SANS SEC 301

Users must know what policies and procedures say to follow them.

Training

This is far better than DES; it uses three applications of the DES cipher in EDE (Encipher-Decipher-Encipher) mode with totally independent keys. Outer-CBC is used. This algorithm is thought to be very secure (major banks use it to protect valuable transactions), but it is also very, very slow.

3DES

An IEEE standard security protocol for 802.11 wireless networks that was developed to replace the original WEP protocol. Also known as "Robust Security Network" (RSN), 802.11i provides sophisticated authentication using a variety of protocols (802.1X, EAP and RADIUS) and strong security with the AES-CCMP encryption protocol. However, in order to allow in-place upgrading of older WEP hardware, 802.11i also supports the TKIP protocol, which is less robust than AES-CCMP, but far superior to WEP (see WPA for more details). Wi-Fi Certification The Wi-Fi Alliance provides certification for 802.11i-compliant products with its Wi-Fi Protected Alliance (WPA) logo program. The WPA and WPA2 logos certify compliance with a subset of 802.11i or the full 802.11i protocol. See WPA.

802.11i

SLE * ARO - SLE annualized

Annual Loss Expectancy (ALE)

Based on research - How often will a threat occur on an annual basis - ARO examples: 0.0 (never), 0.04 (every 25 years), 0.5 (every other year), 1.0 (one a year) to 2.0 (twice a year), etc

Annual Rate of Occurrence (ARO)

Data Encryption Standard was designed in the early 1970s by IBM with input from NSA. It is OK, but a single key can be broken in three days by the Electronic Frontier Foundation, a poorly funded organization. This algorithm was provided for completeness.

DES

Financials maintained in part by confidentiality

Integrity

The BlueSecure RF sensor was designed to detect rogue access points and peer-to-peer (ad hoc) clients as soon as they appear on the network. Used with BlueSecure software, the system scans for a variety of suspicious activities such as war driving attacks. (Image courtesy of Bluesocket Inc., www.bluesocket.com)

Wireless Intrusion Detection

The management of admission to system and network resources. It grants authenticated users access to specific resources based on company policies and the permission level assigned to the user or user group. Access control often includes authentication, which proves the identity of the user or client machine attempting to log in. See network access control, authentication, access control list and information security.

access control

The protection of data, networks and computing power. The protection of data (information security) is the most important. The protection of networks is important to prevent loss of server resources as well as to protect the network from being used for illegal purposes. The protection of computing power is relevant only to expensive machines such as large supercomputers.

computer security

anything to lessen or mititgate a vulnerability

countermeasure/safeguard

The conversion of data into a secret code for transmission over a public network. Today, most cryptography is digital, and the original text ("plaintext") is turned into a coded equivalent called "ciphertext" via an encryption algorithm. The ciphertext is decrypted at the receiving end and turned back into plaintext. Keys Are the Key The encryption algorithm uses a "key," which is a binary number that is typically from 40 to 256 bits in length. The greater the number of bits in the key (cipher strength), the more possible key combinations and the longer it would take to break the code. The data are encrypted, or "locked," by combining the bits in the key mathematically with the data bits. At the receiving end, the key is used to "unlock" the code and restore the original data. Secret Vs. Public Key Secret key cryptography and public key cryptography are the two major cryptographic architectures. Secret Keys - Symmetric System The first method uses a secret key, such as the DES and AES algorithms. Both sender and receiver use the same key to encrypt and decrypt. This is the fastest computation method, but getting the secret key to the recipient in the first place is a problem that is often handled by the second method. Public Keys - Asymmetric System The second method uses a two-part key, such as RSA and El Gamal. Each recipient has a private key that is kept secret and a public key that is published for everyone. The sender looks up or is sent the recipient's public key and uses it to encrypt the message. The recipient uses the private key to decrypt the message and never publishes or transmits the private key to anyone. Thus, the private key is never in transit and remains invulnerable. Both Are Used Together Secret key and public key systems are often used together, such as the AES secret key and the RSA public key. The secret key method provides the fastest decryption, and the public key method provides a convenient way to transmit the secret key. This is called a "digital envelope." For example, the PGP e-mail encryption program uses one of several public key methods to send the secret key along with the message that has been encrypted with that secret key (see PGP). Get Faster - Get Stronger It has been said that any encryption code can be broken given enough time to compute all permutations. However, if it takes months to break a code, the war could already be lost, or the thief could have long absconded with the money from the forged financial transaction. As computers get faster, to stay ahead of the game, encryption algorithms have to become stronger by using longer keys and more clever techniques. See XOR, AES, DES, RSA, plaintext, digital signature, digital certificate, quantum cryptography, steganography and chaff and winnow. Secret Key Vs. Public Key The secret method uses the same key to encrypt and decrypt. The problem is transmitting the key to the recipient in order to use it. The public key method uses two keys: one kept private and never transmitted, while the other is made public. Very often, the public key method is used to safely send the secret key to the recipient so that the message can be encrypted using the faster secret key algorithm. Some Public History About Secret Methods The following is reprinted with permission from RSA Security, Inc. In 1518, a Benedictine monk named Johannes Trithemius wrote "Polygraphiae," the first published treatise on cryptography. Later, his text "Steganographia" described a cipher in which each letter is represented by words in successive columns of text, designed to hide inconspicuously inside a seemingly pious book of prayer. Polygraphiae and Steganographia attracted a considerable amount of attention not only for their meticulous analysis of ciphers but more notable for the unexpected thesis of Steganographia's third and final section, which claimed that messages communicated secretly were aided in their transmission by a host of summoned spirits. As might be expected, Trithemius' works were widely renounced as having magical content - by no means an unfamiliar theme in cryptographic history - and a century later fell victim to the zealous flames of the Inquisition during which they were banned as heretical sorcery.

cryptography

A type of brute force method for uncovering passwords and decryption keys. It sorts common words by frequency of use and starts with the most likely possibilities; for example, names of people, sports teams, pets and cars. For greater security, users should not use passwords that could be found in an ordinary dictionary. While a dictionary attack can be done manually by an individual, it is easily done via software and a database with millions of words.

