Chapter 11: Security Operations - Vulnerability Testing

Main goal of penetration testing is to report identified vulnerabilities and to determine how severe the vulnerabilities are.

The five steps of penetration testing:

1. Discovery - Gather info about the system you are going to attempt to gain unauthorized access to.

2. Enumeration - Perform scans to find out ways you might be able to accomplish your penetration goals.

3. Vulnerability Mapping - Actually identify your found vulnerabilities and document them

4. Exploitation - Attempt to break into the system.

5. Report to Management - Show them what you found, if you gained unauthorized access, how sever it is, and what can be done to protect against all of these new found vulnerabilities.

Chapter 11: Security Operations - Email Security

I found a great article that describes how email works in pretty simple terms:

http://www.howtogeek.com/56002/htg-exp

Here are a few of the email attack methods hackers can use to obtain information:

Browsing- When an attacker is looking for important data but does not know what format it is in.

Sniffing - Also known as a network analyzer. When used in the wrong way, they can capture user names and passwords, but the good guy usually uses them to diagnose network problems.

Session Hijacking - Using a different IP address from their own in order to take over a session between two computers. They then spy on the connection to see if it is worthwhile to place themselves in the middle of communication between the two machines.

Loki- Utilizes ICMP to enable an attacker to to covertly communicate with another system.

Password Cracking - Using software to guess static passwords, and gain access to confidential information.

Backdoor- program that allows attackers to login, and then come back at a later date without having to supply the appropriate credentials to gain access again.

Chapter 11: Security Operations - Network and Resource Availability

Backup Technologies:

Disk Shadowing - Technology designed by Microsoft. A snapshot is taken of a disk image that can then return a drive to its previous state if need be.

Redundant Servers - Servers that possess the capability of taking over immediately if a primary server fails.

RAID - Redundant array of independent disks. The key here is redundancy. Data is stored across multiple drives but is only seen as one disk. The technique used here is known as striping.

MAID - Massive array of inactive disks. Saves on energy consumption. Drives that do not need to be in use remain powered down until they are called upon.

RAIT - Redundant array of independent tapes. Almost the same as RAID, bust uses tape drives instead of disks. An advantage of this is that it is lower cost.

Clustering - The grouping of servers that might be in a completely different places, but all of these servers can be managed as a single system.

Backups - Having a way to restore data when something bad happens. Examples include software corruption, hard drive failure, and natural disaster.

Chapter 11: Security Operations - Media Controls

Media is defined as anything that contains company data. This could be electronic (disks, CDs, DVDs, thumb drives) or it could be information that is in traditional paper form. These items should be stored in a "library" and only authorized personnel should have access to them. The media should also be protected from environmental threats, such as fire or humidity. Data from these media devices should be erased properly, and unwanted devices should be disposed of in a protected manner to ensure that unauthorized people do not obtain them. When media is erased from a device, the device is said to be sanitized. The zeroization method of sanitation is when data is overwritten with new data, and there is no possible way that the old data can be recovered. Degauassing is another method of sanitization, in which the data is scrambled so that is cannot be read. There are 7 area that a media librarian is responsible for. Media should be marked. Media should be properly logged. The integrity of the media on a device should be verified. Librarians should control physical access to the media. Librarians should ensure environmental protection of the media. They should make sure that media data is transmitted securely and to the appropriate parties. Lastly, librarians should make sure that media is disposed of properly.

Chapter 11: Security Operations - Configuration Management

There are 6 steps to the change control process as stated in the study guide.

1. Request for a change to take place - Person requesting the change should construct the change idea and present it to the party responsible for approving and implementing changes.

2. Approval of the change - Benefits of the change should be presented to the approving party and also show the potential problems that the change could cause. The approving party might make the requestor go back and do more research or development of the change be approval takes place.

3. Documentation of the change - If a change gets approved, all the appropriate information about the change should be entered into a change log. As the change develops, updates should be made to the individual record in the change log.

4. Tested and presented - Testing is necessary to uncover any unforeseen negative affects of the change. In the step, if it is a big change, a change control committee might be brought in to weigh the positives and negatives of the change and get another opinion on the change before company wide implementation occurs.

5. Implementation - Once all of the previous steps have been satisfied, it is time to put the change into action. An implementation schedule and milestones should be set up in order to keep the implementation organized.

6. Report change to management - A final report should be submitted to management that gives a summary of the implementation and the status of the change that is now in production.

Chapter 11: Security Operations - Operational Responsibilites

Operations personnel within an organization are an extremely important asset to have. They are largely responsible for ensuring that a company's systems run as they are supposed to and that these systems are protected. In the event that a system crashes, there are three steps that the department should take in order to troubleshoot and resolve the issue as quickly as possible.

1. Safe mode - Also known as 'single-user mode', logging in this way prevents the system from running services for other users on that network. Also, when in this mode, only the local console is able to be gotten to. This makes troubleshooting more effective.

2. Resolve issue and get back lost files - After logged onto the system in safe mode, the administrator can go in and attempt to correct any damage that has been done. Afterwards, it is important to try and figure out why the system shut down improperly to begin with so that it does not happen again. Changes might have to be made to applications and databases as a result of the system crash.

3. Operation and file validation - If the investigation shows that corruption to files and operations had occurred, the administrator must make sure that they validate file contents to ensure that the system configuration is in its expected state.

Chapter 11: Security Operations - Administrative Management Continued

Along with the separation of duties, there are a few other important administrative controls that are a good idea to implement within a company. The concept of job rotation refers to not only having one person that knows how to perform certain duties of a particular role. If you only have one person that has the knowledge of how to perform a key duty in your organization, and that person decides to leave the company or is unable to work, the company could be in a world of hurt. It also makes it easier to spot activities that are either criminal or go against company policy. A second important administrative control is what is known as least privilege. This means that an employee should only have access to resources they need to do their job and nothing more. For example, it wouldn't make sense to have an analyst with the ability to go into the database and alter data or tables. That is the sole responsibility of your database administrators. A third important administrative control is mandatory vacations, meaning that the employee is required to take vacation time after working continuously for a certain period of time. This is another key way in order to spot fraudulent activities and is also a great way to deploy job rotation. While the employee is on vacation, another employee will be brought in to fulfill the vacationing employee's duties. If an employee does not want to take vacation (who doesn't want to take vacation time, right?) it is usually a red flag that they are doing something that they know they are not supposed to.

Chapter 11: Security Operations - Security Operations and Administrative Management

A core principle when it comes to administrative management is the concept of separation of duties. This term means that roles are specified to only do one distinct thing. This idea ensures that one person alone could not compromise the whole company by either making a mistake or with intentions of causing harm. Common roles with their descriptions are listed below:

Control Group - Gets the information from different groups or people and passes the information along to the groups or people that need the information to do their jobs.

Systems Analyst - Designs how data will be used in a system or how the data will be transferred from system to system based upon requirements provided by the user as long as those requirements are within the scope of operation.

Application Programmer - Develop software and maintains software.

Help Desk/Support - Responsible for fixing technical issues within the organization and provides guidance to clients and employees for using systems.

IT Engineer - Responsible for doing routine operations on systems on a daily basis to keep them up and running. 

Database Administrator - Develops new data models for database implementations and maintain the databases in an organization.

Network Administrator - Installs Local Area Networks and/or Wide Area Networks for use within the company. Also responsible for maintaining these networks.

Security Administrator - Responsible for the security framework. They develop the security controls, implement them, and insure that these controls are in use effectively.

Tape Librarian - Responsible for backing up and keeping record of all important data.

Quality Assurance - Ensures that activities meet the standards of requirements. Responsible for testing the activities to find issues and pass the issues back to the appropriate group so that the problem/issue can be resolved. 

Chapter 10: Software Development Security - Malware

Malware, also known as malicious software, comes in many forms. Some examples are viruses, worms, Trojan horses, and logic bombs. Malware can be spread through a variety of methods, including email and downloads from the internet. First off, I want to identify what a virus is and the different types of viruses. A virus is an application that infects software. They cannot reproduce on their own, and must have a host program. After attaching to a host application, it then gives its payload to the host. The payload could be a few different things such as deleting files, displaying useless information, or thieving data from the application or system that it has infected. A macro virus is a form of a virus that infects macro programs; programs that are written in Word Basic, Visual Basic, or VBscript. They generally infect Microsoft Office. They are pretty easy to write and affect the templates of documents. A boot-sector virus is one that, as the name implies, affects the boot sector of a computer. They either reposition data or override data within the boot sector. A third type of virus, the compression virus, finds an uninfected executable file and attaches itself to it. It them compresses the executable using system permissions. When the user runs that executable, the virus proceeds to run. A stealth virus is one that essentially makes it look like the system is the same as it was before infection. Another common type of malware is a worm. A worm is a program that replicates itself in order to spread to other machines. It usually spreads through networks that have security flaws. While a virus has to have a host program, worms do not. They can be standalone programs. A Trojan horse is a program that disguises itself to look like an existing program. For example, the Trojan horse can look exactly like an everyday application. When a user runs makes the unknowing mistake of opening the Trojan horse (because it looks just like the app they use daily) the regular app is opened but the Trojan horse is executing its malicious actions in the background. Unlike viruses, they do not replicate themselves but can be just as devastating as viruses. A logic bomb slightly differs from the the previous types of malware discussed. It is a sting of code that is executed when certain conditions are met. For example, it could be coded in such a way that when a user visits a certain website, it triggers the logic bomb and, for example, deletes certain specified files from the system.

