ISMN 5730 exam 2 - Cegielski
stages of BCM
(never-ending cycle)
1. understanding your business
2. BC strategies
3. develop and implement BC response
4. build a continuity culture
5. maintenance and audit
IP
- Composed of 32-bit addresses that are often displayed in the form of 4 groups of decimal digits separated by a period/dot
- IP fragmentation attacks
  - Tiny fragment attack
  - Overlapping fragment attack
  - Teardrop denial of service attack
- IP address spoofing
- Source routing
- Smurf and fraggle
- IP tunneling over other protocols
threats and attacks
- DOS
- DDOS
- Mobile code
- Malicious code
- Wireless LAN vulnerabilities
- Spoofing
- Sniffing
- Eavesdropping
- Masquerading
- Instant messaging vulnerabilities
wireless LAN vulnerabilities
- Detection
  1. WLAN generates and broadcasts detectable radio waves for a great distance
- Eavesdropping
  1. WLAN signals extend beyond physical security boundaries
  2. Standard Wired Equivalent Privacy (WEP) encryption often not used
  3. WEP is flawed and vulnerable due to no user authentication
- Modification
- Injection
- Hijacking
- WLAN architecture
- Radio frequency management
DNS
- Distributed internet directory service
- Global network of name servers that translate host names to numerical IP addresses
- Internet services rely on DNS to work
  - if DNS fails, website cannot be located and email delivery stalls
- Tree structured
- 2 elements
  - name server (responds to client requests by supplying name to address conversions)
  - resolver (when it doesn't know the answer, the resolver element will ask another name server for the info)
backdoor/trapdoor
- Implanted intentionally in development, or by error, usually by an insider
- Maintenance hook (may have been deliberate and useful)
- Also bug/loophole/wormhole
Intrusion Prevention and Detection
Intrusion Prevention Systems (IPS)
- Intrusions are prevented
- Block attacks in real time
- Intercept and forward packets
- Considered access control and policy enforcement
Intrusion Detection Systems (IDS)
- Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected
- Auditing for intrusion attempts on a timely basis
- Considered network monitoring and audit
components of a data network
- Mainframe/server hosts
- File servers
- Workstations
- Software: network operating system and applications
- Network adaptor/network interface card
- Hub/concentrator/repeater
- Bridges
- Switches
- Router
- Gateways
IM security issues
- Most lack encryption capabilities
- Most have features to bypass traditional corporate firewalls
- Insecure password management
- Increased exposure to account hijacking and spoofing
remote access threat
- Often provides undetected access to unprotected back doors
- Brute force attack on location's prefix using "war dialer" is an example
- Targets of opportunity include
  1. Insecure internet connections
  2. Unsecured modem access
  3. Diagnostic ports on various network devices
  4. Admin ports on voicemail system
  5. Unauthenticated sessions
system life cycle
- Project management-based method used to plan, execute, and control software development and maintenance
- Framework for phases of software development projects and includes disposal stage
- Involves teams of developers, analysts, owners, users, technical experts, and security experts
open system interconnection model OSI
- Seven layers
- Data transfer occurs with a layer interacting with another layer above or below through the use of interface control information
network protocols
- Standard set of rules that govern the exchange of data between hardware and/or software components in a communications network
- Describes the format of a message and how it is exchanged
  - When computers communicate with one another, they exchange a series of messages
  - To understand and act, computers must agree on what a message means
system life cycle stages
- Start up
- Acquisition and development
- Implementation
- Operations and maintenance
- Decommissioning
TCP (Transmission Control Protocol)
- The protocols in the TCP/IP suite work together to
  - Break the data into smaller pieces that can be handled by the network
  - Communicate the destination of the data to the network
  - Verify the receipt of the data on the other end of the transmission
  - Reconstruct the data in its original form
- Transmission control protocol
- Provides reliable data transmission
- Retransmits lost/damaged data segments
- Sequences incoming segments to match original order
- Marks every TCP packet with a source host and port number, as well as a destination host and port number
Data Encapsulation
- To transmit data across a layered network, the data passes through each layer of the protocol stack
- It begins at the application layer with the application software passing the data to the next lower protocol in the stack
- At each layer, the data is encapsulated (the protocol processes the data in the format that the next protocol layer requires)
VPN
- dynamically established secure network link between 2 specific network nodes or subnets using a secure encapsulation method