dictionary attack

(Number ONCE) An arbitrary number that is generated to provide a unique identification or for security purposes such as when logging in to a network (see initialization vector). The nonce is used only once and not repeated. Although random and pseudo-random numbers theoretically produce unique numbers, there is the possibility that the same number can be generated more than once. However, if a very large, true random number is used, the chances are extremely small. A perfect nonce is the time of day; for example, 12.53 seconds past 5:13pm on 1/18/2012 can only occur once. Pronounced like the "nons" in "nonsense," nonce is actually an English word that means "for the present occasion or time."

nonce

here is our risk; here are our countermeasures. What is the gap between? and how can we close the gap?

gap analysis

The use of secret passwords or encryption keys that are entered into both sides of the message exchange ahead of time. Preshared keys (PSK) are typed into the clients and servers (authentication servers, access points, etc.) or entered via floppy, CD-ROM or smart card. Contrast with "server-based keys," in which one side generates a key and sends it to the other side during the authentication session.

preshared keys

An alternative to the alphanumeric password for security. When prompted, users select a sequence of images from a page full of images; for example, a tree, glass of milk and red fire truck. The image sequence is easier to remember than a meaningful alphanumeric password, which should really be a mix of digits and letters and not obvious such as name or date of birth. What keeps intruders from guessing the correct image sequence is the large number of possible image permutations. Delays are also added after a wrong sequence is chosen.

graphical user authentication

The protection of data against unauthorized access. Programs and data can be secured by issuing passwords and digital certificates to authorized users. However, passwords only validate that a correct number has been entered, not that it is the actual person. Digital certificates and biometric techniques (fingerprints, eyes, voice, etc.) provide a more secure method (see authentication). After a user has been authenticated, sensitive data can be encrypted to prevent eavesdropping (see cryptography). Authorized Users Can Be the Most Dangerous Although precautions can be taken to authenticate users, it is much more difficult to determine if an authorized employee is doing something malicious. Someone may have valid access to an account for updating, but determining whether phony numbers are being entered requires a great deal more processing. The bottom line is that effective security measures are always a balance between technology and personnel management.

information security

A continuously changing number used in combination with a secret key to encrypt data. Initialization vectors (IVs) are used to prevent a sequence of text that is identical to a previous sequence from producing the same exact ciphertext when encrypted. For example, packets have address fields that are generally fixed in location within the header of the packet. If attackers view the same encrypted data over and over, it provides them with clues to interpret their original values. See nonce.

initialization vector

(Completely Automated Public Turing test to tell Computers and Humans Apart) A category of technologies used to ensure that a human is making an online transaction rather than a computer. Developed at Carnegie Mellon University, random words or letters are displayed in a camouflaged and distorted fashion so that they can be deciphered by people, but not by software. Users are asked to type in the text they see to verify they are human. CAPTCHAs were created in response to bots (software agents) that automatically fill in Web forms as if they were individual users. Bots are used to overload opinion polls, steal passwords (see dictionary attack) and, most popular, to register thousands of free e-mail accounts to be used for sending spam. CAPTCHAs were designed to circumvent non-humans from performing such transactions. The Battle of the Bots and CAPTCHAs After CAPTCHAs were deployed in 2001, the felonious bots were updated to analyze the distorted text, enter the correct text and thereby render many CAPTCHA styles ineffective. In an ongoing battle between the bots and the CAPTCHAs, the CAPTCHA text is increasingly more distorted and camouflaged, often making it difficult for humans to decode. Other approaches have been incorporated to validate humanness; for example, displaying several images and asking what object is common among them, such as a tree or dog. Or, a phrase might be displayed and the user is asked to re-type a word; for example, "Enter the second word in the phrase." See reCAPTCHA, dictionary attack and Turing test.

CAPTCHA

The cornerstone of all security: Everyting done in security addresses one or more of these three things Confidentiality, Integrity, availability Confidentiality - Only those who need to access something can; ties into principle of least privilege Integrity - data is edited correctly and by the right people. Failure ex.: Delta $5 tickets round trip tickets to anywhere Delta flies/attach on pricing database Availability - If you cannot use it, why do you have it?

CIA Triad

(Intrusion Detection System) Software that detects an attack on a network or computer system. A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures of known cracker attempts to signal an alert. Others look for deviations of the normal routine as indications of an attack. Intrusion detection is very tricky. Too much analysis can add excessive overhead and also trigger false alarms. Insufficient analysis can overlook a valid attack. Catch It at the Source The opposite of intrusion detection is "extrusion detection." Such software examines the outgoing data in the computer to determine if malware is originating in this computer. See protocol anomaly, traffic anomaly, IPS and attack.

IDS

An access control system that was developed at MIT in the 1980s. Turned over to the IETF for standardization in 2003, it was designed to operate in both small companies and large enterprises with multiple domains and authentication servers. The Kerberos concept uses a "master ticket" obtained at logon, which is used to obtain additional "service tickets" when a particular resource is required. Kerberos Checks Passwords Once When users log in to a Kerberos system, their password is encrypted and sent to the authentication service in the Key Distribution Center (KDC). If successfully authenticated, the KDC creates a master ticket that is sent back to the user's machine. Each time the user wants access to a service, the master ticket is presented to the KDC in order to obtain a service ticket for that service. The master-service ticket method keeps the password more secure by sending it only once at logon. From then on, service tickets are used, which function like session keys. From the Greeks The name comes from Greek mythology in which a three-headed dog guards the gates to Hades (Hades is the home of the dead beneath the earth, otherwise known as hell). It's About Tickets After users are authenticated, they are granted a master ticket that is used to obtain service tickets. Service tickets act like session keys in other security systems.