Chapter 10: Software Development Security - Expert Systems/Knowledge-Based Systems and Artificial Neural Networks

Expert Systems - Another name for knowledge based systems. These types of systems use artificial intelligence in order to solve extremely complex problems. To put in terms that non-computer people would understand, they attempt to mirror the thought process of a human expert in the field of the particular problem.

Inference Engine - This is the center of the knowledge base system. It is a program that tries to come up with answers from the kbase for a problem. The main purpose here is to come up with legitimate conclusions based upon the retrieved data in the kbase.

Rule-based programming - A method of programming knowledge-based systems. Uses if-then logic with particular actions that must take place for individual situations.

Artificial Neural Networks - Programs or models in computing that attempt to mimic a human brain. These programs can even learn as they go, but connot deal with "fuzzy logic" well. The study guide puts it this way: ANNs cannot see the gray in the world, such as good and bad.

Chapter 10: Software Development Security - Database Management Part 2

There are four languages when dealing with relational databases.

Data definition language - Defines the database schema or structure.

Data manipulation language - defines the data and how the data can be manipulated when retrieved.

Data control language - grans access to people or systems that cab carry out certain functions within the database.

Query Language - the language commands are written in in order to retrieve data, insert data, update data, or delete data from a database.

A data dictionary is where data about the data is stored. This info is often referred to as metadata. Another concept that is important to remember about relational databases is the concept of primary and foreign keys. A primary key is a unique value that no other record can posses. When you relate two tables, the primary key attribute of one table becomes the foreign key of another. This is what relates the two tables.

Chapter 10: Software Development Security - Database Management

Types of database models:

Relational- Uses columns and rows to organize data into tables. The columns are the attributes that each record has while the row is the collection of each records individual attributes. Most widely used model of today. Uses primary keys and foreign keys to develop relationships.

Hierarchical- Uses a tree structure with parent/child relationships. Parents can have one child, many children, or no children. Not as flexible as relational databases.

Network- Similar to the hierarchical model. However, in this model, each data element can have multiple parent child records. This model is a little bit more flexible than the hierarchical model because it allows redundancy.

Object-Oriented- Can handle a variety of data types such as images, documents, and video. Really dynamic because objects are created when needed and sent with the object is the needed functionality of the object.

Object-Relational- This type is relational database with a front end designed from an object oriented programming language. Useful to have the methods already there to actually do something with the retrieved data.

Chapter 10: Software Development Security - Web Security

Threats on the web:

Information gathering- This is step one during a hacker's attempt to cause damage to your system. Usually goes unnoticed on the web server side because they can simply use search engines to find the information that they want.

Administrative interfaces- Not a very good idea to use a web-based administrative interface. Use superior authentication method rather than the simple username/password method. Also, have strong control over which systems can access the administrative system.

Authentication and access control- To protect against this threat, use multifactor authentication. Another way to protect against this threat is to encrypt info and transfer the data using a secure protocol.

Input validation- path or directory traversal: dot-dot-slash method. Attackers try to get into a web server's drive. Unicode encoding: same idea as the previous method but they use Unicode representations of characters. URL encoding: attackers bypass filters and make requests using different representations of characters. The most most famous method here is SQL injection, where an attacker puts in actual database commands to try and retrieve data from the web server.

Parameter validation- Important to validate all data that passes through the system. Client side should check for validation and then the server side should as well.

Session management- Common way to combat against this threat is to use unique session ids for every session. Do not use sequential ids as it would make it easier for the attacker to guess it.

Chapter 10: Software Development Security - Mobile Code

Mobile code is code that can be send to another location across a network and then be executed and used on the other side. In Java, Java applets are used to accomplish this. The programmer creates the applet, runs the program through a compiler and is turned into bytecode (this code is not platform specific; it can run on many platforms. This bytecode is then placed on a server available for users to download it. Once a user downloads it, the universal bytecode is then transformed into machine-level code that is specific to the type of system it was downloaded to. To accomplish this code conversion, a Java Virtual Machine is used. Usually this virtual machine is running within the users web browser. The applet is then able to be ran when it is called upson, but it is ran in what is known as a sandbox. A sandbox is an area in where potentially unsafe code from another area can be ran in a secure manner.

Chapter 10: Software Development Security - Programming Languages and Concepts

At the very lowest level, the language that a computer can read is known as binary. "Bi" meaning two, as binary is only a combination of 1's and 0's. This is also known as machine code. There were no "programming" languages in the early 1950's, so this is how programmers wrote instructions for computers. Later, assembly language came along. Assembly language is only one step above machine language. Instead of all 1's and 0's, it uses symbols to represent many 1's and 0's. Assemblers were used to convert these symbols into machine readable code. Later on in the early 60's, high level languages started to emerge. Syntax became closer to human language and introduced abstract statements. Many statements could now be reduced to single line and provide the same functionality. Later, even more abstraction became involved in fourth-generation languages. Things that used to be constructed with a ton of code could now be accomplished with one-tenth of that. Programmers do not have to know how a computer works, how memory is handled, etc. when using very high level languages. The 1990's saw the emergence of what is known as natural languages, where the main goal is that the software can solve problems by itself instead of having an algorithm based method to complete tasks. Object-Oriented programming is widely used in today's world. Objects can be instantiated, communicate with each other, and inherit behavior and attributes from parent classes. This leads to code reuse and a lot less coding for developers. Instead of code being executed in a sequential manner, execution can bounce around from class to class.

Chapter 10: Software Development Security - Capability Maturity Model Integration

CMMI is a set of guideline for developing software products. There are 5 levels and each level builds off of the ones prior to it. In other words, you cannot progress to a level if you have not met the requirements for a previous level. The idea behind this was to have a standard to make software development more organized.

http://en.wikipedia.org/wiki/Capability_Maturity_Model_Integration

Chapter 10: Software Development Security - Software Development Models

Break and Fix - Planning is not really used here. Produce working software and deal with issues as they arise.

Waterfall - Plan everything up front before a single line of code is written. Not very flexible and does not account for changes in requirements.

V-Model - Testing is used during each phase of the project, not at the very end.

Prototyping - Models of code or application are created up front before actual work takes place to develop the software.

Incremental -Many development cycles are used and each cycle produces working software. Improvements are made during each cycle.

Spiral - Iterative model that encourages client involvement. Customer feedback is important throughout these types of projects.

Rapid Application Development - A combination of prototyping and incremental. Goal is to make the process quicker.

Agile - Encourages teamwork. Anticipates that new requirements and modifications will arise throughout the project.

Chapter 10: Software Development Security - Secure Software Development Best Practices

There are many resources available to software developers that will help them make their software more secure. Most of these are available for free. Here are four that the book lists:

Web Application Security Consortium - Best practices and security standards for web application development on the world wide web
www.webappsec.org/

Open Web Application Security Project - An organization that operates from a non-profit standpoint that aides in security of software application
https://www.owasp.org/

Build Security In - Provides various resources to aid in building secure software in every phase of its development.
https://buildsecurityin.us-cert.gov/

ISO/IEC 27034 - International standard of security for all classes of applications.
http://www.iso27001security.com/html/27034.html

Chapter 10: Software Development Security - Software Development Life Cycle

Since I am already fairly familiar with the Software Development Life Cycle and it would be kind of pointless to simply explain what each phase is, I want to list things from the book that I had zero previous knowledge of in each phase of the SDLC.

Gather Requirements: A privacy Impact Rating is the classification of the data in which the software will use. There are three classifications - P1, P2, and P3 where P3 is the lowest privacy risk and P1 is the highest.

Design: During this phase, at least from a security standpoint, two things should occur. The first is that an attack surface analysis should be performed. This will show you how much code and software functionality is available to users that are untrustworthy. The second thing that should occur is to create a realistic threat model. A threat model is a visualization of how threats could affect your software and how this threat might occur.

Development: Computer aided software engineering is the use of computers to aid in development. From my understanding, an Integrated Development Environment (IDE) is a form of computer aided software engineering because you are using software to help you develop or enhance new software.

Testing/Validation: Unit Testing - A look at each piece of a program. Data structures, logic, methods,                                                         and boundaries.
                                Integration Testing - Make sure all parts work together as designed.
                                Acceptance Testing - Making sure requirements are met.
                                Regression Testing - When a change is made, make sure it nothing else is                                                                                affected.

