detection

Sniffers
IDS/IPS
Honeypots/Honeynets
-- Decoy files, often referred to as honeypots, are the best choice for diverting a hacker away from critical files and alerting security of the hacker's presence.
Log reviews
Internal audit
External audit

SQL Injection

Structured query language (SQL) injection involves the typing of programming command statements within a data entry field on a web page, usually with the intent of fooling the application into thinking that a valid password has been entered in the password entry field. The best defense against such an attack is to have strict edits on what can be typed into a data input field so that programming commands will be rejected. Code reviews should also be conducted to ensure that such edits are in place and that there are no inherent weaknesses in the way the code is written; software is available to test for such weaknesses.

Virus

The effectiveness of virus detection software depends on frequent updates to its virus signatures, which are stored on antivirus signature files so updates may be carried out several times during the day. At a minimum, daily updating should occur.

Traditional Evaluation Criteria

Trusted Computer System Evaluation Criteria (TCSEC)
-- Evaluates Confidentiality
Information Technology Security Evaluation Criteria (ITSEC)
-- Evaluates Confidentiality, Integrity, and Availability
Common Criteria (CC)
-- Provides a common structure and language
-- It is an international standard (ISO 15408)

Service Level Agreements (SLAs)

Usually a legally binding contract that offers guarantees, usually centering on performance and reliability of procured systems, as well as response times from the vendor.
Could also be used internally from department to department
A form of risk transference
Metrics should be clearly defined in the SLA
Usually offer some sort of financial compensation if the metrics are not met
The access control matrix is the best indicator of the level of compliance with the service level agreement (SLA) data confidentiality clauses.
It is essential to have defined responsibilities in SLAs for when issues arise
SLAs will contain a right-to-terminate clause, limitations of liability, and a financial penalties clause
An indemnity clause is a compensating control that serves to reduce impact if the provider causes financial loss.

Endpoint Protection - VDI

VDI relies on highly controlled servers running the apps users work with. Client systems work as terminals or thin clients. The major benefit of introducing a virtual desktop infrastructure (VDI) is to establish remote desktop hosting while keeping personal areas in a client personal computer (PC) separate.

Network Access Control (NAC)

Verifies health of system
Relies on client-side and server-side software
Uses a System Health Validator (SHV) on the server
Client presents certificate of health
Can provide denial of access, quarantine or redirection to a remediation network

Vulnerability Management

Vulnerability management is the practice of periodically examining information systems for the purpose of discovering exploitable vulnerabilities, performing related analysis, and making decisions about remediation. Organizations employ vulnerability management as a primary activity to reduce the likelihood of successful attacks on their IT environment.

Wireless Security - Encryption

WEP: Poor choice. Weak keys, weak algorithm, weak implementation
WPA: Also deprecated
WPA II: Best choice. Strong keys, strong algorithm, good implementation

Network Protection: Segmentation DMZ

A web server should normally be placed within a DMZ to shield the internal network. Screened subnets are demilitarized zones and are oriented toward preventing attacks on an internal network by external users. An extranet server should be placed on a screened subnet, which is a demilitarized zone.

Core Elements of an Information Security Program

An IS program allows the execution of a well-planned IS strategy, which is closely aligned with business goals
Management and key stakeholders must be directly involved in its development
Effective metrics must be established to determine the efficacy of the program and implemented controls
An information security program is established to close the gap between the existing state of controls (as identified by a risk assessment) and the state desired on the basis of business requirements, which will be obtained through the meeting of control objectives.

PKI - Registration Authority (RA)

Authenticates the certificate holder prior to certificate issuance
If the RA's private key is compromised, it can be used to register anyone for a certificate using any identity, compromising the entire public key infrastructure for that certificate authority (CA).

Auditing

Ensures security controls are in place and are performing as expected

Asymmetric Encryption

Every user has a key pair.
-- Public key is made available to anyone who requests it
-- Private key is only available to that user and must not be disclosed or shared
The keys are mathematically related so that anything encrypted with one key can only be decrypted by the other.

Security Awareness Training

General security training and awareness is the responsibility of HR and is often associated with employee orientation and initial new-hire training.

IP Security (IPsec)

IP Security (IPSec) is a standardized framework for securing Internet Protocol (IP) communications by encrypting and/or authenticating each IP packet in a data stream. There are two modes of IPSec operation: transport mode and tunnel mode.

Network Protection: Segmentation Firewalls

If there are many firewall rules, there is a chance that a particular rule may allow an external connection although other associated rules are overridden. Due to the increasing number of rules, it becomes complex to test them and, over time, a loophole may occur.
Types:
-- Packet Filter
-- Stateful
-- Application

Vicarious Liability

Imposes legal responsibility on an entity when the entity had nothing to do with actually causing the injury.

Cryptography Concepts

Initialization Vector (IV): adds randomness to the beginning of the process
Algorithm: a collection of math functions that can be performed
Key: instruction set on how to use the algorithm
Key management is the weakest link in encryption. If keys are in the wrong hands, documents will be able to be read regardless of where they are on the network.