Kerberos

In cryptography, it is the creation, distribution and maintenance of a secret key. It determines how secret keys are generated and made available to both parties; for example, public key systems are widely used for such an exchange. If session keys are used, key management is responsible for generating them and determining when they should be renewed. See QKD, elliptic curve cryptography, Diffie-Hellman, cryptography, session key and security protocol.

key management

how likely is it to happen and how bad will it be

likelihood and impact

A condensed text string that has been distilled from the contents of a text message. Its value is derived using a one-way hash function and is used to create a digital signature. See digital signature and MD5.

message digest

The validity of a transmitted message. It deals with methods that ensure that the contents of a message have not been tampered with and altered. The most common approach is to use a one-way hash function that combines all the bytes in the message with a secret key and produces a message digest that is impossible to reverse. Integrity checking is one component of an information security program. See one-way hash function, security protocol, Parkerian Hexad and data integrity.

message integrity

years ago: teenagers today: we face organized crime and nation states -well funded -highly motivated disgruntled insider: difficult to counter; tends to be subtle; often damaging or even devastating Accidental insider: common; also tend to be subtle; in aggregate - even ore damaging Outsider threat source - inside threat actor: a growing proble, the current most-common attack vector 2014 - 47% of U. S. adults had private data compromised in a breach (NBC News) FBI can prove it was North Korea that attacked Sony

Nature of the Threat

safety of people

Number 1 Goal of Security

An umbrella term for managing access to a network. Network access control (NAC) authenticates users logging into the network and determines what they can see and do. It also examines the health of the user's computer or mobile device (the endpoints). Network access control can be implemented with multiple software components or via an integrated package, the latter typically more specialized in one of the functions rather than all of them. See authentication, access control, endpoint security and network access server.

network access control

eCommerce Ex. Amazon make $133,000/per minute thus denial of service is critical business impact; power company need to keep lights on = availability issue

Availability

Control what they are allowed to do. Although we know Keith is Keith, what can Keith do?

Authorization

catastrophic mission failure/game over

CMF

Policy, Procedure and Training

PPT

- Identify and value all assets: Both tangible and intangible - Estimate potential loss per threat: Both physical and logical (loss of data) damage - Perform threat analysis: Attempt to determine the likelihood and impact of the threat - Derive annual loss potential: Using Qualitative Risk formulas - Reduce, transfer, avoid or accept risk: It the C-Suite business decision

- Qualititive Risk Assessment Steps

(1) The name given to various programming language interpreters. See Java Virtual Machine and Python. (2) One instance of an operating system along with one or more applications running in an isolated partition within the computer. It enables different operating systems to run in the same computer at the same time. Virtual machines (VMs) are also widely used to run multiple instances of the same operating system, each running the same set or a different set of applications. The separate VM instances prevent applications from interfering with each other. If one app crashes, it does not affect the programs in the other VMs. This approach differs from a dual-boot or multiboot environment, in which the user has to choose only one OS at startup (see dual-boot). All virtual machines in the same computer run simultaneously. VMs Are Like Machines Within the Machine Each virtual machine functions as if it owned the entire computer. The operating systems in each VM partition are called "guest operating systems," and they communicate with the hardware via the virtual machine monitor (VMM) control program. The VMM "virtualizes" the hardware for each VM (for details, see virtual machine monitor). Although a hot topic in the IT world, virtual machine technology dates back to the 1960s (see VM). The terms "virtual machine" and "virtualization" are used synonymously; however, virtualization also refers to other techniques (see virtualization). See virtualization, application virtualization and OS virtualization. Non-Virtual Versus Virtual This shows three applications running in a regular computer versus a virtualized computer. In the VM example, the guest operating systems may be the same or different. Paravirtualization and Hardware Guest operating systems can run in a virtual machine with or without modification. If changes are made to the OS to recognize the VMM, it is said to be "paravirtualized." For example, Linux and various Unix versions have been paravirtualized to run in the Xen VM environment. However, if the CPU hardware supports virtualization, Xen can run guest operating systems unmodified. In 2004 and 2006, Intel and AMD added virtualization to their CPUs, which traps the calls to the x86 hardware, making it easier to develop VMMs that run ordinary non-paravirtualized guest operating systems (see hardware virtualization). Advantages of Virtualization #1 - Consolidation Multiple operating systems can run in the same server, eliminating the need to dedicate a single machine to one application. Old and new applications can run simultaneously with their respective operating systems in multicore servers with many threads of execution, saving space and power consumption in the datacenter. New versions of an OS and new applications can be deployed without purchasing new hardware. #2 - Stability and Security Conflicts can arise between supposedly stable applications, and troubleshooting can be daunting. As a result, cautious system administrators often host each type of application in a separate server even if the server is grossly underutilized. Multiple virtual machines running bread and butter applications are kept safely separated from each other. In addition, since each VM is isolated from the rest, a security breach in one does not affect the others. The fault tolerance and security brought about by the isolation of each virtual machine is a major benefit of virtualization. #3 - Development Flexibility A virtualized computer can host numerous versions of an operating system, allowing developers to test their programs in different OS environments on the same machine. In addition, with each application running in its own virtual partition, crashing in one virtual machine will not bring down the system. #4 - Migration and Cloning Virtual machines, each with their own OS and applications, function like self-contained packages that are said to be "decoupled from the hardware." It is relatively easy to move a VM from one server to another to balance the workload, to migrate to faster hardware, as well as to recover from hardware failure. VMs can be quickly cloned and deployed. #5 - Desktop Virtualization An increasing trend is to store a user's desktop (OS and applications) in a separate virtual machine in the server and use the PC or a dedicated terminal as a "thin client" to the server. Each user is isolated from all other users due to the virtual machine technology, and the maintenance of the applications is shifted from each user's desktop to the datacenter (see thin client). See virtual machine monitor, virtualization, application virtualization and OS virtualization.

virtual machine

An IEEE standard for network access control. Used predominantly in Wi-Fi wireless networks, 802.1X keeps the network port disconnected until authentication is completed. Depending on the results, the port is either made available to the user, or the user is denied access to the network. Supplicant - Authenticator - Server The client desiring access to a network is called the "supplicant." The device that provides the network port to the client is the "authenticator." In a wireless network, the authenticator is in the access point (AP). In a dial-up network, the authenticator is in the network access server (NAS). The device that contains usernames and passwords and authorizes the user is the "authentication server." In small networks, the authentication server can be located in the same unit as the authenticator. EAP Over LAN (EAPOL) 802.1X uses the Extensible Authentication Protocol (EAP) for passing authentication messages. EAP comes from the dial-up environment, but "EAP Over LAN" (EAPOL) was created for packet networks such as Ethernet. 802.1X uses EAPOL to start and end the authentication session and pass EAP messages between the supplicant and authenticator and from the supplicant to the authentication server (via the authenticator). EAP messages from the authenticator to the authentication server typically use the RADIUS protocol. See EAP.