Release/Maintenance: Verification - product meets the specs.
                                     Validation - real world solution is achieved.

Chapter 10: Software Development Security - Intro

I want to begin my blog on this chapter by saying that I am very excited about broadening my knowledge of this area of security. I find software development very interesting, and I hope to one day become a software developer. To begin this chapter, I want to talk about the main reasons why insecurities within actual software exists, why this is concerning, and why software needs to be built in a secure manner, especially in today's world. In the past, security was not really an issue when it came to software development. There were not as many malicious attacks, and the technology was no where near as advanced as it is now. This is a problem because a lot of this "old" software is still in use. Another reason why insecurities exist is because the people that are in charge of keeping things secure often do not have a development background. To add to this, many developers to not view security as the most important element in software. At the end of the day, they are more concerned about what the software's functionality. If a company is trying to get to get their product to market and make money, do you think they always take all the necessary steps in order to be sure the product is as secure as possible? The short answer is, absolutely not. It has become a sort of standard for software to have flaws when it comes to the user, with fixes coming at a later date. Last, customers cannot control the software they buy. This is why perimeter protection of software is so important. As an everyday user, you really never know how secure the software is that you are running...until something bad happens. While perimeter protection is great and highly necessary, in my opinion, security should be just as important as functionality for the modern day developer. We are so reliant on computers these days, it would be absurd to let security fall behind functionality. Think of it this way. Would you want to live in a house where it was not possible to lock your doors? Heck no! That would be a security threat. The same applies for software. You don't want to purchase or use something that was not made with security in mind.

Chapter 9: Legal, Regulations, Compliance, and Investigations - Fraud and Abuse Attack Types

Salami - bunch of small crimes in hopes a larger one will be looked over.

Data Diddling - Altering data.

Password Sniffing - Trying to catch passwords being sent from place to place.

IP Spoofing - Changing IP address so that it is harder for criminal to get caught

Dumpster Diving - Looking through trash data in hopes of finding something valuable.

Wiretapping - Any form of eavesdropping that uses tech.

Cybersquatting - Good example is purchasing a domain name that is extremely similar to the company that the person wants to take away business from. Goal is to reduce traffic to real site and carry out extortion.

Chapter 9: Legal, Regulations, Compliance, and Investigations - Investigations Continued

Just like traditional criminals, computer criminals have a reason for doing the bad things that they do. There are three terms that help better put criminal activity into perspective.

Motive-why the person is committing the crime. It could be for monetary gain, or simply because they get a rush by seeing if they can get away with it.

Opportunity-Where and when the crime happens. If a criminal sees that a companies firewall is down at a certain time, this is their time to attack.

Means-Does the criminal have what it takes to commit the crime they want to? This could include intellect and the hardware necessary to commit the crime.

Types of Evidence:
Best- primary; provides the most reliability
Secondary- unreliable evidence
Direct- fact proving evidence
Conclusive- cannot be contradicted
Circumstantial- proves intermediate facts
Corroborative- supporting that helps prove something else
Opinion- opinion rule; can only testify to the facts
Hearsay- written or oral; no firsthand proof

Chapter 9: Legal, Regulations, Compliance, and Investigations - Investigations

A lot of the time, the person that is done wrong in a computer crime is not even aware of it. There is a difference between an event and an incident concerning incident management. Events can be documented and observed. An incident is many of these negative events that hurt a company. The study guide makes a point to mention that most companies do not even have an incident management program. They just have a response process. The study guide goes even further stating that companies need to have an incident management process, because there is no sense in having a plan if you do not even know the bad things thats are going on. The definition of investigation from a computer security standpoint is pretty standard. You collect data, and analyze it to find out how bad the incident was/is and figure out how the incident happened.

Chapter 9: Legal, Regulations, Compliance, and Investigations - Liability and Its Ramifications

Not only should lawmakers refine what a computer crime is and its consequences but corporations should as well. They have to take responsibility for the crimes that they might potentially be liable for, and take precautions and measures to prevent these types of things from happening. no company wants to be hit with a fine for something they did that they were not aware was against the law. This is why it is so important to stay on top of emerging computing laws and standards. When a company has done all that it can do to to prevent bad things from happening, it is known as due care. In other words, the company did everything it was supposed to do to prevent against crime. Due diligence is kind of opposite, in that it made sure that it was not in violation of any rules and regulations. Downstream liability means that companies are not unlawfully affecting other companies.

Chapter 9: Legal, Regulations, Compliance, and Investigations - Privacy

Here I want to list what the study guide states is personally identifiable information. I did not know that there was a distinct list for this and I find it interesting.

-Full Name
-National Identification Number (SSN)
-Sometimes an IP address can be used here
- Tag number of a vehicle
- DL number
- Someone's face
-Fingerprints
-A person's handwriting
-Credit card numbers
-A digital id
-Birthdate
-place of birth
-Genetic code (DNA I'm assuming)

Privacy is always threatened these days since we are so reliant on technology. Privacy must be a main concern for three main reasons. More and more data centers are being built and maintained that include a plethora of valuable, personal info. Also, globalization is occurring at a rapid pace. All of your personal data can be transferred to foreign places in an instant! Finally, BI is big these days, and information like could be very valuable to certain individuals. Privacy laws are emerging at a rapid pace. This is why becoming a CISSP might be a great career choice as they will be needed more and more as time progresses.  

Chapter 9: Legal, Regulations, Compliance, and Investigations - Intellectual Property Laws

There are four main intellectual property laws. The first is a trade secret.  These are proprietary to a company, and are vital to the success of it. Non-disclosure agreements are common if you go to work for a company with trade secrets. An example of a trade secret is the formula used in a soft drink. Second, there is copyright law. It protects an author or maker of something. The author controls the distribution, replication, and changes to their work. Even computer programs can be copyrighted. The third type is a trademark. The trademark is essentially used to protect the identity of something. This is why you see the small c or TM next to logos. The last type of intellectual property law is a patent. They are used to protect a company's or individual's inventions. After an invention is patented, others cannot make, use, or sell the invention without permission from the original inventor, or until the patent expires.

Chapter 9: Legal, Regulations, Compliance, and Investigations - Types of Legal Systems

Civil (Code) Law System
- Used in Eurpoe
- Based on rules not precedence

Common Law System
- Based on previous interpretations of the law. Uses judges and juries - what we have in the U.S.
- Broken down into criminal and civil law.
  -Criminal law: behavior that hurts other people
  -Civil law: Here, the wrongdoer "owes" the victim restitution.

Customary Law System
- Used in countries such as China or India
- Based on the traditions of a place
- Looks at a person's behavioral pattern

Religious Law System
- Laws are not created, they are "uncovered" based on particular religions
- Morality is usually included in this type of system
- Laws and rules are from God, not made and implemented by humans.
- Is often used in Islamic countries based on the Koran.

Mixed Law System
- Two or more systems are used together
- Different types of law will often be associated with different kinds of crimes
- Countries that use this type are Canada and Holland

Chapter 9: Legal, Regulations, Compliance, and Investigations - Cyber Legalities Overview

There are three distinct types of computer crime laws:

1. Computer assisted crime - Criminal uses a computer to commit the actual crime or wrongdoing.

2. Computer targeted crime - Crime in which a computer is the actual victim because the criminal intended to cause harm to the computer or the computer's owner.

3. Computer is incidental crime - When a computer happens to be involved in criminal activity.

The main point to take away from this is that computer assisted crimes are crimes in which people use computer to carry out what some would call "regular" crimes such as theft and destruction. Also, computer targeted crimes absolutely cannot take place without a computer, whereas a computer assisted crime could. An example of a computer is incidental crime would be a crime in which a computer does not cause harm to another machine, a computer is not being attacked, but a computer is still used in some way to commit a crime.

Chapter 8: Business Continuity and Disaster Recovery - Recovery and Restoration

When it comes to trying to recover from a harmful event to business processes, there should always be a restoration team and a salvage team. The restoration team will get the offsite facility ready to go, while the salvage team will begin to fix the site that was effected by the disaster. After something negative has happened that effects the continuity of business, the effects of the disaster should be analyzed. This is where the damage assessment team comes in. After there two things have been accomplished, the business is then in a state known as recovery phase. All of these processes should already be in place. That is what the BCP is for. If a company is in these states, the BCP is in action and should be carried out explicitly. After all has calmed down, the company is then in a state known as the restitution phase. They will either move back into the original site, or move to a new one.

Chapter 8: Business Continuity and Disaster Recovery - Data Backup

When backing up data, a company should use disk shadowing instead of disk mirroring because data can be stored on multiple disks. Electronic vaulting is another method of data backup that companies should use. Files are copied as they are changed, and from time to time they are sent away to a backup facility. Remote journaling can also be used. It is similar to electronic vaulting, but only the changes are backed up, not the individual files. The data can later be restored based on the changes that were saved. Another method, known is tape vaulting, is when the data is backed up on site, and then an individual physically transports the backup to offsite locations. When data is backed up in real-time it is a type of replication known as synchronous. On the other hand, when the backup up does not occur in real-time, or replicates later, it os known as asynchronous. High Availability means that a bunch of different technologies are used in order to ensure that databases and servers are always up and running, even after disaster strikes.