PKI - Certificate Authority (CA)

Issues and revokes certificates
The CA is a trusted third party that attests to the authenticity of a user's public key by digitally signing it with the CA's private key.
To establish the contractual relationship between entities using public key infrastructure, the certificate authority provides a certification practice statement. The certification practice statement provides the contractual requirements between the relying parties and the certificate authority.
The role of the CA is not needed in implementations such as Pretty Good Privacy, where the authenticity of the users' public keys is attested to by others in a "circle of trust."

Policy vs. Policy Control vs. Standard vs. Procedure

Policy Objective: describes 'what' needs to be accomplished
Policy Control: technique to meet objectives
Procedure: outlines 'how' the policy will be accomplished
Standard: specific rule, metric or boundary that implements policy

Third Party Accountability

Often applied through "Respondeat Superior" when a superior is liable for the actions of his or her employees

Hashing

One-way algorithm
Collision: when two different sets of data produce the same hash
Birthday Attack: an attempt to cause collisions. It's easier to find two hashes that match than to produce a specific hash

DDoS

Packet filtering techniques are the only ones which reduce network congestion caused by a network denial-of-service (DoS) attack.

Security Awareness

Part of due care
Reported incidents should increase as a result of effective training
Training is best when customized to job roles
Role-based training that includes simulation of actual information security incidents is the most effective method to teach employees how their specific function can impact information security.
To truly judge the effectiveness of security awareness training, some means of measurable testing (e.g., quantitative evaluation) is necessary to confirm user comprehension.
People tend to think that security awareness training can be completed once and it is good forever. It is important for everyone, including management and the general workforce, to understand that threats and vulnerabilities change constantly, and that regular refresher training is an important part of security awareness.
A diverse culture and differences in the levels of IT knowledge and IT exposure pose the most difficulties when developing a standard training program because the learning needs of employees vary.

Endpoint Protection - Patching

Patches should be applied whenever important security updates are released after being tested to ensure compatibility. Having the patch tested prior to implementation on critical systems is an absolute prerequisite where availability is a primary concern because deploying patches that could cause a system to fail could be worse than the vulnerability corrected by the patch.

Procedures

Procedures at the operational level must be developed by or with the involvement of operational units that will use them. This will ensure that they are functional and accurate.

Common Criteria Protection Profile

Protection profile: a set of security requirements and objectives for the system
A Protection Profile consists of:
-- Descriptive elements: contains the name of the profile and the description of the security problem to be solved.
-- Rationale: justifies the profile and provides a detailed description of the real-world problems that need to be solved.
-- Functional requirements: establishes a protection boundary that the product must provide.
-- Development assurance requirements: identify the requirements for the various development phases of the product.
-- Evaluation assurance requirements: establish the type and intensity of the evaluation

An Information Security Program Should...

Provide strategic alignment with business objectives
Use risk management as the foundation for security-related decisions
Deliver value to stakeholders
Manage resources efficiently and effectively
Provide integration with other assurance functions (operational security, physical security, facility security, etc.)
Use performance measurements to provide a means of measuring progress and monitoring activities

Common Criteria (CC)

Provides a structured methodology for documenting security requirements, documenting and validating security capabilities, and promoting international cooperation in the area of IT security.

Digital signatures

Provides integrity and non-repudiation
Message is hashed; the hash is encrypted using the sender's private key
SHA-1 is typically used
RSA is the asymmetric encryption algorithm that encrypts the hash with the sender's private key

Symmetric vs. Asymmetric

Symmetric
-- Fast
-- Out-of-band key exchange
-- Does NOT provide authenticity, integrity, or non-repudiation
-- Not scalable
Asymmetric
-- Slow
-- Scalable
-- Provides non-repudiation
-- Key exchange does not require exchange of secret information

Discretionary Access Control

Systems allow the owners of objects to modify the permissions that other users have on those objects (i.e. delegation)

Mandatory Access Control

Systems enforce predefined policies that users may not modify.
Mandatory access controls require users to have a clearance at or above the level of asset classification
-- Mandatory access controls restrict access to files based on the security classification of the file. This prevents users from sharing files with unauthorized users.

Information Security Program Elements

Technology
-- Pen testing, IPS, biometric access, firewalls, etc.
People
-- Training, awareness, policies, etc.
Process
-- Risk management, access management, incident response, etc.

Symmetric Encryption

The same key is used to encrypt and decrypt the data
Also called "Private Key", "Secret Key", or "Shared Key"
Requires out-of-band key exchange
Does NOT provide authenticity, integrity, or non-repudiation

PKI - Certificates

X.509 v4
Provides authenticity of a server's public key
Needed to avoid MITM attacks
Digitally signed by a Certificate Authority
The certificate authority's (CA) private key is the single point of failure for the entire public key infrastructure (PKI) because it is unpublished and the system cannot function if the key is destroyed, lost or compromised.