802.1X

Authentication, Authorization, Accountability

AAA

Monitor what has been done. Although we know Keith is Keith, what did Keith do?

Accountability

Risk score = liklihood + severity - use a least 5 SMEs

Assessment Scale/Risk Matrix

remember the intangible value

Asset Value (AV)

verify identity; is Keith really Keith? (1) Verifying the integrity of a transmitted message. See message integrity, e-mail authentication and MAC. (2) Verifying the identity of a user logging into a network. Passwords, digital certificates, smart cards and biometrics can be used to prove the identity of the client to the network. Passwords and digital certificates can also be used to identify the network to the client. The latter is important in wireless networks to ensure that the desired network is being accessed. See identity management, identity metasystem, OpenID, human authentication, challenge/response, two-factor authentication, password, digital signature, IP spoofing, biometrics and CAPTCHA. Four Levels of Proof There are four levels of proof that people are indeed who they say they are. None of them are entirely foolproof, but in order of least to most secure, they are: 1 - What You Know Passwords are widely used to identify a user, but only verify that somebody knows the password. 2 - What You Have Digital certificates in the user's computer add more security than a password, and smart cards verify that users have a physical token in their possession, but both laptops and smart cards can be stolen. 3 - What You Are Biometrics such as fingerprints and iris recognition are more difficult to forge, but you have seen such systems fooled in the movies all the time! 4 - What You Do Dynamic biometrics such as hand writing a signature and voice recognition are the most secure; however, replay attacks can fool the system.

Authentication

Blowfish is a high security encryption alogorithm designed by Bruce Schneier, the author of Applied Cryptography and owner of the company Counterpane. It is very fast, is considered secure and is resistant to linear and differential analysis. This is my personal cipher of choice.

Blowfish

Pharmaceuticals and government, research

Confidentiality

25% spend 10% of their time: - company has 1,000 employess - company has a $50 weighted rate 1,000 employees * 25% = 250 people 40 hr wk *10% = 4 hrs/per 4 hr * 250 people = 1,000 hours/ week SLE $50,000/week * 50 week work year = -$2,500,000

Cost Justification

(Extensible Authentication Protocol) A protocol that acts as a framework and transport for other authentication protocols. EAP uses its own start and end messages, but then carries any number of third-party messages between the client (supplicant) and access control node such as an access point in a wireless network. EAP and LANs EAP originated with the dial-up PPP protocol in order to support protocols beyond PAP and CHAP. For use on packet networks, EAP Over LAN (EAPOL) was created. EAPOL added new message types and allowed an Ethernet header to be prefixed onto EAP messages so they could be transmitted via Ethernet. Following are various EAP methods used mostly in wireless networks, but also in wired networks. See 802.1X, WPA and 802.11i. EAP-TLS (EAP-Transport Layer Security) Uses the handshake protocol in TLS, not its encryption method. Client and server authenticate each other using digital certificates. Client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. Both client and server use the pre-master to generate the same secret key. EAP-TTLS (EAP-Tunneled TLS) Like EAP-TLS above except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or legacy method such as PAP and CHAP. PEAP (Protected EAP) Similar to EAP-TTLS above except it does not support legacy methods. It only moves EAP frames. Windows XP natively supports PEAP. LEAP (Light EAP, Cisco LEAP) From Cisco, first implementation of EAP and 802.1X for wireless networks. Uses preshared keys and MS-CHAP protocol to authenticate client and server to each other. Server generates and sends session key to access point. Client computes session key independently based on data received in the CHAP challenge. EAP-FAST (EAP-Flexible Authentication via Secure Tunneling) Enhancement to LEAP from Cisco that provides an encrypted tunnel to distribute preshared keys known as "Protected Access Credential" (PAC) keys. PAC keys may be continuously refreshed to prevent dictionary attacks. EAP-FAST is defined in Cisco's Cisco Compatible Extensions (see CCX). EAP-SIM (GSM Cellphones) For GSM phones that switch between cellular and Wi-Fi networks, depending on which is in range. The Subscriber Identity Module (SIM) smart card in the GSM phone (see GSM) contains the secret key used for challenge/response authentication and deriving session keys for encryption.

EAP

0% to 100% loss to AV - Percentage of asset value loss if a risk is realized (a percentage)

Exposure Factor (EF)

Harden, patch & monitor

HPM

(Public Key Infrastructure) A framework for creating a secure method for exchanging information based on public key cryptography. The foundation of a PKI is the certificate authority (CA), which issues digital certificates that authenticate the identity of organizations and individuals over a public system such as the Internet. The certificates are also used to sign messages (see code signing), which ensures that messages have not been tampered with. For more on how certificates and public keys are used, see digital certificate. Inhouse PKIs A PKI can also be implemented by an enterprise for internal use to authenticate employees accessing the network. In this case, the enterprise is its own certificate authority (CA). For details on the public key system, see cryptography. Managing the Root Key The root key is the public/private key pair of the certificate authority. If the private part of that root key is ever discovered, all the certificates issued under that key pair are compromised. Creating and keeping the private key very private is critical. All Encompassing The PKI establishes the encryption algorithms, levels of security and distribution policy to users. The PKI embraces all the software (browsers, e-mail programs, etc.) used to support the process by examining and validating the certificates and signed messages. See digital certificate, digital signature, root key, web of trust and DST. Generating the Root Key SafeNet's Luna CA3 is a hardware security module (HSM) that is used to generate the root key in a PKI system and keep the private key secure. It uses a pin entry device (PED), EEPROM-based data keys and a PC Card reader that attaches to the server via an LVDS cable and PCI adapter. Containing a processor, firewall, flash memory and RAM, the PC Card is built with extra epoxy and secured with triple DES encryption. The card will destroy its contents if compromised. The PED combines and transfers information from the data keys to the PC Card. The blue key is inserted into the PED by the security officer who sets up administrative rights, configures the HSM and determines how many people must use green keys. All parties must insert their green keys to activate the system. The black keys are used by administrators to generate and delete key pairs, and the red keys are used for grouping HSMs in domains. (Image courtesy of SafeNet, Inc., www.safenet-inc.com)