Chapter 8: Business Continuity and Disaster Recovery - Preventative Measures and Recovery Strategies

Hot Site - Place that is all the way ready to go for operation
Advantage - Ready and highly available.
Disadvantage- Costs a lot and equipment choice is usually limited.

Warm Site - A Hot site without the hardware.
Advantage - Less expensive
Disadvantage - Takes a little more time to get up and running.

Cold Site - A site that has basic utilities but no equipment.
Advantage - Available for a long time because it is so much cheaper than other options
Disadvantage - Takes time for operations to resume here.

I thought that this was really neat because I never knew that companies actually have these in case of a disaster.

Chapter 8: Business Continuity and Disaster Recovery - BCP Project Components

Scope of the project: Important to note that the scope of such a project is not as clear as it might appear. Big companies usually only outline the scope of a BCP for large threats.

BCP Policy: The framework of the BCP. Outlines the actual purpose of the BCP and helps people understand how it is important and why it is so important.

Project Management: SWOT (Strengths, Weaknesses, Opportunities, Threats) analysis is useful here. Each objective of the BCP can be analyzed using this method and is potentially very helpful when designing and implementing a BCP.

Business Continuity Planning Requirements: Companies need to identify the real threats that are there and not ignore them. Failure to do so could lead to greater consequences. The "That will never happen to us" attitude can be detrimental to an organization.

Business Impact Analysis (BIA): Data is collected about business functions is examined and prioritized. A company does this to see which are most critical and valuable in case of a disaster.

Chapter 8: Business Continuity and Disaster Recovery - Intro

Regarding disaster recovery, the main goal is to is to minimize the effects of the disaster. However, the good news is that there are standards and best practices for such a disaster.

1. Develop a continuity planning policy statement - Construct a policy that gives insight on how to develop a BCP. Assign roles that will support it and can carry out the tasks.

2. Conduct a BIA (Business Impact Analysis) - Prioritize critical functions and systems. Calculate risks that have to do with threats and vulnerabilities.

3. Identify Preventative Controls - Implement measures that will counter the risks.

4. Develop Recovery Strategies - Find ways that will bring systems and functions back to operating level.

5. Develop a Contingency Plan - Develop ways that the organization can remain functional in the event of a disaster.

6. Test the plan and conduct training - Test the plan in order to identify and correct flaws. Train employees so that they know exactly what to do in case of a disaster.

7. Maintain the plan - Make sure that the plan is prevalent and that people know about it. Make sure that it is updated when it needs to be.

Chapter 7: Cryptography - Types of Attacks

Ciphertext only Attacks - attacker has the ciphertext of many messages, and each is encrypted using the same encryption algorithm. Most common attack, but hardest to be successful.

Known Plaintext Attacks - Attacker has the plaintext and the ciphertext to messages.

Chosen Plaintext Attacks - attacker has plaintext and ciphertext, but chooses the palintext that gets encrypted to view the ciphertext.

Chosen Ciphertext Attacks - chooses ciphertext to be decrypted and then gains access to the plaintext

*Goal is to figure out the key

Social Engineering - Manipulating others in order to get them to provide information.

Chapter 7: Cryptography - Internet Security

The very first sentence of this section of the study guide is extremely important. The Web is not the Internet. The Web basically runs on the Internet. I have a pretty good understanding of how HTTP works, and that it is stateless by design. It is up to the web developer to handle data persistence. Data can be persisted in one use case, in one session, using cookies, or using a database. HTTP is more secure when running over Secure Sockets Layer. The reason the exchange of credit card information is secure is because of Secure Electronic Transaction technology. It is also to point out the difference between Secure HTTP and HTTP Secure. The first protects each message sent from computer to computer, where the latter protects the channel in which the messages are sent.

Chapter 7: Cryptography - Email Standards

The book describes three main email standards when it comes to cryptography. The first one is the Multipurpose Internet Mail Extension. It's acronym is MIME, and it specifies how file types in email should be transferred and the handled by the recipient of the email. From my understanding, MIME is the reason that when you receive an email with an attachment, the file type is shown before even opening it most of the time. There is an extension to MIME, known as S/MIME where the S stands for secure. At a basic level, it allows for encryption of email and its attachments. It follows the Public Key Cryptography Standards and its algorithms. A second email standard is the PGP, or Pretty Good Privacy. A quote from the study guide describes it best: "I don't know you, but my buddy says you are all right, so I will trust you". It has become the de facto standard for the Internet. The third one is way more complex than the previous two...Quantum Cryptography. Photon polarization is used to represents bits for encryption.

Chapter 7: Cryptography - Public Key Infrastructure

I have found a website that explains PKI in a way that I understand a little better than the way the book puts it. Here is the link.

http://searchsecurity.techtarget.com/definition/PKI

Also, here is a diagram from the website that is helpful in describing whose key to use and what type of key to use.

To do this	Use whose	Kind of key
Send an encrypted message	Use the receiver's	Public key
Send an encrypted signature	Use the sender's	Private key
Decrypt an encrypted message	Use the receiver's	Private key
Decrypt an encrypted signature (and authenticate the sender)	Use the sender's	Public key

Below is another diagram that shows how PKI works in digital communication from http://www.asu.edu/ecure/2002/dollar/

Chapter 7: Cryptography - Message Integrity

One-Way Hash - Process that converts an amount of data and generates a fixed length value to protect integrity.

HMAC - Hashed message authentication code. Symmetric key concatenated with the message.

CBC-MAC - message gets encrypted with a symmetric block cipher.

CMAC - Cipher based message authentication code. Pretty much the same as CBC-MAC but a lot more secure mathematically.

I want to go ahead and point out the security services provided by each of these. A Hash function purely provides integrity. There is no confidentiality or authentication. Also, only unintentional modifications can be detected. HMAC lacks confidentiality, but it has integrity and data origin authentication. The same is true for CBC-MAC.

Chapter 7: Cryptography - Types of Asymmetric Systems

Just having symmetric key cryptography has many drawbacks. This is why asymmetric systems were developed. The first one developed is called the Diffie-Hellman Algorithm. Here, two different systems can make a symmetric key in a secure manner without first having established a relationship or agreement. It is however, vulnerable to man-in-the-middle attacks. Another asymmetric algorithm, RSA, is the standard used for digital signatures. It provides key encryption and is secure because it factors large numbers into their prime numbers. A third is El Gamal, which is an extension of Diffie-Hellman. It works by calculating discrete logs in a finite field. It is usually the slowest form.

Chapter 7: Cryptography - Types of Symmetric Systems

Data Encryption Standard (DES) - Algorithm is block symmetric. 56-bit true key bit. Block size is 64-bit. Has 16 rounds of computation.

3DES (Triple DES) - When encryption occurs, applies DES three times to each block of data.

Blowfish - Block size is 64-bit and keys can vary in length. Anyone can use it.

Rijndael - Chosen for AES. Block size is 128-bit and different key lengths are used (either 128 bits, 192 bits, or 256 bits).

International Data Encryption Algorithm (IDEA) - Block size is 64-bit and uses a 128-but key.

RC4 - This is a stream cipher. Key size can change. Simple, fast, but an easy target for attackers.

RC5 - Block cipher whose block sizes can be 32-bits, 64-bits, or 128-bits.Key has a limit of 2048-bits.Round limit is 255.

RC6 - Built upon RC5 and is the same for the most part. However, it is quicker than RC5.

Advanced Encryption Standard (AES) - Standard in the United States that replaced DES. 128 block size and key lengths vary from 128, 192, and 256.

Secure ans Fast Encryption Routine (SAFER) - Similar to DES but harder to break because of the size of the key is bigger. No known successful attacks as of now. It is also patented, so you have to pay to use it.

Chapter 7: Cryptography - Ciphers and Encryption Methods

There are two types of ciphers.

1. Substitution cipher - replaces characters with different characters.
2. Transposition cipher - Moves the values around. Does not replace values but hides the original meaning.

There are also two types of algorithms that are associated with cryptography:

1. Symmetric - user and sender use two instances of same key for encryption and decryption. Also known as secret keys. Equation to determine number of keys needed: N(N -1)/2. This method is a lot faster but must have secure mechanism to deliver keys the right way.

2. Asymmetric - each entity has different keys and are the two are related mathematically. For example, if one is used to encrypt the other must be used to decrypt. Public key is known to everyone, and only the owner uses the private key. There is better key distribution here, but is is much slower than the symmetric way.

Ofter good practice to use symmetric algorithms and asymmetric algorithms together. This is known as Hybrid Encryption.

