Académique Documents
Professionnel Documents
Culture Documents
1. Access Controls
2. Administration
3. Audit and Monitoring
4. Risk, Response, and Recovery
5. Cryptography
6. Data Communications
7. Malicious Code
Modified version of original study guide by Vijayanand Banahatti (SSCP)
Table of Content
1.0 ACCESS CONTROLS...... 03
2.0 ADMINISTRATION ... 07
3.0 AUDIT AND MONITORING...... 13
4.0 RISK, RESPONSE, AND RECOVERY....... 18
5.0 CRYPTOGRAPHY....... 21
6.0 DATA COMMUNICATIONS...... 25
7.0 MALICIOUS CODE..... 31
REFERENCES........ 33
Example
Passwords, personal identification numbers (PIN), pass phrases,
mother's maiden name, fave sports team etc
Proximity cards, Identification tokens, Keys,
Identification badges, Passports, certificates, transponders, smart
cards etc.
Fingerprints, Signatures, Eye characteristics, Facial
characteristics, Voiceprints, DNA.
These three types of authentication types can be combined to provide greater security. These combinations are called
factors of authentication. (Two factor or three factor)
Access Rights and Permissions: The owner of the data should decide any rights and permissions for a specific
account. The principle of least privilege will be used here to grant all the rights and permissions necessary to an
account to perform the required duties, but not more than required or needed.
Monitoring: The changes to accounts, the escalation of privileges should be logged and should be constantly
monitored for security.
Removable Media Security: Any removable media from the system can be the vulnerability. All removable
media should be restricted or controlled in some manner to provide for the best possible system security.
Management of Data Caches: Access control is not only for users - any type of information which is on the
system needs to be considered - e.g. temporary data caches (pagefile, dr watsons, .tmp files etc)
Detective
Corrective
Description
Polices for preventing the vulnerabilities from getting exploited.
E.g. patching policy, background checks, data classification,
separation of duties etc
This type of policy is implemented to know when an attack is
occurring. E.g. IDS, log monitoring etc
Policies that address immediate correction action, after the
vulnerabilities getting exploited. These policies include disaster
recovery plans, emergency restore procedures, password lockout
threshold etc.
Formal Models:
1. Biba
First formal model to address integrity. The Biba model bases its access control on levels of integrity. It
consists of three primary rules.
1. A subject at a given integrity level X can only read objects at the same or higher integrity levels - the
simple integrity axiom.
2. A subject at integrity level X can only write objects at the same or lower integrity levels - the * (star)
integrity axiom.
3. A subject at integrity level X can only invoke a subject at the same or lower integrity levels.
2. Clark/Wilson
This model is similar to Biba, as it addresses integrity. Protecting the integrity of information by focusing on
preventing authorized users from making unauthorized modifications of data, fraud, and errors within
commercial applications.
It uses segregation of duties or separation of duties. The principle of segregation of duty states no single
person should perform a task from beginning to end, but that the task should be divided among two or more
people to prevent fraud by one person acting alone. This ensures the integrity of the access control object by
securing the process used to create or modify the object.
3. Bell/LaPadula
This formal model specifies that all access control objects have a minimum-security level assigned to it so
that access control subjects with a security level lower than the security level of the objects are unable to
access the object. The Bell-LaPadula formal model only addresses confidentiality. It is what the MAC
model is based on. Bell-LaPadula also formed the basis of the original "Orange Book".
Note: Bell-LaPadula does not address integrity or availability. Remember: No read up / No write down.
ORANGE BOOK: Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) book
or the Orange book. Orange book requires that the system to be configured as standalone.
Division
A: VERIFIED PROTECTION
B: MANDATORY PROTECTION
C: DISCRETIONARY PROTECTION
D: MINIMAL PROTECTION
Level
A1
B1
B2
B3
C1
C2
None
Definition
Verified Protection/Design
Labeled Security Protection
Structured Protection
Security Domains
Discretionary Security
Controlled Access Protection
Minimal Protection Security - Evaluated and failed
RED BOOK: Is in 2 parts Trusted Network Interpretation of the TCSEC and Trusted Network
Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation. The
guidelines within this book are as strict as the Orange book itself, but it is designed to work with networked
environments.
Note: The Orange book does NOT address integrity.
1.3.4 Access Control Methodologies
Centralized access control: All access control queries being directed to a central point of authentication.
This type of system allows for a single point of administration for the entire access control system.
