Administrative Controls
Mile2 All rights reserved.
Virus
A piece of code that requires a host application to reproduce itself
Virus types
Macro virus: easy to create because of the simplicity of the macro language
Boot sector virus: malicious code inserted into the disk boot sector
Compression virus: when decompressed, it initializes
Stealth virus: hides its footprints and the changes it has made
Polymorphic virus: makes copies and then changes those copies in some way; uses a mutation engine
Multipartite virus: infects both boot sector and file system
Self-garbling virus: modifies its own code to elude detection
Worm
Can reproduce on their own, different to a virus
Self-contained programs
Logic bomb
An event triggers the execution of specific code
Trojan horse
Program disguised as another program
Useful program that contains hidden code exploiting the authorization process, enabling it to violate security
DDoS Attack Tools
Denial of service
Tying up resources on a computer so it cannot respond to valid requests
Can be distributed and amplified by using other systems to commit the attack - distributed denial-of-service (DDoS)
Masters and zombies
Ingress filtering: does not allow packets in with internal source addresses
Egress filtering: does not allow packets to leave with external source addresses
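The two anti-spoofing rules above reduce to one decision over a packet's direction and its source address. The following is an added example written for this page, not Mile2 course material: the internal prefix 10.0.0.0/8 and the sample source addresses are constructed for illustration, and the checker fails closed (drops) on an address it cannot parse.

```c
/* Ingress/egress anti-spoofing filter (added example, not from the slides).
   Internal prefix 10.0.0.0/8 and all sample packets are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

enum direction { INBOUND, OUTBOUND };
enum verdict   { PERMIT, DROP };

/* Parse dotted-quad IPv4 text into a host-order 32-bit value; 0 on success.
   The trailing %c catches junk after the fourth octet. */
static int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* True if addr falls inside network/prefix_len. */
static int in_prefix(uint32_t addr, uint32_t network, unsigned prefix_len) {
    uint32_t mask = prefix_len == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix_len);
    return (addr & mask) == (network & mask);
}

/* Ingress rule: a packet arriving from outside must not claim an internal source.
   Egress rule:  a packet leaving must carry an internal source.
   Anything unparsable is dropped rather than guessed at. */
int filter(enum direction dir, const char *src_ip,
           uint32_t internal_net, unsigned internal_prefix) {
    uint32_t src;
    if (parse_ipv4(src_ip, &src) != 0) return DROP;
    int internal = in_prefix(src, internal_net, internal_prefix);
    if (dir == INBOUND && internal) return DROP;    /* spoofed internal source */
    if (dir == OUTBOUND && !internal) return DROP;  /* spoofed external source */
    return PERMIT;
}

/* Wrapper bound to the constructed internal prefix 10.0.0.0/8. */
int filter_default(enum direction dir, const char *src_ip) {
    return filter(dir, src_ip, 0x0A000000u, 8);
}

int main(void) {
    /* Constructed sample packets: direction plus claimed source address. */
    struct { enum direction dir; const char *src; } samples[] = {
        { INBOUND,  "203.0.113.7" },   /* external source arriving: permit */
        { INBOUND,  "10.1.2.3" },      /* internal source arriving: drop   */
        { OUTBOUND, "10.1.2.3" },      /* internal host leaving: permit    */
        { OUTBOUND, "198.51.100.9" },  /* external source leaving: drop    */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = filter_default(samples[i].dir, samples[i].src);
        printf("%s %-14s -> %s\n", samples[i].dir == INBOUND ? "in " : "out",
               samples[i].src, v == PERMIT ? "PERMIT" : "DROP");
    }
    return 0;
}
```

The same function serves both rules because they are mirror images: the only input that changes is which side of the boundary the packet is on. A real border device applies this per interface, which is what "in with internal source" and "leave with external source" describe.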

http://www.owasp.org/index.php/Buffer_Overflow

Buffer Overflows - Overview


Many people know that buffer overflows take place when too much data is accepted as an input
value, which in turn writes over specific memory segments. A buffer can be overflowed with too
much data, but for it to be of any use to an attacker the code that is inserted into the buffer must be
of a necessary length followed up by commands the attacker wants to be executed. So a buffer
overflow can take place where arbitrary data is shoved into various memory segments, or a
carefully crafted set of data can be pushed in that will accomplish a specific task like giving an
attacker an open command shell with administrative privilege.
Let's take a deeper look at how this is accomplished. When software is written to accept data
(which can come from a user, web site, database, or another application) something needs to
happen to this data. It has been input for some type of manipulation or calculation, or will be used
as a parameter passed to a procedure. The procedure is the code that will carry out the
necessary functions on the data and return the result back to the requesting software.
When a programmer writes a piece of software that will accept data, a variable has to be
constructed to hold it. The variable, and the data within it, needs to have a place to reside in
memory. The programmer must allocate this memory space, which is referred to as a buffer. A
buffer is a contiguous segment of memory that holds several instances of the same type of data.
You can think of a buffer as a small bucket to hold water (variable that holds data). We have
several of these small buckets stacked on top of one another (memory stack) and if too much
water is poured into the top bucket, it spills over into the buckets below it (buffer overflow).
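The bucket analogy maps directly onto a fixed-size stack buffer. The following added example (not code from the original material) puts the unchecked copy pattern the text describes next to a bounds-checked version that refuses input it cannot hold. The 16-byte buffer size and the sample inputs are constructed; the unchecked function is kept only for comparison and is never called with oversized input here, since that would be the undefined behaviour the text warns about.

```c
/* Fixed-size buffer handling: unchecked copy beside a bounds-checked copy.
   Added example, not from the original material; buffer size and inputs are constructed. */
#include <stdio.h>
#include <string.h>

#define BUCKET 16   /* the "bucket": room for 15 characters plus the NUL terminator */

/* Length of s, scanning at most limit bytes (portable stand-in for strnlen). */
static size_t bounded_len(const char *s, size_t limit) {
    size_t n = 0;
    while (n < limit && s[n] != '\0') n++;
    return n;
}

/* VULNERABLE PATTERN: strcpy copies until it finds a NUL, so any input of BUCKET
   or more bytes writes past the end of buf onto whatever lies beyond it on the
   stack. Kept for comparison only; never called with oversized input in this program. */
void store_unchecked(const char *input) {
    char buf[BUCKET];
    strcpy(buf, input);
    printf("unchecked stored: %s\n", buf);
}

/* HARDENED: copy only if the input fits, terminator included.
   Returns 0 on success, -1 if the input was rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src) {
    size_t n = bounded_len(src, dst_size);
    if (n >= dst_size) return -1;   /* would spill over the bucket */
    memcpy(dst, src, n + 1);        /* n bytes plus the NUL */
    return 0;
}

/* Same shape as store_unchecked, but refuses what it cannot hold. */
int store_checked(const char *input) {
    char buf[BUCKET];
    if (copy_checked(buf, sizeof buf, input) != 0) return -1;
    printf("checked stored:   %s\n", buf);
    return 0;
}

int main(void) {
    const char *fits     = "fifteen chars!!";   /* 15 bytes: fits with its NUL */
    const char *too_long = "sixteen chars!!!";  /* 16 bytes: no room for the NUL */
    store_unchecked(fits);   /* safe only because the caller already knows the length */
    store_checked(fits);
    if (store_checked(too_long) != 0)
        printf("rejected %zu-byte input (buffer holds %d)\n",
               strlen(too_long), BUCKET - 1);
    return 0;
}
```

The check is on the destination size, not the source: `bounded_len` never reads past `dst_size` bytes of the input either, so a source string missing its terminator cannot make the check itself over-read.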

E-Mail Links

Cross-Site Scripting Attack
Many websites use JavaScript, frames, cookies, CGI scripts, and SSL
With this much complexity, there are bound to be security holes
Attacker slips in through an interface of how these technologies interface and communicate
Advanced Attacks
Measuring power consumption, radiation emissions, or the time it takes for certain types of data processing
Power attack reviews the amount of heat that is released
Has worked against many smart cards
In 1995, RSA private keys were uncovered by measuring the relative time cryptographic operations took
Instead of just watching inputs and outputs, look at the time it took or the power it used to complete the action
Analogy = noninvasive biological experiment
Watch an organism - what it eats, when it sleeps, how long it takes to carry out specific tasks
No reason to kill it by cutting it open for research purposes
Patch management
Configuration management
Security Administrator
Implements and maintains security devices and software
Carries out security assessments
Creates and maintains user profiles
Implements and maintains access control mechanisms
Configures and maintains security labels in MAC environments
Best if this is a different role than a network administrator
The security administrator should not report to the network administrator!
Should report to a security officer
Separate chains of command should exist to avoid conflicts of interest
Implementation and maintenance
Updating virus signatures
Virus Detectors from NIST

All organizations are at risk of "contracting" computer viruses, Trojans and worms if they are
connected to the Internet, use removable media (e.g., floppy disks and CD-ROMs), or use
shareware/freeware software. The impact of a virus, Trojan, or worm can be as harmless as a pop-up
message on a computer screen, or as destructive as deleting all the files on a hard drive. With
any malicious code, there is also the risk of exposing or destroying sensitive or confidential
information.
There are two primary types of anti-virus programs available: those that are installed on the network
infrastructure and those that are installed on end-user machines. Each has advantages and
disadvantages, but the use of both types of programs is generally required for the highest level of
security.
The virus detector installed on the network infrastructure is usually installed on mail servers or in
conjunction with firewalls at the network border of an organization. Server based virus detection
programs can detect viruses before they enter the network or before users download their e-mail.
Another advantage of server based virus detection is that all virus detectors require frequent
updating to remain effective. This is much easier to accomplish on the server-based programs due
to their limited number relative to client hosts.

Set thresholds for recording

Change Control
Performed after a change has been approved through a change control process
Ensures that the changes to production systems are done properly
Ensures that changes do not take place unintentionally or unknowingly
Security issues
Identifying, controlling, accounting for, and auditing changes made to the baseline
Ensure that changes do not bypass or disable security measures
Documentation and maintenance of documents pertaining to system and software changes
Reflects changes in contingency plans
Contingency Planning from NIST

The modern networked computing environment brings significant challenges to the development of
contingency plans. Networked computing has changed the scope and focus of what has traditionally
been a local issue. Contingency planning is designed to reduce the consequences of any loss of
data or infrastructure. Contingency planning enables organization personnel to restore critical IT
functions and connectivity rapidly, effectively, and safely. The contingency plan defines the
procedures, resources, tasking, and information required for performing recovery actions in
response to a broad range of events. A well-executed and tested contingency plan also gives
confidence that critical resources will be available when needed and facilitates an organization's
continuity of operations in an emergency situation. The plan is a living document that must be
updated regularly to reflect changes to the system's configuration and operations. Additional
information on contingency planning is provided in NIST SP 800-34, Contingency Planning Guide
for Information Technology Systems. This guide discusses various contingency plans that will help
sustain and recover critical IT services following an emergency.
The contingency plan should address, at a minimum, the following five main components:
supporting information, notification/activation, recovery, reconstitution, and supporting appendixes.

Fault-Tolerance Mechanisms
RAID
Disk duplexing
Disk shadowing (mirroring)
Software checkpointing
Redundant servers
Clustering
Backups
Dual backbones
Redundant power
Mesh network topology instead of star, bus, or ring
Disk shadowing (mirroring): uses one disk controller; the controller is the single point of failure
Disk duplexing: backup device has more than one disk controller; the controller is not the single point of failure
Software checkpointing: if the system experiences a glitch, then system state data is used to try and recover state and user data
System Configuration

Real-time, or near real-time, backups
Usually used for critical databases
Electronic vaulting technology
Frequency of backup depends upon how often data changes
Backing up of ...
Data
Software products
Databases
Utility programs
Facsimile Security
Goals of the assessment
Evaluates the true security posture of an environment
Identifies as many vulnerabilities as possible
Tests how systems react to certain circumstances and attacks
Written agreement from management
Protects the tester
Ensures there are no misunderstandings
Explaining testing ramifications
Vulnerable systems could be knocked offline
Production could be negatively affected
Results from test are just a "snapshot in time"
As the environment changes, new vulnerabilities can evolve

Security Testing from NIST


There are several different types of security testing. The following section describes each testing
technique, and provides additional information on the strengths and weaknesses of each. Some
testing techniques are predominantly manual, requiring an individual to initiate and conduct the test.
Other tests are highly automated and require less human involvement. Regardless of the type of
testing, staff that set up and conduct security testing should have significant security and networking
knowledge, including significant expertise in the following areas: network security, firewalls,
intrusion detection systems, operating systems, programming and networking protocols (such as
TCP/IP).

From: Special Publication 800-42, Guideline on Network Security Testing, p. 21
Penetration Testing from NIST


Penetration testing is security testing in which evaluators attempt to circumvent the security
features of a system based on their understanding of the system design and
implementation. The purpose of penetration testing is to identify methods of gaining
access to a system by using common tools and techniques used by attackers.
Penetration testing should be performed after careful consideration, notification, and
planning.
Penetration testing can be an invaluable technique to any organization's information security
program. However, it is a very labor-intensive activity and requires great expertise to
minimize the risk to targeted systems. At a minimum, it may slow the response time of the
organization's networks due to network scanning and vulnerability scanning.
Furthermore, the possibility exists that systems may be damaged in the course of
penetration testing and may be rendered inoperable, even though the organization
benefits in knowing that the system could have been rendered inoperable by an
intruder. Although this risk is mitigated by the use of experienced penetration testers, it
can never be fully eliminated.
Since penetration testing is designed to simulate an attack and use tools and techniques
that may be restricted by law, federal regulations, and organizational policy, it is
imperative to get formal permission for conducting penetration testing prior to starting.
This permission, often called the rules of engagement, should include:

Penetration Testing
Goal is to carry out activities as the enemy would
Usually using the same toolset as most hackers
Identifies vulnerabilities and exploits them
Only way to gauge if the vulnerability is real and to what degree
Ethical hacker should have same access as a normal user
Carries out many activities
Password capturing and cracking
War dialing
War driving
More, depending upon the customer's request
Protection Mechanism - Honeypot
Usually placed in a DMZ
Must not be connected to internal network
Sacrificial lamb system on the network
The goal is that hackers will attack this system instead of production systems
Can gather data for possible prosecution
It is enticing because many ports are open and services are running
Could be just emulating services
Social Engineering
Characteristics
Convincing people that you are authorized to access sensitive data
Skillful lying with the goal of obtaining information
Kevin Mitnick's attack of choice
Examples:
Spoofing e-mail
Impersonating a repair person to gain access to segments in the facility
Calling an administrator impersonating a user who needs his password
Calling users and impersonating the administrator to have them give out or change passwords
Impersonating a law enforcement agent inquiring about certain security defenses or recent violations
Degaussing
Machine that works as a large magnet
Returns electrons to their original state, meaning the polarization of electrons is changed
Returning magnetic flux to initial state or zero
Zeroization
Software tool that writes NULL values continually over media
Government use requires tool to write NULL values over media 7 times
Physical destruction
If media cannot be properly erased any other way
Data Leakage - Keystroke Logging
Physical loggers
Connector between keyboard and computer
Holds all data that user types in
Attacker plants logger and retrieves it at a later
TEMPEST
U.S. government started a study on how data can be leaked and captured through electrical signals
TEMPEST went from a study to a standard for equipment vendors
Equipment has a metal mesh to reduce the device's radiation
Faraday cage
TEMPEST equipment is expensive and specialized
Selling and purchasing this type of equipment is highly controlled by the government
White noise
A device that emits a uniform spectrum of random electrical signals
Makes it more difficult for attacker to decipher real data from bogus data
Jams signals being continually sent