Chapter 7: Cryptography - Cryptography Definitions and Concepts

Plaintext is the term used for readable data, whereas ciphertext is the data in its encrypted state. It is important to note that neither humans or machines should be able to properly read the data in its encrypted state. Only when the data is decrypted should it be able to be read by either human or machine. So, the process goes like this: plaintext is encrypted, and it becomes ciphertext. Then, in order to be read, the ciphertext is decrypted and becomes plaintext once again in order to read and used. Algorithms, a set of rules, are used to encrypt and decrypt data. A crptosystem is all of the things that make up an encryption and decryption process and should always be made up of software, protocols, algorithms, and keys. A key or crypto variable, is a single value that makes up a sequence of bits that are random. The algorithm that does the encryption and decryption should always be known, and only the keys should be kept secret. Bigger keyspaces allow for more possible keys, strengthening the encryption method. The one-time pad scheme is considered to be unbreakable if used in the right way. To work correctly, it must be constructed with truly random values, only used once, distributed securely, secured by the sender and the recipient, and must be as long as the message. This is a very basic description of how encryption works, and it does get more complicated than this.

Chapter 7: Cryptography - History of Cryptography

The first known use of cryptography can be dated back to 2000 B.C. in ancient Egypt. One of the earliest applications of cryptography was a hebrew method that replaced each letter of the alphabet with a different letter. We now have a term for this, and it is known as substitution cypher. Here is an example of this, with the letter 'A' being replaced with 'Z', 'B' being replaced with 'Y' and so on. So the word 'CRYPTOGRAPHY' would become 'XIBKGLTIZKSB'.  This is also known as a monoalphabetic substitution cypher because only one alphabet is used. If more than alphabet is used, it is then referred to as polyalphabetic. As time moved forward, algorithms were developed to improve methods of encryption. Today, there is the science of cryptanalysis, in which breaking down encryption is studied as well as reverse engineering the algorithms that encrypt data.

Chapter 6: Telecommunications and Network Security - OSI Layers

OSI stands for Open Systems Interconnection. There are various functions and protocols of the OSI model and the study guide states that if you want to take the exam, you will need be be pretty familiar with these.

Application - in charge of file transfer, network management, and fulfilling network requests. My favorite protocol example here is HTTP, because I am familiar with it and understand how it works for the most part.

Presentation - Handles data formats, and encryption. ASCII is one standard that is concerned with the presentation aspect of OSI.

Session - This layer sets up the connection of applications. A good protocol example here is SQL.

Transport - This is like an agreement between two computers. How much stuff will be sent is a concern, as well as how the receiving end will verify and handle the data.

Network -Main responsibility here is to tell the packet where it needs to go, and to get it to its correct destination. An IP address is a good example for this one.

Data Link - Changes the data into LAN or WAN frames for transfer and sets up how a computer will gain access to a network. Ethernet is one protocol that is associated with this layer.

Physical - The conversion of bits to actual electrical signals for transmission. A familiar term that you is in use here would be a digital subscriber line (DSL).

http://compnetworking.about.com/od/basicnetworkingconcepts/l/blbasics_osimod.htm

Chapter 6: Telecommunications and Network Security - Intro

At our day in age, networking has become increasingly complex. A network used to have boundaries, but now, since we basically have a computer in our pocket that is capable of networking, there is no clear cut boundary of individual networks. As technology increases, so do threats from attackers. Because of this, the security professionals of today must understand networks on various levels. Telecommunications is the transmission of data through systems. The data can be carried through cables, or it can be wireless. There are two main organizations that govern telecommunications. The International Telecommunications Union (ITU) and the International Standards Organization (ISO).

Chapter 5: Physical and Environmental Security - Proximity Protection

Proximity protection is put into place to provide four main services. First, it is used to control flow of vehicles and pedestrians. Different places on the property require different levels of protection as well. Buffers and delaying mechanisms are used in case of intrusion. The last service proximity protection is used for is control the entry points. These services can be provided using the various means describes below.

Access control - access systems, locks and keys. Also, educating personnel to be aware of their surroundings.

Physical barriers - walls, doors, fences, etc.

Intrusion detection - alarms, sensors that detect motion

Assessment - Cameras or security guards

Response - The ability to quickly get in touch with law enforcement

Deterrents - smart environmental design of an area

Chapter 5: Physical and Environmental Security - Locks

From a physical security standpoint, locks are used to delay intruders. They should never be the only method used for physical protection. There are many different kinds of locks, and they can be used for various things. However, the right type of lock should be used for each purpose. For example, you would not want to use a simple tumbler lock for the main door of your facility because it can be easily picked. In this post, I want to focus on ways a particular device can be physically locked. Switch controls cover up on/off switches so that important hardware is not powered off by accident or when it not supposed to be off. Slot locks are used to make sure that pieces of hardware stay in the same physical location. Port controls are used to prevent the unauthorized use of disk drives or other ports such as a USB port. Peripheral switch controls are used to make sure that items such as keyboards as mouse are not taken away from where they are supposed to be. Another method to do this is called cable traps, which lock up the device's cable so that it cannot be removed from its station.

Chapter 5: Physical and Environmental Security - Protecting Assets

To protect against potential power issues, there are a few best practices that all organizations should use to prevent fires, blackouts, or data loss. Surge protectors prevent excessive current and should be used whenever possible. When shutting down equipment, a process should be in place to ensure that machines are powered off properly and orderly. This is essential for devices to be protected from voltage changes that disorderly shut down can cause. Voltage and amplitude should always be monitored, and unauthorized access to breakers and transformers should always be prevented. When it comes to potential water damage, positive drains should be implemented. This term means that the flow of water should always be directed outside. To add to this, fire protection and proper ventilation should also be used to successfully protect a company's computerized assets.

Chapter 5: Physical and Environmental Security - Designing a Physical Security Program

To design a proper physical security program, all aspects of your physical surroundings should be surveyed and assessed. This goes for everything; an obvious example would be the construction material of walls. A more obscure or less obvious example would be the vehicle activity outside of the building. It is also very important to understand how a certain facility is used, identify potential vulnerabilities, and decide what the best ways are to protect against these vulnerabilities. For example, if you have a building that houses some of your company's servers in an area that has high burglary rates, it might be a good idea to have security systems within the actual building as well as security guards within the actual building. The person that is in charge of making sure an organization's physical assets are protected is known as the facility safety officer. A person in this position should understand what physical components make up a facility and discover the best ways to protect it while staying in compliance with regulations.

Chapter 5: Physical and Environmental Security - Developing A Plan

When developing a physical security plan, there are five goals that an organization to look to achieve. First off, crime prevention should be addressed by having physical deterrents in place. Some examples of these are fences, guards, and waring signs. Second, delaying mechanisms should be implemented if the perpetrator gets past your primary line of defense. Some examples here would be having locks, inside security personnel, or other barriers. Next, you must include detectors inside the buildings if your organization such as detectors that can sense motion and others that detect physical disasters such as fires and floods. Fourth, if an incident does occur, certain personnel should be responsible for assessing the damage that has been done. Lastly, a proper response plan should be in place to assist in the mitigation process of the infiltration.

Chapter 5: Physical and Environmental Security - Overview

Physical security is just as important as all of the other types of security that has been previously discussed. There are various physical threats that companies face when it come to protecting the hardware on which companies' systems run. Proper countermeasures to physical threats should be in place in order to keep an organization's assets safe. Without physical security, there would be no need for all of the other types of information security. The threats to physical security are as follows:

Natural environmental threats: Any natural disaster including fires. (Tornadoes, floods, etc.)

Supply system threats: Anything that could disrupt the system such as lack of power and water and gas leaks.

Manmade threats: Employee errors, physical theft of hardware, vandalism.

Politically motivated threats: terrorist attacks, strikes, riots.

When it comes to physical security, protecting human life is the first priority above anything else. Referred to as life safety.

Chapter 4: Security Architecture and Design - Final Notes

I want to hit a few key concepts near the end of chapter 4 here. Fist of all, the difference between certification and accreditation. Certification is a technical evaluation that can lead to accreditation. Accreditation is a formal acceptance of system security. Next, the difference between an open system and a closed system. Open systems follow standards and published specs. Closed, on the other hand, do not follow specific, industry standards. In other words, it is proprietary, and there might be room for more advanced security. Systems will always have flaws, bugs, and "open doors". Hackers are always trying to identify these imperfections and exploit them. The book puts it a good way. No matter how many laws and improvements society makes, there are always going to be cops and robbers. In the same sense, there are always going to be hackers that will try to get into systems.

Chapter 4: Security Architecture and Design - Systems Evaluation Methods

Trusted Computer Systems Evaluation Criteria (TCSEC) - used to evaluate products, apps, and operating systems. Developed by the US Department of Defense.