Decreases the administrative effort, but also raises costs. Implementation more difficult. Example: Kerberos,
Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access Control
System (TACACS), TACACS+ (allows encryption of data).
Decentralized access control:
Access control system is not centralized to a single computer system or group of systems. Offers the
advantage of providing for access control system functionality in cases where connectivity to a centralized
access control system is difficult. Difficult to maintain a decentralized access control system compared to a
centralized access control system. Some examples of this are a Windows workgroup where every member of
the workgroup handles access control, or a database system that handles its own authentication.
systems use private keys, and a Kerberos server must have copies of all keys on it, which requires a
great deal of physical security. It allows for cross-platform authentication.
Kerberos has a Key Distribution Center (KDC) which holds all keys and provides central authentication
services. It uses time-stamping of it tickets to help ensure they are not compromised (i.e. non-repudiation)
and an overall structure of control called a realm. Because of the time-stamping it is important that clocks
of systems are synchronized. Susceptible to replay attacks if ticket is compromised within an allotted time
frame.
The Authentication Service (AS) is the part of the KDC that authenticates clients. The Ticket Granting
Service (TGS) makes the tickets and issues them to clients.
User Logon process:
1. User identifies themselves and presents their credentials to the KDC (password, smart card etc)
2. The AS authenticates the credentials.
3. The TGS issues a Ticket Granting Ticket (TGT) that is associated with the client token.
The TGT expires when the user ends their session (disconnects/logs off ) and is cached locally for the
duration of the session.
Resource Access process:
As above then
4. The TGT is presented to the KDC along with details of remote resource the client requires access to.
5. The KDC returns a session ticket to the client.
6. The session ticket is presented to the remote resource and access is granted.
Note: Kerberos does NOT address availability.
2.0 ADMINISTRATION
2.1 Security Administration Principles
Authorization
Identification and
Authentication
Accountability
Non-repudiation
Least privileges
Data Classification
A process through which an access control subject is authenticated and identified, the
subject is authorized to have a specific level or type of access to the access control object.
Identification works with authentication, and is defined as a process through which the
identity of an object is ascertained. Identification takes place by using some form of
authentication.
Accountability within a system means that anyone using the system is tracked and held
accountable or responsible for their actions. Example: Authentication audit trail or log,
privilege elevation audit trail or log.
Non-repudiation is an attribute of communications that seeks to prevent future false denial
of involvement by either party. Non-repudiation is consequently an essential element of
trust in e-business.
The principle of least privilege states that a user should be given enough access to the
system to enable him/her to perform the duties required by their job. Elevated levels of
access should not be granted until they are required to perform job functions. Owners of
the information in a system are responsible for the information and are the appropriate
authority for authorizing access level upgrades for the system users under their control.
The primary purpose of data classification is to indicate the level of confidentiality,
integrity and availability that is required for each type of information. It helps to ensure
that the data is protected in the most cost-effective manner. The data owner always
decides the level of classification.
Military
Top Secret
Secret
Confidential
Sensitive but
unclassified
Unclassified
2.
3.
4.
5.
6.
7.
security clearance that authorizes their access. Although all users have access, they may not have
a need to know for all the information because there are various levels of information
classification. The levels of information classification are clearly labeled to make it clear what the
access requirements are. All users can access SOME data, based on their need to know.
2.8.2 Compartment Mode
Proper clearance required for THE HIGHEST LEVEL of information on the system. All users that
have access to the system must have a security clearance that authorizes their access. Each user is
authorized to access the information only when a need to know requirement can be justified. A strict
documentation process tracks the access given to each user and the individual who granted the access.
All users can access SOME data, based on their need to know and formal access approval.
9
based on their need to know, formal access approval and clearance level.
In addition, there are several system security architecture concepts that may be applied:
2.8.4 Hardware Segmentation
Within a system, memory allocations are broken up into segments that are completely separate from
one another. The kernel within the operating system controls how the memory is allocated to each
process and gives just enough memory for the process to load the application and the process data. Each
process has its own allocated memory and each segment is protected from one another.
2.8.5 Trusted computing base
Is defined as the total combination of protection mechanisms within a computer system. Includes
hardware, software and firmware. Originated from the Orange Book.
Security perimeter: Defined as resources that fall outside of TCB. Communication between trusted
components and un-trusted components needs to be controlled to ensure that confidential information
does not flow in an unintended way.