PKI

Broad general statement of management's intent to protect information

Policy

Prevent /defense as much as you can; detect for everything else; or if the preventive measures fail, respond to what is detected -Prevention is ideal -detection is a must -detection without response is useless

Prevent/Detect/Respond (PRD)

Everyone can do everything they need to do and nothing more. Bradley Manning - WikiLeaks Target - HVAC hack

Principle of Least Privilege

Detailed steps to make policy happen

Procedure

Quantitative RA tries to assign hard costs to risk. Qualitative places risk into severity scales. - Utilizes a team of SMEs to evaluate each threat scenario, determine impact, likelihood using various methods: Delphi, brainstorming, storyboarding focus groups, surveys, questionnaires etc

Qualitative Risk Assessment (RA)

- Qualitative Risk Assessment = Quantity of $$$ (use AV, EF, SLE, ARO and ALE calculations) - Qualititive Risk Assessment = Quality of Risk Use qualitative to determine top threats, then quantitative to cost justify countermeasures

Quantitative vs Qualitative

(Remote Authentication Dial-In User Service) The de facto standard protocol for authentication servers (AAA servers). Developed by Livingston Enterprises (later acquired by Lucent), RADIUS uses a challenge/response method for authentication. See authentication server and challenge/response.

RADIUS

Fire in a building: - EF: fire est. to damage 25% of building (EF*25%) - SLE: Building is valued at $100,000 $100K * 25% EF = $25L SLE - ARO: Insurance data leads to an expectation of fire once every 10 yrs: One every 10 yrs give us an ARO of 0.1 - ALE: SLE of $25K * ARO of 0.1 = $2,500 ALE -justification to spend $2,500/yr on fire suppression Does not take into account loss of life, liability threat, lost production, etc.

Risk Formula Calculations

Only senior mgmt of an org can decide on the acceptable level of risk. CEO, Commander, Director, Secretary. The security manager (CISO) advises only.

Risk Mgmt Decision Maker

is an umbrella term that encompasses: - Asset identification/valuation -threat analysis - vulnerability analysis - likelihood and impact - gap analysis - safeguard/countermeasure identification and implementation Add all these factors together to determine the level of risk: - determine if level of risk is too high (will always be residual risk) - to make that determination: use the "standard of due care"

Risk mgmt

Prudent Man Rule: - Did the org act as a prudent man would act in protecting assets Due Dilligence: - The industry best practices followed in meeting due care - Whay you have to show in court to prove due care is met Due Care: - a legal standard - actions that a reasonalbe person would exercise to protect assets

Risk mgmt is performed in part due to the legal obligation of the company: and therefore the Senior Manager

(2) (Secure Sockets Layer) The leading security protocol on the Internet prior to TLS. Developed by Netscape, SSL has been widely used to validate the identity of a Web site, to create an encrypted connection for credit card and personal data and to ensure the transmission is without error. HTTPS and Port Number 443 An SSL session starts by sending a request to the Web server with an HTTPS prefix in the URL, which inserts SSL port number 443 into the packets. See well-known port. The Handshake After both sides acknowledge each other, the browser sends the server a list of supported algorithms, and the server responds with its choice and a signed digital certificate. From an internal list of certificate authorities (CAs), the browser uses the appropriate public key to validate the certificate. Both sides also send each other random numbers. See digital certificate. Data for Secret Keys Is Passed The browser extracts the public key of the Web site from the server's certificate and uses it to encrypt a pre-master key and send it to the server. At each end, the client and server independently use the pre-master key and random numbers passed earlier to generate the secret keys used to encrypt and decrypt the rest of the session. See TLS, server-gated cryptography, OpenSSL, security protocol and public key cryptography. SSL and TLS SSL was superseded by TLS (Transport Layer Security). TLS 1.0 came out in 1999 and is very similar to the last SSL version (SSL 3.0, 1996) but not identical. They are not interoperable; however, most Web sites and browsers support both, and the acronyms SSL/TLS and TLS/SSL are widely used. See TLS. The Lock Icon The lock icon on the browser indicates a secure SSL or TLS connection (see TLS). The SSL Handshake These steps take place to negotiate an SSL session before any user data are transmitted. Steps 5 and 6 verify the integrity of the handshake, ensuring that nobody tampered with any messages. These checksums are called "message authentication codes" (see MAC).

SSL

This is commonly used to speed up antivirus scanning, because computing and comparing an executable's checksum is considerably faster than analyzing the file each time it is loaded.

Scan and Create a Checksum (Hash)

ScramDisk encrypts data on the hard disk, and this dialog box allows for the selection of the encryption algorithm. "Mouse entropy" is the amount of randomness introduced into the creation of the key. The more the mouse is moved around in a random pattern, the more randomness.