These criteria are published in what is known as the "Orange Book". Used for customers to compare different products, as well as for manufacturers so that they have direct access to specs used to build. It os broken down into seven different categories:

-Security Policy
-Identification
-Labels
-Documentation
-Accountability
-Life-cycle Assurance
-Continuous protection

*Moving to Common Criteria instead of the Orange Book, but Orange Book is still important

Trusted Network Interpretation (TNI) - a.k.a. the "Red Book". Discusses the eval. of security of networks and what makes up the network. Compares how things really work compared to how they should theoretically. Includes:

-Communication integrity
-Denial of service prevention
-Compromise protection

Chapter 4: Security Architecture and Design - Security Modes of Operation

A mode of operation are conditions under which the system is allowed to function. Systems can use different modes depending on what is going on in the system. The four modes are outlined below.

Dedicated Security Mode - When all uses are able to access all data being processes within a system. Users have normally signed a non-disclosure  agreement in this one.

System High Security Mode - All users have the need to know about some of the data, not every bit of it.

Compartmented Security Mode - Every user can access some data, but only based on a need to know or if they go through a formal access approval process.

Multilevel Security Mode - Users can only get to the data that they have explicitly cleared to access. Bell-LaPadula model is good example that uses this mode.

Chapter 4: Security Architecture and Design - Security Models

A security policy was discussed in my previous post. Basically, it is a plan to implement required security. The security model describes the do's and font's that will accomplish what the security policy has outlines. There are many different models used for security. I will focus on that that I felt were interesting. The first is the Biba model. Bia is concerned with the integrity of data within applications. There are three rules that this model follows: no "write up", no "write down", and subjects can't get service from a higher integrity. Another important concept in this model is that dirty data should not be mixed with clean data. The Brewer and Nash model lets access control change at dynamic level, according to what the user has done in the past. It is based upon information flow. No subject-object interaction that is conflicting is allowed.

Chapter 4: Security Architecture and Design - System Security Architectures

Everything that should be captured in a security policy (tool that shows how info is secured and protected) is listed below straight from the CISSP exam guide. I felt the need to include this list here as a visual for potential study notes in case I want to someday take the exam, as I feel they are important enough to reiterate.

1. Acces control based OS id discretionary
2. Role based access control is provided
3. Data can be classified public and confidential or private
4. No unauthorized access allowed
5. Separation of duties is enforced
6. Auditing is capable of being performed
7. Trusted paths are there for activity processing
8. Identification, authentication, and authorization are used properly
9. Capability based authentication methodology is used
10. No covert channels allowed
11. Contains integrity on files that are considered critical

Multi-Level Security policy - Subject security >= object classification

Chapter 4: Security Architecture and Design - OS Architectures

There are five different OS Architectures discussed in the study guide. The first is monolithic, where all OS procedures run in kernel mode. Next is the layered architecture, where the processes run in kernel mode, but in addition, implement a hierarchical model. In the microkernel architecture, only core processed run in kernel mode. The remainder of the processes run in in what is known as user mode. The final OS architecture discussed in the CISSP exam guide is the Hybrid microkernel. In this architecture, all operating system processes run in kernel mode, but core process have a specified microkernel or run within a client/server model.

Important to note that there days the terms monolithic OS and monolithic kernel are used in the industry interchangeably.

Chapter 4: Security Architecture and Design - Input/Output Device Management and CPU Architecture

Different methods for carrying out I/O are listed below. After the I/O list,  I will discuss basic CPU architecture from a high level.

Programmed - CPU sends data to a device, and then waits to see if the device is ready for the next bit of data. Can waste a lot of time.

Interrupt-driven - Book puts this one in nice wording: send character -> go do something else -> interrupt -> send another character.

DMA - Direct memory access. Does not even use the CPU. Uses a controller instead. Really speeds up I/O.

Premapped - Deals with security. OS trusts the device to behave properly. CPU does not control interactions. Could be a problem.

Fully Mapped - Also deals with security pertaining to I/O. OS does not trust device interaction with memory directly.

In CPU architecture, lower level ring process are more trusted.
Level 0 - OS Kernel
Level 1- OS
Level 2 - OS Utilities and File System Drivers
Level 3 - Other Applications

Chapter 4: Security Architecture and Design - Memory Types

For this section of chapter 4, I want to discuss the various types of Random Access Memory (RAM). Prior to this reading, I was not aware that so many different types existed. With Dynamic RAM, it must be continually refreshed so that the capacitor does not lose its electrons and become corrupt. Since all of this refreshing has to take place, it is slower than static RAM. Static RAM does not have to refresh all of the time, which in turn makes it faster. However, more transistors are required in order to use it. After these two basic types of RAM there are four more. Synchronous DRAM which connects with the CPU so that the timing is right, which in turn makes executing data faster. Extended data out DRAM allows the next bit of data to get ready while the current data is being sent to the CPU. I kind of like to refer to this as "On Deck RAM". Just like a batter in baseball is preparing to step into the batter's box as the current batter is hitting. Burst EDO DRAM does exactly what it sounds like. It is capable of sending bursts of data. A type of RAM that can double the speed of SDRAM is called Double data rate SDRAM. It carries out two operations per clock cycle.

Chapter 4: Security Architecture and Design - Operating System Components Part 2

The memory manager is the part of the OS that keeps track of how memory is allocated and used. Below is a summary its five responsibilities.

1) Relocation - contents of RAM go to the HD and give pointers to apps when needed.

2) Protection - Allows process to interact only with memory assigned to it and gives access control to memory.

3) Sharing - Implements controls when various processes have to access the same memory segments and allows different application users access when the app is running in one segment of memory.

4) Logical Organization - Segment memory types abstractly and allows sharing between software mods.

5) Physical Organization - Segment physical space for applications or OS processes.

I seem to always get the two of these mixed up. Here is a reminder:
RAM - place where data can be temporarily held.
ROM - Nonvolatile.  Data is still help in chips when the computer is turned off.

Chapter 4: Security Architecture and Design - Operating System Components Part 1

A process is a program that is in memory that can be executed. When more than one process is interleavedly executed at one time, it is referred to as multiprogramming. Similarly, when more than one process is simultaneously executed, it is referred to as multitasking. There are three states a specific process can be in within a computer system: ready, running, and blocked. Ready means that the process is waiting on input, running means that it is currently being executed by the CPU, and blacked means that there is one or more impediments that are keeping the process from running. Interrupts within an operating system are important because they make running process more efficient by using a method known as time slicing. To carry out activities within the OS, threads are created by processes. One the activity is complete, the thread is destroyed. Sometimes, a software deadlock occurs. This is consequence of two process waiting on computer resources simultaneously.

Chapter 4: Security Architecture and Design - Computer Architecture

A computer architecture are all parts of a computer system that make it functional, including all hardware, software, and interfaces. The components that make up a computer are below, and this will be helpful since I am not all that familiar with what the hardware actually does in a computer

CPU (Central Processing Unit) - fetches instructions form memory and processes these instructions

ALU (Arithmetic Logic Unit - where the actual execution takes place.

Control Unit - Manages the system while multiple processes are taking place.

General Register - Holds variables and temporary results as the ALU is working.

Program Counter - Contains the address of the instructions to be fetched next.

Special Register - Holds PSW, counters, and stack pointers.

PSW - Holds conditions and determines whether the computer should be in user mode or privilege mode.

Address Bus - connection between RAM chips and I/O devices.

Data Bus - Used to transmit data during processes.

Chapter 4: Security Architecture and Design - Overview

ISO/IEC 42010:2007

Architecture - How a system and its components are organized and the way that they interact with one another. Also the principles used to design it and how it is improved.

Architectural Description - Documents that formally describe a system architecture.

Stakeholder - A person, group, or company that have interests in a system.

View - Represents a whole system to a particular stakeholder

Viewpoint - A template in order to develop a certain view by taking into consideration who the view is being produced for. Analysis and techniques used to produce a view are also included

Chapter 3: Access Control - Threats to Access Control

There is more of a risk from attacks with the organization than from outside of the organization. A dictionary attack is designed to steal passwords. All passwords should be encrypted and never stored in clear-text. Brute force attacks are where a hacker uses many different input to reach their goal. A successful countermeasure for these types of attacks might be to use an IDS that scans for this type of malicious activity. Spoofing is also a technique used by hackers, in which the hacker presents a fake logon screen to a user in order to obtain user information. Attackers user phishing to lure for data by tricking users into clicking links and directing them to dangerous websites. Email is a popular tool hackers often use for phishing. A way to help prevent attacks is threat modeling, which tries to uncover who might want to attack the organization and how they might attack. Instead of trying to fix access control, the organization uncovers ways the current controls could be attacked. There are two types of identity theft. True name, where thieves use personal information of others to open new accounts, and account-takeover, where they use obtained info to gain access to a user's existing accounts.