Reference monitor: Is an abstract machine (access control system), which mediates all access that
subjects have to objects to ensure that the subjects have the necessary access rights and to protect the
objects from unauthorized access and destructive modification. Compares access level to data
classification to permit/deny access.
Security kernel: Made up of mechanisms (h/w, s/w, firmware) that fall under the TCB and implement
and enforce the reference monitor. At the core of TCB and is the most common approach to building
trusted systems. Must be isolated from the reference monitor.
2.8.6 Data Protection Mechanisms
Layered design: Layered design is intended to protect operations that are performed within the kernel.
Each layer deals with a specific activity: the outer layer performs normal tasks (least trusted) and the
inner layer more complex and protected (most trusted) tasks. Segmenting processes like this mean that
untrusted user processes running in the outer layers will not be able to corrupt the core system.
Data abstraction: Data abstraction is the process of defining what an object us, what values it is
allowed to have, and the operations that are allowed against the object. The definition of an object is
broken down to its most essential form leaving only those details required for the system to operate.
Data hiding: Data hiding is the process of hiding information available to one process level in the
layered model from processes in other layers. Data hiding is a protection mechanism meant to keep the
core system processes safe from tampering or corruption.
10
Baselines
Guidelines
Procedures
Is a general statement written by senior management to dictate what type of role security plays
within the organization - it also provides scope and direction for all further security.
Specifies how hardware/software products are to be used. Provide a means to ensure that
specific technology, applications, parameters and procedures are carried out in a uniform way.
These rules are usually compulsory within a company and they need to be enforced.
Provides the minimum level of security necessary throughout the organization.
Are recommended actions and operational guides when a specific standard does not apply.
Are step-by-step actions to achieve a certain task.
Data Custodian
User
Ultimately responsible for security of the organization and the protection of its assets.
Functionally responsible for security and carries out senior managers directives.
Is usually a member of management and is ultimately responsible for the protection
and use of data. Decides upon the classification of the data. Will delegate the
responsibility of the day-to-day maintenance of the data to the data custodian.
Is given the responsibility of the maintenance and protection of the data.
Any individual who routinely uses the data for work-related tasks. Must have the
necessary level of access to the data to perform the duties.
Non-disclosure agreements
Job rotation
Makes sure that one individual cannot complete a risky task by herself. More
than one person would need to work together to cause some type of destruction
or fraud and this drastically reduces its probability of exploitation.
To protect the company if /when an employee leaves for one reason or another.
No one person should stay in one position for a long period of time because it
can end up giving too much control to this one individual.
11
12
Recovery
2. Determine the
existing controls
in place and the
risk profile
3. Conduct
compliance testing
4. Conduct
substantive testing
5. Determine the
materiality of
weaknesses found
6. Present findings
13
System Events provide triggers that are captured in the audit trail and used to demonstrate a pattern of
activity. The following are examples of events tracked:
- Admin/operator actions
- Resource access denials
- Resource access approvals
Sampling and Data Extraction is done when there is no original data available. In this case, the
administrator would have to use collection techniques such as interviews or questionnaires to extract
the data from a group of respondents. Data sampling allows them to extract specific information. This is
most often used for the detection of anomalous activity.
Retention periods indicate how long media must be kept to comply with regulatory constraints. The
key question is "how long is long enough"? Largely depends on regulatory/compliance issues.
3.2.5 Security Auditing Methods
The auditing methods should be well documented, and proven to be reconstructable if required. The
frequency of review depends on the type and importance of audit. The security audit report should
highlight all the findings and recommendations whenever required. The following are two types of
methods that are commonly used for security audits.
Penetration testing (p.201): Classified as proactive security audit, by testing security controls via
a simulation of actions that can be taken by real attackers.
When preparing for a penetration test, a list of attacks that will take place has to be generated or
mapped. This list of attacks can be likened to an audit checklist. A responsible penetration test
requires careful coordination and planning to minimize the likelihood of negative impact to an
organization.
14
A penetration test is the authorized, scheduled and systematic process of using known
vulnerabilities and exploiting the same in an attempt to perform an intrusion into host, network,
physical or application resources.
The penetration test can be conducted on internal (a building access or Intranet host security
system) or external (the company connection to the Internet) resources. It normally consists of
using an automated and manual testing of organization resources. The process includes.
-
Checklist Audit (p.198): Standard audit questions are prepared as template and used for a wide
variety of organizations (e.g. SPRINT).