ScramDisk Encryption

Senior Mgmt: -Has legal responsibility to protect the assets of the org: That give him the ultimate responsibility for security -Authority can be delegated - responsibility cannot be Data owner - person or office with primary responsibility for data; owners determine classification, protective measures and more Data custodian - the person/group that implement the controls; make the decisions of the owner happens Users - use data; are also automatically data custodians

Security Roles and Responsiblities

A security professional needs to be: 1/3 technologist 1/3 manager 1/3 lawyer -Tkhis is the perfect summation of the career field. -Technology supports security efforts -Management decisions (and budgets) drive security -Legal issues mandate security requirements

Security by Thirds

AV * EF% - What does it cost each time the threat materializes

Single Loss Expectancy (SLE)

(2) (Transport Layer Security) A security protocol from the IETF that is based on and supersedes Secure Sockets Layer 3.0 (SSL 3.0). Very similar to SSL, TLS uses digital certificates to authenticate the user as well as authenticate the network (in a wireless network, the user could be logging into a rogue access point). TLS adopted a more secure message authentication code (see HMAC) and added new alert messages. The TLS client uses the public key from the server to encrypt a random number and send it back to the server. The random number, combined with additional random numbers previously sent to each other, is used to generate a secret session key to encrypt the subsequent message exchange. For more details, see SSL. See EAP and TLS.

TLS

The "acid test" of true artificial intelligence, as defined by the English scientist Alan Turing. In the 1940s, he said "a machine has artificial intelligence when there is no discernible difference between the conversation generated by the machine and that of an intelligent person." A computing pioneer, Turing cracked Germany's Enigma encryption code in World War II, helping end the war and saving millions of lives. In 2014, The Imitation Game movie of this achievement was released starring Benedict Cumberbatch and Keira Knightley. In the best selling book, "The Singularity Is Near," Ray Kurzweil expressed the opinion that computers will pass the Turing test in the late 2020s. See CAPTCHA, chatbot and computer generations.

Turing test

(Wired Equivalent Privacy) An IEEE standard security protocol for wireless 802.11 networks. Introduced in 1997, WEP was found to be very inadequate and was superseded by WPA, WPA2 and 802.11i. Its authentication method was extremely weak and even helped an attacker decipher the secret encryption key. As a result, WEP authentication was dropped from the Wi-Fi specification. Passwords Are Required WEP uses passwords that are entered manually at both ends (see preshared keys). Using the RC4 encryption algorithm, WEP originally specified a 40-bit key, but was later boosted to 104 bits. Combined with a 24-bit initialization vector, WEP is often touted as having a 128-bit key. See WPA, 802.11i and initialization vector.

WEP

(2) See Windows Product Activation. (1) (Wi-Fi Protected Access) A security protocol for wireless 802.11 networks from the Wi-Fi Alliance that was developed to provide a migration from WEP. The WPA logo certifies that devices are compliant with a subset of the IEEE 802.11i protocol. WPA2 certifies full support for 802.11i. Strong Security WPA and WPA2 use a sophisticated key hierarchy that generates new encryption keys each time a mobile device establishes itself with an access point. Protocols including 802.1X, EAP and RADIUS are used for strong authentication. A RADIUS server provides automatic key generation and enterprise-wide authentication. For home and small business users who do not have an authentication server, WPA can be used in preshared keys (PSK) mode, which requires that a shared secret key be manually entered into the access points and each user's computer. The shared secret is used to automatically generate the encryption keys. WPA - 802.11i Subset for Migration Upgrades WPA's Temporal Key Integrity Protocol (TKIP) uses the same RC4 algorithm as WEP for encryption, but adds sophisticated key management and effective message integrity checking. TKIP was designed to be efficient enough to work in older WEP devices by updating their firmware to WPA. See WEP. WPA2 - Full 802.11i In addition to TKIP, WPA2 supports the AES-CCMP encryption protocol. Based on the very secure AES national standard cipher combined with sophisticated cryptographic techniques, AES-CCMP was specifically designed for wireless networks. AES-CCMP requires more computing power than TKIP, and migration from WEP to WPA2 requires new hardware. Devices running in WPA2 mode are not backward compatible with WEP. See 802.11i, AES-CCMP, 802.1X, EAP and RADIUS. 802.11 Encryption Methods As 802.11 security protocols evolved, the encryption methods became more robust. The Wireless Security Primer Jon Edney and William Arbaugh's "Real 802.11 Security" (Pearson Education, 2004, ISBN 0-321-13620-9) covers every technical detail you will ever need to know about 802.11i, WPA, WEP and other related protocols. It is also a great primer on wireless security in general.

WPA

Software that searches for viruses. Also known as a "virus scanner." As new viruses are discovered by the antivirus vendor, their binary patterns and behaviors are added to a database that is downloaded periodically to the user's antivirus program via the Web. Popular antivirus programs are Norton, McAfee, Sophos, Bitdefender, AVG and Kaspersky. Windows Defender is Microsoft's own antivirus software that comes with Windows, starting with Windows 8. Antivirus programs are used on all Windows machines, but most Mac users do not install them. However, as more Macs are acquired, the Mac has slowly but surely become a target of attacks, and Mac antivirus programs are being installed at a more rapid rate than in the past. See virus, quarantine, disinfect and scareware. Multiple Detection Approaches Early antivirus scanning matched the binary signature (pattern) of executable files against a database of known malware signatures before they were allowed to run. This "scanning" process was vastly speeded up by doing a one-time scan of all the executables in the computer and also when a new one is installed. If the executable is virus free, a checksum (hash) of its binary pattern is computed and stored in a checksum database. The next time the executable is launched by the user, its checksum is recomputed and compared with the virus-free checksum. If they match, the file was not adulterated. Because malware may generate a unique signature each time it is downloaded to an unsuspecting user, antivirus programs also use behavior detection, which looks for suspicious activities such as copying and deleting files when launched (see behavior detection). See Symantec, McAfee, Sophos, Bitdefender, AVG, checksum, virus, polymorphic virus and Reputation-based Security.

antivirus program

An assault against a computer system or network as a result of deliberate, intelligent action; for example, denial of service attacks, penetration and sabotage. See attacker, attack vector, brute force attack, dictionary attack, denial of service attack, replay attack, piggybacking, penetration and sabotage.

attack

A person or other entity such as a computer program that attempts to cause harm to an information system; for example, by unauthorized access or denial of service. Human attackers are also called "crackers" and "hackers.