Chapter 3: Access Control - Access Control Practices

These practices insure that the the level of access control that you have set stays at the same level as originally designed. You should be careful when reusing an object. All old info that is stored on an object should be deleted before the object is used to assess new subjects. This ensures that info is not disclosed to individuals and systems that should not have access to the old subject data. TEMPEST is a standard that suppresses electrical signals that devices emit to prevent others from having access to these signals. This tech is expensive, so it is usually only used in highly sensitive areas. Intrusion detection is a practice used to mitigate hacks. If the IDS suspects something, it notifies the proper parties immediately. There are three types of IDS. Signature-based, Anomaly-based, and Rule-based.

Chapter 3: Access Control - Accountability

It is a must to track all use within a system. This way, the person that is responsible for wrong-doing can be held accountable for their actions. To keep from overloading an audit log, an audit reduction tool can be used to help spot suspicious activity. It gets rid of info that was recorded such as redundant task information. SEM and SIEM systems provide analysis for audits. To protect audio data, write-once media is often utilized within organizations. An auditing tool that is very in depth is keystroke monitoring. Each key a user hits is recorded! Usually this only needs to be implemented for a short period of time in order to help uncover suspicious activity.

Chapter 3: Access Control - Access Control Methods

Again, access control can be broken down into three broad categories of controls. Administrative, Physical, and Technical. I will elaborate on a couple of methods of each category that I find interesting below.

Administrative
Supervisory structure - Each employee within an organization must report to someone above them, and that superior must be responsible for their employees actions. The idea is that there is a vested interest in employee actions.

Testing - All controls must be tested on a periodic basis to see if they are working the way they should be. Because change is constant in technology, it is a must to test regularly. Management should be responsible for this and make sure it is done properly.

Physical
Network segregation - Only allowing certain individuals the ability to gain physical access to certain parts of the system. For example only network admins should be allowed access to networking hardware and others should only have physical access to their workstations.

Cabling - All cables should be out of the way so that they are not exposed to potential danger. Also. protective sheaths should be used to deter electrical interference.

Technical
Network Architecture - Should be segregated physically and logically. Physically by walls and location of hardware and logically by controlling communication in segments.

Auditing - Tracks network activity on devices. Used to inform the administrator of any fishy activity that might be going on within the network.

Chapter 3: Access Control - Access Control Administration

After a model is chosen, and the techniques and technologies are in place, an organization must decide how they want to administer access. Centralized access control administration is that one individual (rather it be one person or department) has the role of giving access to all of the resources in the organization. A couple of protocols for this that the study guide outlines are listed below.

RADIUS - Remote Authentication Dial-in User Service. A network protocol that authenticates and authorizes on the client/server and keeps a watch on remote users. ISPs use this to allow customers access to the internet. Uses UDP as its transport protocol.

TACACS -  Terminal Access Controller Access Control System. Uses TCP as its transport protocol. Used if more advanced authentication is necessary. One example would be corporate networks.

Chapter 3: Access Control - Access Control Techniques and Technologies

After determining the framework that will be used for access control, it is then appropriate to decide appropriate techniques, along with the technology, to support the chosen framework. The first technique is called rule-based access. It is kind of like an if statement in object oriented programming. If a certain condition is true, then the subject can access objects within the predefined rules. Another technique would be a restricted interface, which limits a user's access to objects as the name implies. Access that is context based looks at situations rather than being only based on identity. Content based access makes decisions based on data. One that is really straightforward is the compatibility table. The subject shows what objects and operations the subject can access. The same is true for an access control list. Another technique that is related to the latter but not completely the same is the matrix. It is a table that shows subject object relationships.

Chapter 3: Access Control - Access Control Models

Access control models are frameworks that allow subjects access objects. I described what a subject and an object is relating to access control in a previous post. A couple of key terms in this section that are worth reiterating are DAC and MAC, where the AC in there abbreviations stand for access control. The first letter of each of there is where their difference comes into play. DAC allows a resource owner to determine which subjects can access specific objects. MAC does not allow owners this discretion. MAC is a lot more strict than DAC in that a MAC system is used for an explicit purpose and nothing more. A third framework after used is role-based (RBAC) in which a central controls are set to determine subject-object interaction.

Chapter 3: Access Control - Authorization

After appropriate authentication has taken place, the next step to access control is authorization. This step is important once the user has gained access to the system, to make sure that that they should be there. Roles, groups, location, and time of day are often used to grant authenticated users authorization. This section of the study guide also goes into more detail about single sign on technologies. They are:

Kerberos - Utilizes tickets and a KDC. Deals with symmetric key cryptography.
SESAME - Utilizes PAS and PACs, both systemic and asymmetric cryptography.
Security domains - Managed by the same group and the same security policies.
Directory services - Access control maintained centrally and resources are standardized.
Thin clients - Relies on a central server for access control, processing, and storage.

Chapter 3: Access Control - Other Identification Methods

There are a few methods is this section of the exam guide that are somewhat self explanatory and I have heard of them before. I want to elaborate on a few that I am not so familiar with or that I have never heard of before by definition. The first is a method known as password hashing. Salts are used in order to add more complexity to add more randomness to the process of encrypting the authentication technique. Hashing makes it a lot harder for a hacker to get to the correct format of the system that implements this technique of identification. Another technique that I have never had the chance use in a real life situation for authentication and identification are the use of cards to gain access to systems. There is one main difference here concerning cards. Memory cards cannot process information whereas smart cards can.

Chapter 3: Access Control - Identity Management Solutions Part 2

This is a follow up to my previous post concerning the six technologies relating to identity management. The first three were described in a previous post, and the next three are examined below.

Legacy single-sign on- Commonly abbreviated to SSO. Idea behind this one is that a user only has to  authenticate once to access information while not having to re-authentencate while in that environment.

Account management- Deals with the delegation of user accounts. Create accounts for all systems, modify privileges, and getting rid of the accounts whenever it comes to point in time in which a specific account is no longer needed.

Profile update- Basically refers to the fact that more than a name is used for an individual profile. A lot of info about the user should be captured. When this collection is associated with a user, it is called a profile. The data for profiles should be centrally located.

Chapter 3: Access Control - Identity Management Solutions Part 1

This post is part one of a two part post. I will identify and briefly describe the technologies that a person who wants take the CISSP exam should be aware of relating to identity management. There are six total. I will describe three here, and the other three will be examined in my following post.

Directories- Usually follow a hierarchical database format that keep track of network resources and users.

Web access management- Controls what users can view and do when utilizing a web-browser to interact with organization or company assets.

Password management - Three technologies that you should be aware of:
1. Password Synchronization - Allows users to use one password for many systems.
2. Self-Service Password Reset - Allows users to reset their own passwords
3. Assisted Password Reset - Includes other forms of authentication for a password reset such as tokens or biometrics.

Chapter 3: Access Control - Overview Part 2

When dealing with access control, it is important to realize what the three main things are that can be used for authentication. The three keywords here are knows, is, and has. These keywords correlate to authentication by knowledge, by ownership, and by characteristic. A couple of other ideas that should stand out from this section is the idea of strong authentication. All these means is that the authentication process has to contain nit one, but two of the identification characteristics described above.

Chapter 3: Access Control - Overview Part 1

As this chapter opened, I immediately noticed that there was one key concept that I need to comprehend in order to understand the remainder of the chapter. First off, Access Controls are features of security that will determine how users and systems are going to interact with one another. Access means how a subject and an object will share info. A subject is the part that is requesting access, whereas the object is what is actually being accessed. The book also puts it this way; subjects are active and objects are passive. The three main principles of security that were discussed in chapter two are expanded on a bit. A little more about them relating to chapter three:

Availability - resources must be able to be accessed in a secure and timely manner.

Integrity - prevent resources from being changed in a malicious manner or accidentally.

Confidentiality - info cannot be disclosed to individuals or other systems that are not  authorized to view or change it.

I felt the need to reiterate these three principles of security because of their importance.

Chapter 2: IS Governance and Risk Management - Layers of Responsibility

Most of these terms in this section of chapter two I have heard of, but did not understand their role when it comes to security. There is a link below that I found that would be extremely helpful while studying for this portion of the CISSP exam.

http://www.cram.com/flashcards/cissp-layers-of-responsibility-personnel-security-2644286

This site provides descriptions of each of the roles that apply to information security in a flashcard format.

In a nutshell, each role is an important piece to maintaining security within an organization. Some need to be clearly defined from the start in order to implement a successful security effort. Also, rotation of these duties can be helpful when attempting to uncover fraudulent activities.

Chapter 2: IS Governance and Risk Management - Information Classification

Table 2-11 in book helpful for in-depth descriptions. Below is a basic view. 1 = most sensitive.