If an auditor relies on the checklist too much and does not perform his or her own verification of
related details based on observations unique to the environment, a major security flaw could go
unnoticed. The same is true of software tools that automate the audit process and/or check for
security vulnerabilities (see CAATs below).
Other types of security audit methods are war-dialing (to see if there are any open modems),
dumpster diving (to test the effectiveness of the secure disposal of confidential information),
social engineering (to test employees security behaviour) and war-driving (looking for unsecured
wireless access points)
3.2.6 Computer Assisted Audit Tool (CAAT)
A CAAT is any software or hardware used to perform audit processes. CAATs can help find errors,
detect fraud, identify areas where processes can be improved and analyze data to detect deviations from
the norm.
The advantage of using CAATs is the automation of manual tasks for data analysis. The danger of
using them is reliance on tools to replace human observation and intuition. Auditors should use
CAATs to exhaustively test data in different ways, test data integrity, identify trends, anomalies, and
exceptions and to promote creative approaches to audits while leveraging these tools.
Some example of (mainframe based) CAATs are: EZTrieve, CA-PanAudit, FocAudit and SAS. PC's
can also be used for spreadsheet/database programs for auditing or a Generalize Audit Software (GAS)
tool can be used to perform these audit functions - e.g. Integrated Development Environment Applicatin
(IDEA)
3.2.7 Central Logging Facility (CLF)
A CLF helps ensure that audit and system logs are sent to a secure, trusted location that is separate and
non-accessible from the devices that are being monitored.
A CLF can collect and integrate disparate data from multiple systems and help determine a pattern of
attack through data correlation. It can also reveal discrepancies between remote logs and logs kept on a
protected server - in this way it may detect log tampering.
15
Keystroke Monitoring is a process whereby computer system administrators view or record both the keystrokes
entered by a computer user and the computer's response during a user-to-computer session.
Traffic analysis allows data captured over the wire to be reported in human readable format for action.
Trend analysis draws on inferences made over time on historical data (mostly traffic). Can show how an
organization increases or decreases its compliance to policy (or whatever is being audited) over time.
Event Monitoring provides alerts, or notification, whenever a violation in policy is detected. IDSs typically
come to mind, but firewall logs, server/app logs, and many other sources can be monitored for event triggers.
Closed Circuit Television (CCTV) will monitor the physical activity of persons
Hardware monitoring is carried out for fault detection and software monitoring for detecting the illegal
installation of software.
Alarms and signals work with IDS. An alarm allows an administrator to be made aware of the occurrence of a
specific event. This can give the administrator a chance to head off an attack or to fix something before a
situation gets worse. These notifications can include paging, calling a telephone number and delivering a
message, or notification of centralized monitoring personnel
Violation Reports are used extensively in monitoring an access control system. This type of report basically
shows any attempts of unauthorized access. This could simply be a list of failed logon attempts reported. Also
see Clipping Levels p. 17
Honeypots are deliberately kept by the organizations for studying attackers' behavior and also in drawing
attention away from other potential targets.
Misuse detectors analyze system activity, looking for events or sets of events that match a predefined
pattern of events that describe a known attack. Sometimes called "signature-based detection." The most
common form of misuse detection used in commercial products specifies each pattern of events
corresponding to an attack as a separate signature
Intrusion Detection Systems (IDS) provide an alert when an anomaly occurs that does not match a predefined
baseline or if network activity matches a particular pattern that can be recognized as an attack. There are two
major types of intrusion detection:
- Network-based IDS (NIDS) which will sniff all network traffic and report on the results.
- Host-based IDS (HIDS) which will operate on one particular system and report only on items affecting that
system. Intrusion detection systems use two approaches:
Signatures based identification
(aka knowledge-based)
- Detect known attacks
- Pattern matching
- Similar to virus scan
Anomalies identification
(aka statistical-anomaly based or behaviour abased)
- Looks for attacks indicated through abnormal behavior.
- The assumption here is that all intrusive events are considered anomalies.
- A profile of what is considered normal activity must be built first.
16
Spoofing: Spoofing is a form of attack where the intruder pretends to be another system and attempts to
provide/obtain data and communications that were intended for the original system. This can be done in several
different ways including IP spoofing, session hijacking, and Address Resolution Protocol (ARP) spoofing.
Man In The Middle Attacks: Performed by effectively inserting an intruders system in the middle of the
communications path between two other systems on the network. By doing this, an attacker is able to see both
sides of the conversation between the systems and pull data directly from the communications stream. In
addition, the intruder can insert data into the communications stream, which could allow them to perform
extended attacks or obtain more unauthorized data from the host system.