- uses tunneling AND encryption to protect private traffic over an untrusted network
tunneling
- packaging one network packet (the tunneled packet) inside another (the transport packet)
- the tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network
- tunnels should be encrypted
how to stay safe when granting remote access safeguards
- publish a clear/definitive remote access policy and enforce it through audit
- justify all remote users and review regularly, such as yearly
- identify and periodically audit all remote access facilities, lines, and connections
- consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ
- use phone lines restricted to outbound access for dial-out services
- set modems to answer after a predetermined number of rings
  1. counters "war dialers"
- use secure modems for SINGLE PORT diagnostic and admin access and unplug when not in use
- 2 factor user authentication and network access restrictions
- use VPN when using public networks
- use personal firewalls and anti-virus tools on remote computers
remote access services
- typically conducted over an untrusted network
- increased risk to disclosure, modification, and denial of service
- remote access security minimums
  - strong identification and authentication services
- rapid growth of remote access via the internet
  - wide availability
  - economical
Address resolution protocol
- used when a node knows the network layer address but needs the data link layer address to forward the encapsulating frame
- the software maintains a table of translation between IP addresses and data link addresses
attack methodology
1. Identify target and collect info
  - Map the target's network (traceroute, FIN scanning, port scanning, TCP half scanning, OS fingerprinting)
  - Trying to find: domain names, network numbers, IP addresses, names/phone numbers of personnel, network map, including services available or running, operating system type and version
2. Analyze the target to identify a vulnerability
  - Query to gather detailed info like operating system and services running; many systems will freely volunteer the product name and version number; list of user ids, shared file systems, system info; probe telephone lines for modems that answer
3. Gain access to the target
  - Make connection attempts using direct login attempts to reach hosts; modems to attack remote access servers and modems attached to individual computers
  - Try to guess passwords
  - Exploit known security vulnerabilities; perform piggybacking, hijacking, spoofing
  - Use social engineering
  - Perform denial of service attack
4. Escalate privileges
  - Try to gain admin or operator privileges
  - Try to utilize the compromised system to gain access to more valuable systems
  - Techniques: buffer overflows, Trojan horses, password guessing, or installing a password sniffing, gathering, or cracking tool
  - Exploit trust relationships
5. Complete the attack
  - Install a backdoor mechanism that allows the attacker to bypass access control and avoid detection, such as a rootkit
  - Create rogue user account
  - Close the original vulnerability so no one else can compromise the system
  - Modify audit logs if they are stored locally to prevent discovery of the attack
categories of recovery strategies
1. business recovery
2. facility and supply
3. user
4. operational
5. data
5 types of BCP testing strategies
1. checklist
2. structured walk through
3. simulation
4. parallel
5. full interruption
phases of BCP
1. project management and initiation
  - establish need for BCP
  - get support from management
  - establish project management work plan
  - get members of the BCP team
2. business impact analysis
3. recovery strategy
4. plan design and development
5. testing, maintenance, awareness, and training
8 steps of the BIA
1. select interviewees
2. determine info gathering techniques
3. customize questionnaire to gather economic and operational impact information
4. analyze information
5. determine time-critical business systems
6. determine maximum tolerable downtimes
7. prioritize critical business systems based on maximum tolerable downtime
8. document findings and report recommendations
ACID test
Atomicity - either all changes take effect or none
Consistency - a transaction is allowed only if it meets owner/system defined integrity constraints
Isolation - the results of the transaction are not visible until the transaction is complete
Durability - a completed transaction is permanent
challenges to ESA
GLOBAL ACCESS - greater number of user access points
END TO END SECURITY - different business models, mergers, changing technologies, interfaces with legacy systems
LEGAL AND REGULATORY - fiduciary responsibilities, data confidentiality, upstream and downstream liability
business impact analysis
Identifies all critical business functions and the effect that a specific disaster may have upon them
threat: malformed input attacks
SQL injection: inserting a series of SQL statements into a query by manipulating data input into an application