Commercial Businesses:
1. Confidential - if it got out could seriously effect the company
2. Private - potentially hurt the company
3. Sensitive - extra precautions to avoid accidental modification or deletion
4. Public - Still do not want it disclosed, but not at all detrimental

Military:
1. Top secret - could cause grave damage to national security
2. Secret - if disclosed, leads to security breach
3. Confidential - no one should no about it except people who need to
4. Sensitive but unclassified - minor security breach
5. Unclassified - No sensitive data here

These are just common models of information classification. There could be a lot of variance here depending on the company. Even whole systems should sometimes be classified, not just data. These classifications should exist no matter what form the data is in. Whether it's electronic, on paper, etc. it should all be treated in the same manner.

Chapter 2: IS Governance and Risk Management - Policies, Standards, Baselines, Guidelines, and Procedures

Security Policy -  What role security has in an individual organization. Usually in the form of a statement made by upper management. There are a few different ones. Organizations specific, issue specific, and system specific.

Standards - Directions and mandatory actions within an organization. Really helpful in defining expected user behavior of a system.

Baselines - Used to determine when future changes should be made. A good example is showing the minimum level of protection that should be used in a system.

Guidelines - To me, these are best practices. They are more flexible than explicit standards.

Procedures - Detailed steps to help attain a goal. Companies have a myriad of procedures and steps to get certain things done. Often used in configuration and installation of systems.

All of theses are often in place for auditing purposes. Employees should be informed and aware of all of these in order to be effective.

Chapter 2: IS Governance and Risk Management - Risk Handling

I was fairly familiar with the terms used in this portion of chapter two because I took a risk management class earlier in my college career. Basically, companies have various methods of handing risk available to them such as avoidance, transfer, mitigation, and acceptance. Each method has various costs associated with it. Risk transfer is the safest, but it is improbable that every single risk needs to be transferred. Avoidance is the easiest to use in my opinion, but you cannot always avoid every single aspect of a risk. This is where mitigation comes into play. The company will introduce measures to reduce the risk. A firewall is a good example of mitigation. Acceptance merely means that the risk is simply just dealt with and nothing to protect against it is used. If a risk is accepted, it is usually a small risk with not very many negative consequences associated with it. If the loss is not that big of a deal and the countermeasure is considerably more expensive than the loss, then this risk handling measure would be used.

Chapter 2: IS Governance and Risk Management - Risk Analysis Approaches

Two approaches exist in analyzing risk: quantitative and qualitative. Basically quantitative deals with number calculations while qualitative is a little less logical. It is more focused on opinions and a rating system and the opinions of those conducting the analysis. Equations are associated with the quantitative side. The equations are on page 87 of the study guide. On the qualitative side, scales are often used. As with everything else, there are pros and cons to using each of these approaches. The two that stood out most to me are as follows. Qualitatively, standard do not exist. Different companies use different ways and scales to interpret results. Quantitatively, the calculations can be extremely complicated. Every person involved may not be able to understand what goes into each risk evaluation.

Chapter 2: IS Governance and Risk Management - Risk Assessment Methodologies

In this post, I want to outline the risk methodologies presented in the book. Each will be paired with a brief description about them as well as what their abbreviations stand for.

NIST -  "Risk Management guide to Information Technology Systems". Mostly used for computer systems and IT security issues.

FRAP - Facilitated Risk Analysis Process. Only focus on the risks that need the most attention. Goal is to save time and money. Only to be used to analyze one thing at a time.

OCTAVE - Operationally Critical Threat, Asset, and Vulnerability Evaluation. Used to look at all systems within an organization.

FMEA - Failure Modes and Effect Analysis. Uncovers flaws and the effects of these flaws.

CRAMM - Central Computing and Telecommunications Agency Risk Analysis and Management Method. This is the most generic approach in that it covers everything in risk analysis.

Chapter 2: IS Governance and Risk Management - Risk Assessment and Analysis

A risk assessment is used to identify risks and their potential impact. After completing it, it will help an organization identify where they need to put in security controls. It also helps with prioritization of the identified risks, and shows the analysis team which risks should be dealt with first. The third major thing that risk analysis accomplishes is that it will show a company what resources and how much of a particular resource should be used to protect against individual identified risks. Four main goals exist in information security risk analysis. First, you have got to identify your assets and what value they bring to the company or organization. Next, you find out what your potential threats are. After that you figure out what the probability of each of the threats occurring is. Finally you calculate what the cost of protecting against the threat will be, and determine if it is worth the resources you put in to protect each asset.

One term that I found while reading the section that I though was interesting was project sizing. I do not recall ever learning about this, so I thought it would be helpful to put it here...it simply means determining which assists and threats should be looked at prior to initiating risk analysis.

Chapter 2: IS Governance and Risk Management - Risk Management

Risks are everywhere. There is absolutely no such thing as no risk in any area of life. When it comes to information systems security, risks can be broken down into 7 main categories.

1. Physical damage
2. Human interaction
3. Equipment malfunction
4. Inside and outside attacks
5. Misuse of data
6. Loss of data
7. Application error

In order for a fitting risk management plan to be in place from a security standpoint, each of these categories must be analyzed. Then, potential damage should be calculated. Of course, you never really know how much damage not managing a certain risk will have on your organization until something bad actually occurs. The main objective here is to identify which risks are potentially more damaging, and then take precautions in that order.

Chapter 2: IS Governance and Risk Management - Security Frameworks

The thing that I found the most interesting in this section of chapter two is the difference between enterprise and system architectures. I had never really thought about the similarities and differences of the two before reading this section and I feel as if it is pretty important to understand. Enterprise architecture is generally centered around an organization's structure. On the other hand, system architecture has to do with software and computing. I had been using these two terms kind of synonymously. Although they are not exactly the same thing, one supports the other in a direct fashion. Basically, an application for a business cannot be designed without first knowing how the business works and what the company wants the system to do. This is how the two architectures are intertwined, but are not the same thing like I had originally thought.

Chapter 2: IS Governance and Risk Management - Controls

There are three major control types: administrative, technical, and physical. Administrative controls (a.k.a. soft controls)  are mostly management oriented. Common examples include security documentation, risk management, and training. Technical controls usually have to do with software and hardware. My two favorite examples of there types of controls are encryption and firewalls because I am familiar with both of these. Physical controls are exactly what they sound like. Security guards, cameras, locks and high fences with barbed-wire are examples of this last type of control.

The 6 control functionalities are as follows (most are self explanatory):
-Deterrent
-Preventative
-Corrective
-Recovery
-Detective
-Compensating -- Alternative control that provides similar protection as the original

Important for all controls to work together. If they do not do so in an effective manner, or if they contradict each other, security gaps will be prevalent.

Chapter 2: IS Governance and Risk Management - Security Definitions

I feel as is the best way for me to summarize this section of chapter two is to basically define all of the terms. This will be helpful if I ever decide to actually take the CISSP exam, as these security terms will be here for me to view.

1.) Vulnerability - No measure to counter potential attacks, or an inferior countermeasure is in place.
2.) Threat - Danger that is associated with a vulnerability.
3.) Threat Agent - An entity that takes advantage of a vulnerability.
4.) Risk - The probability of a threat agent exploiting a vulnerability and the associated impact.
5.) Control - Something that is put in place to reduce a risk. Also known as a countermeasure.
6.) Exposure - When a vulnerability is present that might expose one or more threats to an organization.

Figure 2-1 in the text gives a great graphical representation of how all of the above terms are connected and how they relate to one another.

Chapter 2: IS Governance and Risk Management - Fundamental Principles of Security

There are three main objectives of security.
- Integrity
-Availability
-Confidentiality

Integrity from a security perspective means that there is assurance that information provided by the system is reliable and accurate. This also means that modification that is unauthorized, or not supposed to happen, is prevented.


The second main objective, availability, means that authorized users are able to access their data and resources in a timely manner. Proper precautions should be in place that will prevent outsiders from affecting availability of data and resources.

Confidentiality refers to the goal of only allowing authorized individuals the ability to view and edit parts of the system that they should see. It should prevail while data is hanging out in a system, being moved around, as well as when it is received by another person or system.

All three are of equal importance and sort of "feed" off one another.

CISSP Study Guide - Chapter 1

During the fall semester 2014, I will be involved in a directed study that is focused on Security and Governance. The study is centered around eventual understanding of concepts related to information security, and my study group will use a CISSP exam guide as the backbone of the study. I have never been exposed to information security in depth, so I am excited to have the opportunity to broaden my knowledge of this topic. At the end of the semester, I want to be able to comprehend what IT professionals are saying when discussing security. As of now, the security aspect of information systems is probably my weakest point. This course will help me better understand the terms used by IS professionals, and hopefully I will get to the point in which I can have security-related discussions with others in my industry. If I find IS security interesting, this course will also assist me in beginning a security career path. After obtaining the CISSP exam guide, I quickly realized that there is much more than I thought that goes into this topic. Ten separate domains is a lot to learn, and the book is massive. At the end of the chapter 1, I wrote down my answers for the pre-quiz.....I didn't do so well. I am confident that that at the conclusion of the study I will be able to go back and take the pre-quiz again and do much better. I look forward to next week as we really get started studying the world of information security.