Spamming attacks: Spamming or the sending of unsolicited e-mail messages is typically considered more of an
annoyance than an attack, but it can be both. It slows down the system, making it unable to process legitimate
messages. In addition to that mail servers have a finite amount of storage capacity, which can be overfilled by
sending a huge number of messages to the server, thus effectively leading to DoS attack on the mail server.
Sniffing: The process of listening/capturing the traffic going across the network either using a dedicated device
or a system configured with special software and a network card set in promiscuous mode. A sniffer basically sits
on the network and listens for all traffic going across the network. The software associated with the sniffer is
then able to filter the captured traffic allowing the intruder to find passwords and other data sent across the
network in clear text. Sniffers have a valid function within information technology by allowing network analysts
to troubleshoot network problems, but they can also be very powerful weapons in the hands of intruders.
3.4 TEMPEST
TEMPEST is the U.S. government codename for a set of standards for limiting electric or electromagnetic
radiation emanations from electronic equipment such as microchips, monitors, or printers. It helps ensure that
devices are not susceptible to attacks like Van Eck Phreaking.
17
Vulnerability: Weakness in an information system that could be exploited by a threat agent (e.g. software bug).
Threat: Any potential danger, which can harm an information system - accidental or intentional (e.g. hacker).
Risk: Is the likelihood of a threat agent taking advantage of vulnerability.
Risk = Threat x Vulnerability
Exposure: An instance of being exposed to losses from a threat agent.
Assets: The business resources associated with the system (tangible and intangible). These will include:
hardware, software, personnel, documentation, and information communication etc. The partial or complete loss
of assets might affect the confidentiality, integrity or availability of the system information.
Controls: Put in place to reduce, mitigate, or transfer risk. These can be physical, administrative or technical (see
p. 4). They can also be deterrent, preventive, corrective or detective (see p. 14).
Safeguards: Controls that provide some amount of protection to assets.
Countermeasures: Controls that are put in place as a result of a risk analysis to reduce vulnerability.
Risk Mitigation: The process of selecting and implementing controls to reduce the risk to acceptable levels
Note: Risks can be reduced, accepted, managed, mitigated, transferred or deemed to require additional analysis.
18
COBRA
OCTAVE
NIST Risk
Assessment
Methodology
(SP800-30)
Delphi techniques involve a group of experts independently rating and ranking business risk for
a business process or organization and blending the results into a consensus. Each expert in the
Delphi group measures and prioritizes the risk for each element or criteria.
'Consultative, Objective and Bi-functional Risk Analysis'. It is a questionnaire PC system using
expert system principles and extensive knowledge base. It evaluates the relative importance of
all threats and vulnerabilities.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a risk-based
strategic assessment and planning technique for security.
Step 1.System Characterization
Step 5.Likelihood Determination
Step 2.Threat Identification
Step 6.Impact Analysis
Step 3.Vulnerability Identification
Step 7.Risk Determination
Step 4.Control Analysis
Step 8.Control Recommendations
Step 9.Results Documentation
19
Best evidence:
Secondary:
Direct:
20
5.0 CRYPTOGRAPHY
Cryptography: Science of secret writing that enables you to store and transmit data in a form that is available
only to the intended individuals.
Cryptosystem: Hardware or software implementation of cryptography that transforms a message to ciphertext
and back to plaintext.
Cryptoanalysis/Cryptanalysis: Recovering plaintext from ciphertext without a key or breaking the encryption.
Cryptology: The study of both cryptography and cryptoanalysis.
Ciphertext: Data in encrypted or unreadable format.
Encipher: Converting data into an unreadable format.
Decipher: Converting data into a readable format.
Cryptovariable (key): Secret sequence of bits (key) used for encryption and decryption.
Steganography: The art of hiding the existence of a message in a different medium (e.g. in jpg, mp3 etc)
Key Escrow: The unit keys are split into two sections and given to two different escrow agencies to maintain.
How the plain-text is
processed
Algorithms used or
number of keys used.
Key clustering = When a plaintext message generates identical ciphertext messages using the same
transformation algorithm, but with different keys.
Secure message format: Entire message encrypted by the receivers public key - only the receiver can decrypt
the message using his/her own private key, thus ensuring confidentiality. [This is the normal method]
Open message format: Entire message encrypted by the senders private key - anyone can decrypt the message
using the sender's public key, but they can be sure that the message originated from the sender.