attacker

A device used in network access control. It stores the usernames and passwords that identify the clients logging in, or it may hold the algorithms for token access (see authentication token). For access to specific network resources, the server may itself store user permissions and company policies or provide access to directories that contain the information. RADIUS is the most widely used protocol for authentication servers. TACACS+ is a Cisco-developed product that has also been popular. The authentication server may be a stand-alone system or software that resides in an Ethernet switch, wireless access point (AP) or network access server (NAS). See AAA server, RADIUS and 802.1x.

authentication server

The combination of authentication server and authenticator, which may be separate devices or both reside in the same unit such as an access point or network access server. The authentication server contains a database of user names, passwords and policies, and the authenticator physically allows or blocks access. See 802.1X.

authentication system

The device in an authentication system that physically allows or blocks access to the network. It is typically an access point in a wireless system or a network access server (NAS) in a dial-up system. See 802.1X and authentication.

authenticator

The systematic, exhaustive testing of all possible methods that can be used to break a security system. For example, in cryptanalysis, trying all possible keys in the keyspace to decrypt a ciphertext. See dictionary attack. See also brute force programming.

brute force attack

The digital equivalent of an ID card used in conjunction with a public key encryption system. Also called a "digital ID," "digital identity certificate," "identity certificate" and "public key certificate," digital certificates are issued by a trusted third party known as a "certification authority" (CA) such as VeriSign (www.verisign.com) and Thawte (www.thawte.com). The CA verifies that a public key belongs to a specific company or individual (the "subject"), and the validation process it goes through to determine if the subject is who it claims to be depends on the level of certification and the CA itself. Creating the Certificate After the validation process is completed, the CA creates an X.509 certificate that contains CA and subject information, including the subject's public key (details below). The CA signs the certificate by creating a digest (a hash) of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a "digital signature," and when placed into the X.509 certificate, the certificate is said to be "signed." The CA keeps its private key very secure, because if ever discovered, false certificates could be created. See HSM. Verifying the Certificate The process of verifying the "signed certificate" is done by the recipient's software, which is typically the Web browser. The browser maintains an internal list of popular CAs and their public keys and uses the appropriate public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with), and the public key in the certificate is assumed to be the valid public key of the subject. Then What... At this point, the subject's identity and the certificate's integrity (no tampering) have been verified. The certificate is typically combined with a signed message or signed executable file, and the public key is used to verify the signatures (see digital signature and code signing). The subject's public key may also be used to provide a secure key exchange in order to have an encrypted two-way communications session (see SSL). See PKI. Major Data Elements in an X.509 Certificate Version number of certificate format Serial number (unique number from CA) Certificate signature algorithm Issuer (name of CA) Valid-from/valid-to dates Subject (name of company or person certified) Subject's public key and algorithm Digital signature created with CA's private key

digital certificate

A digital guarantee that information has not been modified, as if it were protected by a tamper-proof seal that is broken if the content were altered. The two major applications of digital signatures are for setting up a secure connection to a Web site and verifying the integrity of files transmitted (more below). An Encrypted Digest The digital signature is an encrypted digest of the file (message, document, driver, program) being signed. The digest is computed from the contents of the file by a one-way hash function, such as MD5 and SHA-1, and then encrypted with the private part of a public/private key pair (see RSA). To prove that the file was not tampered with, the recipient uses the public key to decrypt the signature back into the original digest, recomputes a new digest from the transmitted file and compares the two to see if they match. If they do, the file has not been altered in transit by an attacker. See MD5.

digital signature

A formula used to turn ordinary data, or "plaintext," into a secret code known as "ciphertext." Each algorithm uses a string of bits known as a "key" to perform the calculations. The larger the key (the more bits), the greater the number of potential patterns can be created, thus making it harder to break the code and descramble the contents. Most encryption algorithms use the block cipher method, which codes fixed blocks of input that are typically from 64 to 128 bits in length. Some use the stream method, which works with the continuous stream of input. The dialog box below from the ScramDisk encryption program shows the various algorithms offered to encrypt data on your hard disk. The free, open source, legacy version of ScramDisk is available at www.samsimpson.com. The accompanying descriptions and performance comparisons from the ScramDisk documentation manual are provided because they provide a brief and clear summary of current-day secret key encryption algorithms. The following is reproduced with permission, courtesy of Sam Simpson and Aman. See mode of operation, cryptography, security protocol, stream cipher, block cipher and algorithm.

encryption algorithm

(1) An umbrella term for security in the user's machine (client machine). (2) Diagnosing the status of a user's computer or mobile device when it connects to the network. Also called, "network access protection" (NAP), the security software is deployed in both the client and server side. It determines if the operating system, Web browser and other applications are up-to-date. It also checks the status of the antivirus, firewall and other security components. If a device is deemed non-compliant, it is either updated, or access to the network is declined. See network access control, lock down and vSentry.

endpoint security

The primary method for keeping a computer secure from intruders. A firewall allows or blocks traffic into and out of a private network or the user's computer. Firewalls are widely used to give users secure access to the Internet as well as to separate a company's public Web server from its internal network. Firewalls are also used to keep internal network segments secure; for example, the accounting network might be vulnerable to snooping from within the enterprise. In the home, a personal firewall typically comes with or is installed in the user's computer (see Windows Firewall). Personal firewalls may also detect outbound traffic to guard against spyware, which could be sending your surfing habits to a Web site. They alert you when software makes an outbound request for the first time (see spyware). In the organization, a firewall can be a stand-alone machine (see firewall appliance) or software in a router or server. It can be as simple as a single router that filters out unwanted packets, or it may comprise a combination of routers and servers each performing some type of firewall processing. For more about the various firewall techniques, see firewall methods.