secure shell
SSH, SSH2
- powerful method of performing client authentication
- safeguards multiple service sessions between 2 systems
- support for
  1. host and user authentication
  2. data compression
  3. data confidentiality and integrity
- credentials are validated by digital certificate exchange using RSA
system architecture
a high-level design used to satisfy a system's security requirements as defined in an organization's security policy
business continuity planning
addresses the preservation and recovery of the business in the event of outages to normal business operations
approved set of advanced arrangements and procedures that enable an organization to
- ensure the safety of the people
- minimize the amount of loss
- facilitate the recovery of business operations to reduce the impact of an event while resuming critical functions within a predetermined period of time
- repair or replace the damaged facilities ASAP
business impact analysis measures impact by
- allowable business interruption
- maximum tolerable downtime
- financial and operational considerations
- regulatory requirements
- organization reputation
Remote access technologies
allows users to access network info through a dial-in wireless connection
internet access
allows users to access network info through an ISP (internet service provider) connection
a complete conceptual model of systems including software, hardware, and users is known as
architecture diagram
disaster activity
- assemble emergency operations team
- contact recovery team members to start damage assessment
- determine extent of damage
- calculate time required to resume operations
- notify management
- declare disaster and begin continuity/recovery plans
- maintain log of all steps taken
- move backup resources to the recovery site
virus
- central characteristic is reproduction
- generally requires some action by the user
- may or may not carry payloads
- payloads may or may not be damaging
- types: file infector, boot sector infector, system infector, email virus, multipartite, macro virus, script virus, hoax
threat: executable content/mobile code
- code is downloaded to the user's machine and executed
- running programs on a computer may give the program unexpected access to resources on the machine
- ex: web applets: mini programs written in Java that are automatically loaded and run; a video streaming applet written in Java and downloaded to clients from a server
- ex: dynamic email: active scripts/messages are included in email messages
restoration
- complete assessment of all damages
- initiate cleanup of the primary site
- implement necessary replacement procedures
applications software
- comprised of programs, processes, utilities, and drivers to provide user functionality and support business activities
- allows users to execute and perform computerized tasks
enterprise security architecture
defines the information security strategy that consists of layers of policy, standards, and procedures and the way they are linked across an enterprise
- Longer life than a blueprint, design specification, topology, or configuration
- Constrained by current or changing circumstances if too specific
- Cannot provide good guidance if too general
- Support long term view of technical direction, not short term technical constraints
- Not invalidated by changes in technical direction
COMPONENTS
- Strategic alignment
- Process enhancement
- Business enablement
- Security foundation
- Aligned with best practices
database
- developed to manage information from many sources in one location
- eliminates need for duplication of information in the system
- preserves storage space
- prevents unnecessary inconsistency in data by making changes in one central location
DDOS zombie
- expands effect of denial of service
- middle of master/attackers - agent - target structure
- hides attacker and multiplies attack
business continuity management
framework to review the way an organization provides its products and services while increasing its resilience to disruption
logic bomb
- generally implanted by an insider
- waits for condition or time
- triggers negative payload
database security issues
- inference
- aggregation
- unauthorized access
- improper modifications of data
- access availability
- database views
- query attacks
- bypass attacks
- interception of data
- web security
- data contamination
RAT
installed, usually remotely, after system is installed and working
spyware and adware
- intended as marketing, not malice
- installed with other software as a separate function or program
- generates unwanted or irrelevant advertising
- reports on user activities
disaster
- interrupts normal business processes
- sudden, unplanned, calamitous event that brings about great damage or loss
- event that creates an inability on an organization's part to support critical business functions for some predetermined period of time
if the time estimated to resume operations exceeds the MTD for critical business functions...