Secure and signed format: Signed by the senders private key and entire message encrypted with the receiver's
public key. Only the receiver can decrypt the message using his/her own private key, thus ensuring
confidentiality. By signing the message with the sender's private key, the receiver can verify its authenticity
using the sender's public key. [Most secure]
21
International Data Encryption Algorithm (IDEA): 128-bit key is used. Block cipher operates on 64 bit blocks
of data. The 64-byte data block is divided into 16 smaller blocks and each has eight rounds of mathematical
functions performed on it. Used in PGP.
Skipjack: Used for electronic encryption devices (hardware). This makes it unique since the other algorithms
might be implemented in either hardware or software. SkipJack operates in a manner similar to DES, but uses an
80-bit key and 32 rounds, rather than 56-bit keys and 16 rounds (DES).
Blowfish: A block cipher that works on 64-bit blocks of data. The key length can be up to 448 bits and the data
blocks go through 16 rounds of cryptographic functions.
RC4/5: A block cipher that has a variety of parameters it can use for block size, key size and the number of
rounds used. Block sizes: 32/64/128 and key size up to 2048 bits.
Symmetric system
One key for encryption and decryption
Out of band
Speed
Key length
Practical Use
Security
Faster algorithm
Fixed key length
For encryption of large files
Confidentiality and integrity
Asymmetric system
Two keys, one for encryption another for decryption
Symmetric key is encrypted and sent with message; thus, the
key is distributed by inbound means
More complex and slower (resource intensive)
Variable key length
For key exchange (secret key) and distribution of keys
Confidentiality, integrity, authentication and non-repudiation
22
HAVAL: Is a variable length one-way hash function and is the faster modification of MD5. Processes
text in 1024-bit blocks. HAVAL compresses a message of arbitrary length into a digest of 128, 160,
192, 224 or 256 bits. In addition, HAVAL has a parameter that controls the number of passes a message
block (of 1024 bits) is processed. A message block can be processed in 3, 4 or 5 passes.
Hash Salting: Refers to the process of adding random data to the hash value. Many hashes have weaknesses or
could be looked up on a hash lookup table (if the table were big enough and the computer fast enough). Salting
the hash negates this weakness. Cryptographic protocols that use salts include SSL.
traffic encryption.
Provides data encryption, server authentication, message integrity and client authentication. Keeps the
communication path open until one of the parties requests to end the session (use TCP). Lies beneath the
application layer and above the transport layer of the OSI model. Originally developed by Netscape - version 3
designed with public input. Subsequently became the Internet standard known as TLS (Transport Layer
Security). If asked at what layer of OSI SSL operates, the answer is Transport.
SET - Secure Electronic Transaction: System for ensuring the security of financial transactions on the Internet.
Mastercard, Visa, Microsoft, and others supported it initially. With SET, a user is given an electronic wallet
(digital certificate) and a transaction is conducted and verified using a combination of digital certificates and
digital signatures in a way that ensures privacy and confidentiality. Uses some but not all aspects of a PKI. SSH:
Used to securely login and work on a remote computer over a network. Uses a tunneling mechanism that
provides terminal like access to computers. Should be used instead of telnet, ftp, rsh etc.
IPSec (Internet Protocol Security): A method of setting up a secure channel for protected data exchange
between two devices. Provides security to the actual IP packets at the network layer. Is usually used to establish
VPN. It is an open, modular framework that provides a lot of flexibility. Suitable only to protect upper layer
protocols. IPSec uses two protocols: AH and ESP.
23
AH (Authentication Header): Supports access control, data origin authentication, and connectionless
integrity. AH provides integrity, authentication and non-repudiation - does NOT provide confidentiality.
ESP (Encapsulating Security Payload): Uses cryptographic mechanism to provide source
authentication (by IP header), confidentiality and message integrity.
IPSec works in two modes:
1.
Transport mode: Only the payload of the message is encrypted. (for peer-to-peer)
2.
Tunnel mode: Payload, routing and header information is encrypted. (for gateway-to-gateway)
of the other, issuing a public-key certificate to that other CA, enabling users that are certified under
different certification hierarchies to validate each other's certificate
Note: A key is renewed at or near the end of key's lifetime, provided none of the information has changed. If any
information used to issue the key changes it should be revoked and a new key issued.
Certificate Revocation List (CRL): A list of every certificate that has been revoked for whatever reason. This
list is maintained periodically and made available to concern parties. CRL's are usually based on an LDAP server.