firewall

(1) A wireless access point (AP) installed by an employee without the consent of the IT department. Without the proper security configuration, users have exposed their company's network to the outside world. Ethernet jacks are ubiquitous, and it is a simple task to plug in a Wi-Fi (802.11) access point in order to provide wireless connectivity to anyone in the vicinity. For example, marketing might want wireless access for their traveling sales reps who always bring laptops. Consumer-oriented access points often do not have management interfaces and do not identify themselves on the network. Rogue access points can be detected by performing a walking audit around the facility with sniffer software in a laptop or mobile device. More reliable approaches are to install probes that constantly monitor the wireless network looking for changes or install server software that monitors both wired and wireless sides of the network. See also rogue site. (2) An access point (AP) set up by an attacker outside a facility with a wireless network. Also called an "evil twin," the rogue AP picks up beacons (signals that advertise its presence) from the company's legitimate AP and transmits identical beacons, which some client machines inside the building associate with. As long as wireless security is enabled, this type of attack cannot compromise the user's machines. However, it can cause harm by slowing down the connections or causing users to lose connections with the real network.

rogue access point

(1) A server on the Web that supports a security protocol, which is typically SSL. Order forms with credit card numbers and other sensitive data transmitted to and from a Web server must be encrypted for the user's protection. Even if a third party were able to capture the transmission, it would be extremely difficult to decipher the data. See SSL, security protocol and cryptography. (2) A Web server used only for employees in a local network that is fortified against attack from the public Internet. See firewall.

secure Web server

An examination of networks and computer systems by an independent consultant. It determines an organization's vulnerability to criminal invasion (hackers, viruses, arson, etc.) as well as natural disasters (fire, tornados, earthquakes, etc.). See security scan, security suite and information security.

security audit

A sequence of operations that ensure protection of data. Used with a communications protocol, it provides secure delivery of data between two parties. The term generally refers to a suite of components that work in tandem (see below). For example, the 802.11i standard provides these functions for wireless LANs. For the Web, SSL is widely used to provide authentication and encryption in order to send sensitive data such as credit card numbers to a vendor. Following are the primary components of a security protocol. See cryptography, information security, HTTPS, SSL, PCT and IPsec. Access Control Authenticates user identity. Authorizes access to specific resources based on permissions level and policies. See access control and authentication. Encryption Algorithm The cryptographic cipher combined with various methods for encrypting the text. See encryption algorithm. Key Management Create, distribute and maintain the keys. See key management. Message Integrity Ensures that the encrypted message has not been tampered with. See message integrity.

security protocol

A temporary key used to encrypt data for only the current session. The use of session keys keeps the secret keys even more secret because they are not used directly to encrypt the data. The secret keys are used to derive the session keys using various methods that combine random numbers from either the client or server or both. See key management and security protocol.

session key

In an authentication system, supplicant refers to the client machine that wants to gain access to the network. See 802.1x.

supplicant

anything that can do anything bad to our stuff

threat

A service from a carrier that links remote Ethernets together. It is called "transparent" because the connected Ethernets are viewed as one Ethernet by the customer, regardless of the technology employed by the carrier in between. Transparent LAN service between two sites, more accurately known as a "LAN interconnect," has been successful, but multipoint transparent LANs have been problematic due to the difference in architecture between the broadcast-based Ethernet and the carrier's point-to-point network. The VPLS standard was developed to resolve the problem using IP and MPLS routers (see VPLS). See virtual private network.

transparent LAN service

An endpoint security architecture from Bromium (www.bromium.com), introduced in 2012. Residing in the user's machine, and based on the Xen virtual machine software, vSentry creates a micro virtual machine (micro-VM) for each user task such as opening an e-mail attachment or Web page. Throughout the day, hundreds of micro-VMs may be created in real time, and like traditional VMs, each micro-VM is an isolated entity. Suspicious activity is blocked within the micro-VM, and when the task is completed, it is dissolved. If a virus does manage to activate, it cannot cross over and infect other applications or processes in the computer. In addition, Bromium's Live Attack Visualization & Analysis (LAVA) reports malicious activity so that the organization's security can be tightened. See endpoint security and virtual machine.

vSentry

Software used to infect a computer. After the virus code is written, it is buried within an existing program. Once that program is executed, the virus code is activated and attaches copies of itself to other programs in the computer and other computers in the network. Infected programs continue to propagate the virus, which is how it spreads. The effect of the virus may be a simple prank that pops up a message on screen out of the blue, or it may destroy programs and data right away or on a certain date. For example, the famous Michelangelo virus contaminated the machine on Michelangelo's birthday. Viruses Must Be Run to Do Damage A virus is a self-contained program that attaches itself to an existing application in a manner that causes it to be executed when the application is run. Macro viruses are similar. The virus code has replaced some or all of the macro commands. Likewise, it is in the execution of the macro that the damage is done (see macro language). "In the Wild" The term "computer virus" was coined in the early 1980s, supposedly after a graduate student presented the concept of a program that could "infect" other programs. Since then, more than a million viruses have been defined. However, the bulk of the infections are from only a few hundred active variants, said to be "in the wild." Since 1993, the WildList Organization has been keeping track of virus attacks around the world. For more information, visit www.wildlist.org. For a sampling of different virus infections, see virus examples. See in the wild, dangerous extensions, quarantine, disinfect, macro virus, e-mail virus, behavior detection, polymorphic virus, stealth virus, worm, boot virus, vandal, virus hoaxes and crypto rage. Virus Theory John von Neumann theorized that a computer program could replicate itself in his 1949 paper "Theory and Organization of Complicated Automata," and computer scientist Fred Cohen described the logic for several types of viruses in his 1984 paper "Computer Viruses - Theory and Experiments." See von Neumann architecture. Windows Vs. Mac Almost all Windows users install an antivirus program in their computers, while many Mac users do not. Windows computers are attacked constantly, because they make up the huge majority of personal computers and are therefore the low-hanging fruit. In addition, the Mac is a Unix-based machine, and the Unix architecture separates the operating system from the applications, which makes it harder to crack, although not impossible. While the majority of Mac users do not use antivirus software, there have indeed been successful virus attacks against Macs, and Mac users are installing antivirus more than they have in the past. See antivirus program.

virus

anything that allows the threat to happen

vulnerability