management should consider declaring a disaster and implementing the BCP
actions
- move unused backup materials from alternate site to primary site
- do least critical work first
- perform installations and updates of the programs and data
- certify and accredit the system at the primary site
- initiate normal processing
enterprise
multiple internal networks, internal areas or domains, and various internal devices and systems, applications, and a diverse user presence as a single collective unit
types of disasters
- natural
- system/technical
- supply systems (electrical power problem)
- human-made/political
botnets
networks of infected machines
classes of maximum tolerable downtime
- non essential
- normal
- important
- urgent
- critical/essential
O/S
operating system
- first layer of software
- objective is to control the use of system resources
- provide a convenient, easy to understand view of the computer to users
data diddler
payload in a trojan horse or virus that deliberately corrupts data, generally by small increments over time
Zachman Framework
- popular choice to define an enterprise architecture
- provides a two dimensional classification scheme for descriptive representations of an enterprise
- ROWS represent 6 levels of architectures with increasing levels of detail
- COLUMNS represent different areas of interest for each view
threat: buffer overflow
process of exploiting a program weakness by sending long strips of input data into a system that is not prepared to truncate it through proper bounds checking
ex: typing your name into a box and holding down the y key for a long time
trojan horse
- purported to be a positive utility
- hides a negative payload
- social engineering
wireless
radio frequency, infrared, optical, satellite
online transaction processing OLTP
recording transactions in real time
security controls:
- concurrency (ensure two users cannot simultaneously change the same data)
- atomicity (if one step fails, then all steps should not complete)
worm
- reproduces
- generally uses loopholes in systems
- doesn't use user
- often attacks server software
BCP requirements
- response to emergencies
- ensure survivability of the business
- provide procedures and resources to assist in recovery
- identify vendors that may be needed
threat: denial of service
- result of another person or process consuming the resources on the system and thus denying the resources for the use of others
- when testing programs, test for how the application would respond to a DoS attack
view based access controls
- security achieved through the appropriate use of "views"
- allows the database to be logically divided into pieces so sensitive data is hidden from unauthorized users
- controls are located in the front end application that the user interfaces with and not the back end query engine
malicious software
- software or programs intentionally designed to include functions for penetrating a system, breaking security policies, or to carry malicious or damaging payloads
- programming bugs or errors are not generally included in malware
- ex: backdoors, data diddlers, DDOS zombies, hoax warnings, logic bombs, pranks, RATs, trojans, viruses, worms, zombies, spyware/adware, botnets
recovery site
- space needs
- security needs
- fire protection
- infrastructure requirements
- resume critical business functions at recovery site
infrastructure
supporting elements needed for functionality; includes items such as hardware, software, operating system, applications, utilities, network environment
architecture
the highest level concept of a system in its environment
cohesive design of the elements; includes items such as principles, concepts, methods, practices, standards
- Are fundamental statements of value, operation, or belief that define the overall approach to IT security
- Define the philosophy of the organization that directs security policies
- Require formal commitment from the executives to be relied upon for guidance
- Often hard to define
- May require assistance with scope definition and management, issue validation, and the definition of the resulting security principles
database management system provides
- transaction persistence
- fault tolerance and recovery
- sharing by multiple users
- security controls
physical cabling
twisted pair, coaxial cable, fiber optics
lock controls
- used to control read and write access to specific rows of data in a relational system or objects in object-oriented systems
- ensure only one user at a time can alter data
- better programming logic and testing reduce deadlocking problems
hoax
- uses users rather than programming
- meme or mind virus
- social engineering
- usually warns of a "new virus"
- can be a bigger problem than the viruses themselves
threat: time of check/time of use
when control info is changed between the time the system security functions check the contents of the variables and when the variables are actually used