Registration authority (RA): Performs the certification registration duties. A RA is internal to a CA and
provides the interface between the user and the CA. It authenticates the identity of the users and submits the
certificate request to the CA.
PKI provides confidentiality, access control, integrity, authentication and non-repudiation. PKI enabled
applications and standards that rely on PKI include SSL, S/MIME, SET, IPSec and VPN.
24
Application
6
5
OSI
Application
Presentation
Session
Transport
Transport
Internet
3
2
Network
(packets)
Datalink (frame)
Physical (bits)
Network
Description
Provides different services to the applications (HTTP, FTP, Telnet, SET,
HTTP-S). Provides non-repudiation at application level.
Converts the information (ASCII, JPEG, MIDI, MPEG, GIF)
Handles problems which are not communication issues (PPP, SQL,
Gateways, NetBEUI)
Provides end to end communication control (TCP, UDP, TLS/SSL)
Routes the information in the network (IP, IPX, ICMP, RIP, OSPF, IPSec,
Routers)
Provides error control between adjacent nodes (Ethernet, Token Ring,
FDDI, SLIP, PPP, RARP, L2F, L2TP, PPTP, FDDI, ISDN, 802.11,
switches, bridges)
Connects the entity to the transmission media (UTP, coax, voltage
Levels, signaling, hubs, repeaters) converts bits into voltage for
transmission.
The session layer enables communication between two computers to happen in three different modes:
1. Simplex: Communication takes place in one direction.
2. Half-duplex: Communication takes place in both directions, but only one system can send information at a time.
3. Full-duplex: Communication takes place in both direction and both systems can send information at a time.
Datalink (Layer 2) primarily responsible for error correction at the bit-level
Transport (layer 4) primarily responsible for error correction at the packet level
Note: The IP header contains a protocol field. Common values are 1=ICMP 2=IGMP 6=TCP 17=UDP
TCP Handshake:
1. Host sends a SYN packet 2. Receiver answers with a SYN/ACK packet 3. Host sends an ACK packet
UDP: Is a best-effort and connectionless oriented protocol. Does not have packet sequencing, flow and
congestion control and the destination does not acknowledge every packet it receives. There are fewer overheads
in UDP packet.
TCP and UDP use port numbers of 16-bit length
Remember, only TCP is connection-oriented (IP is NOT)
25
6.4 Cabling
Coaxial Cable: Resistant to EMI (electromagnetic interference), provides a higher bandwidth and longer cable
lengths compared to twisted pair. Can transmit using both baseband and broadband methods. 10base2: ThinNet,
coax cable, maxlength 185m, provides 10 Mbps. 10base5: Thicknet, coax cable, maxlength 500m, provides 10
Mbps
Twisted pair: Cheaper and easier to work with than coaxial cable and is a commonly used cable. Shielded
twisted pair (STP - 2 wires) has an outer foil shielding, which is added protection from radio frequency
interference. Unshielded twisted pair (UTP - 4 wires) has different categories of cabling with varying
characteristics. The physical connector used to connect PCs and network devices, is called an RJ-45. 10base-T:
Uses twisted-pair wiring, provides 10 Mbps, max length 100m.
Fast Ethernet: Uses twisted-pair wiring, provides 100 Mbps.
Fiber-optic cabling: It has higher transmission speeds that can travel over longer distances and is not affected by
attenuation and EMI when compared to cabling that uses copper. It is used to connect two LANs. It does not
radiate signals like UTP cabling and is very hard to tap into. The complexity of making connections using fiber is
one of its major drawbacks and also it is expensive.
26
Broadcast: A packet goes to all computers on its subnet. Broadcast transmission is supported on most LANs,
and may be used to send the same message to all computers on the LAN (e.g. the address resolution protocol
(ARP) uses this to send an address resolution query to all computers on a LAN). The data is sent to a special
broadcast address. Network layer protocols (such as IP) also support a form of broadcast which allows the same
packet to be sent to every system in a logical network.
6.6.1 LAN access methods
Carrier-Sense Multiple access and collision detection (CSMA/CD): Monitors the
transmission/carrier activity on the wire to determine the best time to transmit data. Computers listen
for the absence of a carrier tone, which indicates that no one else is transmitting date at the same time.
Collisions can still happen, but they are detected and the information re-sent.
Token passing: A 24-bit control frame used to control which computers communicate at what
intervals. The token grants a computer the right to communicate. Do not cause collisions because only
one computer can communicate at a time, which has the token.
Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA): Instead of detecting collision
it tries to avoid them by having each computer signal its intention to transmit before actually
transmitting. Although CSMA/CA avoids collisions (guaranteed) there is an additional overhead from
each workstation broadcasting its intention prior to transmitting by sending a jam signal. Thus,
CSMA/CA is slower than CSMA/CD. CSMA/CA is used on Apple Talk networks and also in wireless.
6.7 Networks
Local Area Network (LAN)
Spans a relatively small geographical area. Most LANs are confined to a single or group of buildings. Network
Interface Card (NIC) connects computers. Two types of LAN (1) Wired LAN and (2) Wireless LAN
Wide Area Network (WAN)
LANs connected together over distance via telephone lines/radio waves/fibre. High-speed dedicated networks
(leased lines or point to point network). Secured WANs can be created using IPSec.
Metropolitan Area Network (MAN)
Similar to WAN - MANs are high-speed communication lines and equipment covering a metropolitan area.
Intranet: A network belonging to an organization, usually a corporation, accessible only by the organization's
members, employees, or others with authorization (Private network). Intranets are used to share information.
Internet: A global network connecting millions of computers (global interconnection of LAN, WAN, and
MAN). Internet is decentralized by design. Each Internet computer, called a host, is independent.
Extranet: An Intranet that is partially accessible to authorized outsiders. An extranet provides various levels of
accessibility to outsiders, very popular means for business partners to exchange information.
27
Physical Layer
(OSI Layer 1)
Bridge
Switches
Routers
Network Layer
(OSI Layer 3)
Screenedsubnet
6.12 Protocols
Internet Protocol (IP): See previous (p.25)
Transmission Control Protocol (TCP): See previous (p.25)
User Datagram Protocol (UDP): See previous (p.25)
NetBios Extended User Interface (NetBEUI): It is an enhanced version of the NetBIOS protocol used by
network operating systems such as LAN Manager. NetBIOS works at layer 5 (Session).
28
29
Starts with
0-127 (128)
128-191 (64)
192-223 (32)
224-239 (16)
30
Worm
Trojan Horses
Logic bomb
Is program or piece of code, which has been loaded without permission, it can hide itself, can
reproduce itself, and can attach to any other program. Virus will try to do
undesirable/unwanted things.
A program, which can replicates itself over a computer network and usually performs
malicious actions.
A destructive program, which has been inserted inside an apparently harmless program. This
program can do the intended function in foreground as well as undesirable function in the
background.
A logic bomb is a program, or portion of a program, which lies dormant until a specific piece
of program logic or system event is activated. If the specific logic is fulfilled then it will
generally perform security-compromising activity.
7.2 How malicious code can be introduced into the computing environment
-
Network attacks: Trying to get the username and password by brute forcing or dictionary attack. After
successful exploitation introducing virus file or malicious code.
Spoofing (masquerading): Sending email that appears to have originated from one source when it actually
was sent from another source.
Alteration of authorized code and introducing malicious code.
Email Spamming or bombing: sending email to hundreds or thousands of users with attached virus file.
Active-X: Set of platform independent technologies developed by Microsoft that enable software
components to interact with one another in a networked environment. This functionality of Active X
components can be exploited by malicious mobile code.
Mobile code: Code that can be transferred from a system to another system to be executed (i.e. Java,
ActiveX etc)
Trap doors: mechanism, which is intentionally built often for the purpose of providing direct access.
Hidden code or hardware device used to circumvent security controls.
7.3 Mechanisms that can be used to prevent, detect malicious code attacks
Generally anti-virus software program will be used in combination with Scanning, Integrity Checking and
Interception. You should also try to ensure:
31
32
References
International Information Systems Security certification Consortium (www.isc2.org)
The CISSP and SSCP Open Study Guide Web site (www.cccure.org)
CERT Coordination Center (www.cert.org)
NIST CSRC (www.csrc.nist.gov)
Google (www.google.com)
Tom Sheldons Linktionary.com (www.linktionary.com)
Online Computer Dictionary for computer/Internet terms & Definitions (www.webopedia.com)
Computer Knowledge Virus Tutorial (www.cknow.com/vtutor/)
Free online dictionary and thesaurus (http://encyclopedia.thefreedictionary.com/)
SANS Institute - Computer Security Education & Information Security Training (www.sans.org)
Wikipedia (www.wikipedia.org)
33