SECOND EDITION
Eric Conrad
Seth Misenar
Joshua Feldman
TECHNICAL EDITOR
Kevin Riggins
Table of Contents
Cover image
Title page
Copyright
Author biography
Chapter 1. Domain 1: Access Control
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 2. Domain 2: Telecommunications and Network Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 3. Domain 3: Information Security Governance and Risk Management
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 4. Domain 4: Software Development Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 5. Domain 5: Cryptography
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 6. Domain 6: Security Architecture and Design
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 7. Domain 7: Operations Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 8. Domain 8: Business Continuity and Disaster Recovery Planning
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 9. Domain 9: Legal, Regulations, Investigations, and Compliance
Abstract
Exam Objectives in This Chapter
Introduction
Summary of exam objectives
Chapter 10. Domain 10: Physical (Environmental) Security
Abstract
Exam Objectives in This Chapter
Introduction
Summary of Exam Objectives
Index
Copyright
Acquiring Editor: Chris Katsaropoulos
Editorial Project Manager: Benjamin Rearick
Project Manager: Mohana Natarajan
Designer: Alan Studholme
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Second edition 2014
Copyright 2014, 2011 Elsevier Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.
Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier website at http://elsevier.com/locate/permissions, and selecting Obtaining permission to use Elsevier material.
Notice
No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.
Library of Congress Cataloging-in-Publication Data
Application Submitted
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library
For information on all Syngress publications, visit our website at store.elsevier.com/syngress
ISBN: 9780124171428
Printed and bound in USA
14 15 16 17 18 10 9 8 7 6 5 4 3 2 1
Author biography
Seth Misenar (CISSP, GIAC GSE, CompTIA CASP, GPEN, GCIH, GCIA, GCFA, GWAPT, GCWN, GSEC, MCSE, and MCDBA) is a Certified Instructor with the SANS Institute and coauthor of the SANS SEC528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification. Seth also serves as lead consultant for Jackson, Mississippi-based Context Security. Seth's background includes security research, network and Web application penetration testing, vulnerability assessment, regulatory compliance efforts, security architecture design, and general security consulting. He has previously served as a physical and network security consultant for Fortune 100 companies as well as the HIPAA and information security officer for a state government agency. Seth teaches a variety of courses for the SANS Institute, including Security Essentials, Advanced Web Application Penetration Testing, Hacker Techniques, and the CISSP and CASP courses.
Seth is pursuing a Master of Science degree in information security engineering from the SANS
Technology Institute and holds a Bachelor of Science degree from Millsaps College. Seth resides in
Jackson, Mississippi, with his family, Rachel, Jude, and Hazel.
Eric Conrad (CISSP, GIAC GSE, GPEN, GCIH, GCIA, GCFA, GAWN, GSEC, GISP, CompTIA CASP, and Security+) is a partner with Backshore Communications, which provides information warfare, penetration testing, incident handling, and intrusion detection consulting services. He is also a Certified Instructor with the SANS Institute and coauthor of SANS Security 528: SANS Training Program for the CompTIA Advanced Security Practitioner (CASP) Certification.
Eric's professional career began in 1991 as a UNIX systems administrator for a small oceanographic communications company. He gained information security experience in a variety of industries, including research, education, power, Internet, and healthcare, in roles ranging from systems programmer to security engineer to HIPAA security officer and ISSO. He has taught thousands of students in courses including SANS Management 414: CISSP, Security 560: Network Penetration Testing and Ethical Hacking, Security 504: Hacker Techniques, Exploits and Incident Handling, and others.
Eric is a graduate of the SANS Technology Institute with a Master of Science degree in information
security engineering. Eric currently lives in Peaks Island, Maine, with his family, Melissa, Eric, and
Emma.
Joshua Feldman (CISSP, NSA IAM) has supported the Department of Defense Information Systems Agency (DISA), as a contractor working for SAIC, Inc., since 2002. He is a subject matter expert and training developer for DISA's cyber security mission. During his tenure, he has contributed to the DoD 8500 series, specifically conducting research and authoring sections of the DoD 8570.01-M, also known as the DoD IA Workforce Improvement Program. He is the program manager for DISA's Computer Network Defense training initiative (entitled, RaD-X) and has instructed well over 1000 students. He also is a subject matter expert for the Web-based Information Assurance awareness training every DoD user is required to take each year as part of their security awareness curriculum. He is a regular presenter and panel member at the Information Assurance Symposium, hosted by both DISA and NSA.
Before joining the support team at DoD/DISA, Joshua spent time as an IT Sec engineer working for the Department of State, Diplomatic Security. There, he traveled to embassies worldwide to conduct Tiger Team assessments of the security of each embassy. Joshua got his start in the IT Security field when he left his position teaching science for Montgomery County Public Schools, Maryland, and went to work for NFR Security Software. At the time, NFR was one of the leading companies producing Network Intrusion Detection systems.
CHAPTER 1
KEYWORDS
Confidentiality; Integrity; Availability; Identification; Authentication; Authorization; Accountability; Subject; Object; Discretionary Access Control (DAC); Mandatory Access Control (MAC); Role Based Access Control (RBAC); False Reject Rate (FRR); False Accept Rate (FAR); Crossover Error Rate (CER)
Access Control Models
Access Control Defensive Categories and Types
Authentication Methods
Access Control Technologies
Assessing Access Control
Introduction
The purpose of access control is to allow authorized users access to appropriate data and deny access to unauthorized users. Access controls protect against threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality.
Confidentiality, Integrity, and Availability are the CIA triad, the cornerstone concept of information security. The triad, shown in Figure 1.1, forms the three-legged stool information security is built upon. The order of the acronym may change (some prefer AIC, perhaps to avoid association with a certain intelligence agency), but the concepts are essential. This book will use the CIA acronym.
FIGURE 1.1 The CIA triad.
Confidentiality
Confidentiality seeks to prevent the unauthorized disclosure of information: it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data. An example of a confidentiality attack would be the theft of Personally Identifiable Information (PII), such as credit card information.
Integrity
Integrity seeks to prevent unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data.
Crunch Time
There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows 2012 server operating system, from unauthorized modification.
Availability
Availability ensures that information is available when needed. Systems need to be usable (available) for normal business use. An example of an attack on availability would be a Denial of Service (DoS) attack, which seeks to deny service (or availability) of a system.
Disclosure, alteration, and destruction
The CIA triad may also be described by its opposite: Disclosure, Alteration, and Destruction (DAD). Disclosure is the unauthorized disclosure of information; alteration is the unauthorized modification of data, and destruction is making systems unavailable. While the CIA acronym sometimes changes, the DAD acronym is shown in that order.
Identity and authentication, authorization, and accountability
The term AAA is often used, describing cornerstone concepts Authentication, Authorization, and Accountability. Left out of the AAA acronym is Identification, which is required before the three As can follow.
Identity and authentication
Identity is a claim: if your name is Person X, you identify yourself by saying "I am Person X." Identity alone is weak because there is no proof. You can also identify yourself by saying "I am Person Y." Proving an identity claim is called authentication: you authenticate the identity claim, usually by supplying a piece of information or an object that only you possess, such as a password or your passport.
Authorization
Authorization describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs.
Accountability
Accountability holds users accountable for their actions. This is typically accomplished by logging and analyzing audit data. Enforcing accountability helps keep "honest people honest." For some users, knowing that data is logged is not enough to provide accountability: they must know that the data is logged and audited, and that sanctions may result from violation of policy.
Nonrepudiation
Nonrepudiation means a user cannot deny (repudiate) having performed a transaction. It combines authentication and integrity: nonrepudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction. You must have both authentication and integrity to have nonrepudiation: proving you signed a contract to buy a car (authenticating your identity as the purchaser) is not useful if the car dealer can change the price from $20,000 to $40,000 (violate the integrity of the contract).
Least privilege and need to know
Least privilege means users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Least privilege is applied to groups of objects. Need to know is more granular than least privilege: the user must need to know that specific piece of information before accessing it.
Subjects and objects
A subject is an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well.
An object is any passive data within the system. Objects can range from databases to text files. The important thing to remember about objects is that they are passive within the system. They do not manipulate other objects.
Defense-in-depth
Defense in depth (also called layered defenses) applies multiple safeguards (also called controls: measures taken to reduce risk) to protect an asset. Any single security control may fail; by deploying multiple controls, you improve the confidentiality, integrity, and availability of your data.
Discretionary Access Control (DAC) gives subjects full control of objects they have been given access to, including sharing the objects with other subjects. Subjects are empowered and control their data. Standard UNIX and Windows operating systems use DAC for file systems: subjects can grant other subjects access to their files, change their attributes, alter them, or delete them.
Mandatory access controls
Mandatory Access Control (MAC) is system-enforced access control based on subjects' clearances and objects' labels. Subjects and objects have clearances and labels, respectively, such as confidential, secret, and top secret. A subject may access an object only if the subject's clearance is equal to or greater than the object's label. Subjects cannot share objects with other subjects who lack the proper clearance, or "write down" objects to a lower classification level (such as from top secret to secret). MAC systems are usually focused on preserving the confidentiality of data.
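The MAC rules above (read only with sufficient clearance, no write-down, no sharing at the subject's discretion) as a small, added Python example. This is not code from the book; the level ordering, the subject and object records, and the reason strings are constructed for the demonstration.

```python
"""Mandatory access control decisions: clearance versus label.

Added example illustrating the MAC rules the text describes; it is not
code from the book. The level ordering and the sample subjects and
objects are constructed for the demonstration.
"""
from __future__ import annotations
from dataclasses import dataclass

# Classification levels from least to most sensitive; tuple position is the rank.
LEVELS = ("unclassified", "confidential", "secret", "top secret")


def rank(level: str) -> int:
    """Numeric rank of a level; an unknown level raises ValueError (fail closed)."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass(frozen=True)
class Object:
    name: str
    label: str


def may_read(subject: Subject, obj: Object) -> bool:
    """Read is allowed only if the subject's clearance is >= the object's label."""
    return rank(subject.clearance) >= rank(obj.label)


def may_write(subject: Subject, obj: Object) -> bool:
    """No write-down: a subject may not write to an object labelled below its
    own clearance (e.g. top secret -> secret), so the label must be >= clearance."""
    return rank(obj.label) >= rank(subject.clearance)


def may_share(owner: Subject, obj: Object, recipient: Subject) -> bool:
    """Sharing is system-enforced, not at the owner's discretion: it is permitted
    only if the owner can read the object and the recipient's clearance covers it."""
    return may_read(owner, obj) and may_read(recipient, obj)


def decide(subject: Subject, action: str, obj: Object) -> tuple[bool, str]:
    """Return (allowed, reason) for an access request; unknown actions are denied."""
    checks = {"read": may_read, "write": may_write}
    if action not in checks:
        return False, f"deny: unknown action {action!r}"
    allowed = checks[action](subject, obj)
    verdict = "allow" if allowed else "deny"
    return allowed, (f"{verdict}: {subject.name} ({subject.clearance}) "
                     f"{action} {obj.name} ({obj.label})")
```

The decision functions never consult the owner of an object, which is the practical difference from the DAC file system described earlier: the system, not the subject, decides who may see the data.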
Nondiscretionary access control
Role Based Access Control (RBAC) defines how information is accessed on a system based on the role of the subject. A role could be a nurse, a backup administrator, a help desk technician, etc. Subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual.
RBAC is a type of nondiscretionary access control because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.
Task-based access control is another nondiscretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks, instead of roles.
Rule-based access controls
A rule-based access control system uses a series of defined rules, restrictions, and filters for accessing objects within a system. The rules are in the form of "if/then" statements. An example of a rule-based access control device is a proxy firewall that allows users to surf the Web with predefined approved content only ("If the user is authorized to surf the Web and the site is on the approved list, then allow access"). Other sites are prohibited and this rule is enforced across all authenticated users.
Centralized access control
Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party authentication servers. Centralized access control can be used to provide Single Sign-On (SSO), where a subject may authenticate once, and then access multiple systems. Centralized access control can centrally provide the three "As" of access control: Authentication, Authorization, and Accountability.
Access control lists
Access control lists (ACLs) are used throughout many IT security policies, procedures, and technologies. An access control list is a list of objects; each entry describes the subjects that may access that object. Any access attempt by a subject to an object that does not have a matching entry on the ACL will be denied.
Access provisioning lifecycle
Once the proper access control model has been chosen and deployed, the access provisioning lifecycle must be maintained and secured. While many organizations follow best practices for issuing access, many lack formal processes for ensuring the entire lifetime of access is kept secure as employees and contractors move within an organization.
IBM describes the following identity lifecycle rules:
- Password policy compliance checking
- Notifying users to change their passwords before they expire
- Identifying lifecycle changes such as accounts that are inactive for more than 30 consecutive days
- Identifying new accounts that have not been used for more than 10 days following their creation
- Identifying accounts that are candidates for deletion because they have been suspended for more than 30 days
- When a contract expires, identifying all accounts belonging to a business partner's or contractor's employees and revoking their access rights
Access aggregation occurs as individual users gain more access to more systems. This can happen intentionally, as a function of Single Sign-On (SSO). It can also happen unintentionally: users often gain new entitlements (also called access rights) as they take on new roles or duties. This can result in authorization creep: users gain more entitlements without shedding the old ones. The power of these entitlements can compound over time, defeating controls such as least privilege and separation of duties. User entitlements must be routinely reviewed and audited. Processes should be developed that reduce or eliminate old entitlements as new ones are granted.
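The lifecycle rules listed above and the entitlement review this paragraph calls for, as one added Python example (not IBM's or the book's code). The day thresholds are the ones the text gives; the account records, role baselines and user entitlements are constructed sample data standing in for a directory export.

```python
"""Identity lifecycle checks and entitlement review.

Added example, not IBM's or the book's code. The thresholds follow the
lifecycle rules listed in the text (30 days inactive, 10 days unused after
creation, 30 days suspended); the account records, role baselines and user
entitlements are constructed sample data.
"""
from __future__ import annotations
from datetime import date

INACTIVE_DAYS = 30      # inactive for more than 30 consecutive days
NEW_UNUSED_DAYS = 10    # new account never used more than 10 days after creation
SUSPENDED_DAYS = 30     # suspended for more than 30 days -> deletion candidate

# Constructed sample directory export: one record per account.
ACCOUNTS = [
    {"user": "alice", "employer": "acme", "created": date(2014, 1, 2),
     "last_login": date(2014, 3, 1), "status": "active", "suspended_on": None},
    {"user": "bob", "employer": "acme", "created": date(2014, 1, 5),
     "last_login": None, "status": "active", "suspended_on": None},
    {"user": "carol", "employer": "contractorco", "created": date(2013, 6, 1),
     "last_login": date(2014, 1, 1), "status": "active", "suspended_on": None},
    {"user": "dave", "employer": "acme", "created": date(2013, 6, 1),
     "last_login": date(2013, 12, 1), "status": "suspended",
     "suspended_on": date(2014, 1, 15)},
]


def lifecycle_findings(accounts: list[dict], today: date) -> list[tuple[str, str]]:
    """Apply the inactivity, new-unused and suspended-too-long rules to each account."""
    findings = []
    for acct in accounts:
        if acct["status"] == "suspended" and acct["suspended_on"] is not None:
            if (today - acct["suspended_on"]).days > SUSPENDED_DAYS:
                findings.append((acct["user"], "deletion candidate"))
            continue  # a suspended account is not also reported as inactive
        if acct["last_login"] is None:
            if (today - acct["created"]).days > NEW_UNUSED_DAYS:
                findings.append((acct["user"], "new account never used"))
        elif (today - acct["last_login"]).days > INACTIVE_DAYS:
            findings.append((acct["user"], "inactive"))
    return findings


def contract_expiry_revocations(accounts: list[dict], employer: str) -> list[str]:
    """Accounts to revoke when a partner's or contractor's contract expires."""
    return [a["user"] for a in accounts if a["employer"] == employer]


# Constructed role baselines: the entitlements each role needs and no more.
ROLE_BASELINES = {
    "nurse": {"read_chart", "write_chart"},
    "helpdesk": {"reset_password", "open_ticket"},
    "backup_admin": {"restore_backup", "read_backup_log"},
}

# Constructed current state: alice moved from backup_admin to helpdesk and kept an old right.
USER_ROLES = {
    "alice": {"role": "helpdesk",
              "entitlements": {"reset_password", "open_ticket", "restore_backup"}},
    "carol": {"role": "nurse", "entitlements": {"read_chart", "write_chart"}},
}


def excess_entitlements(users: dict, baselines: dict) -> dict[str, list[str]]:
    """Entitlements held beyond the current role's baseline (authorization creep)."""
    report = {}
    for user, info in users.items():
        extra = info["entitlements"] - baselines[info["role"]]
        if extra:
            report[user] = sorted(extra)
    return report
```

Run against the sample data on 5 March 2014, the lifecycle pass flags bob (created 59 days ago, never used), carol (63 days since last login) and dave (suspended 49 days), and the entitlement review reports the backup right alice kept after changing roles.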
Access control protocols and frameworks
Both centralized and decentralized models may support remote users authenticating to local systems. A number of protocols and frameworks may be used to support this need, including RADIUS, Diameter, TACACS/TACACS+, PAP, and CHAP.
RADIUS
The Remote Authentication Dial In User Service (RADIUS) protocol is a third-party authentication system. RADIUS uses the User Datagram Protocol (UDP) ports 1812 (authentication) and 1813 (accounting).
RADIUS is considered an AAA system, comprised of three components: authentication, authorization, and accounting. It authenticates a subject's credentials against an authentication database. It authorizes users by allowing specific users access to specific data objects. It accounts for each data session by creating a log entry for each RADIUS connection made.
Diameter
Diameter is RADIUS' successor, designed to provide an improved Authentication, Authorization, and Accounting (AAA) framework. RADIUS provides limited accountability and has problems with flexibility, scalability, reliability, and security. Diameter is more flexible, allowing support for mobile remote users, for example.
TACACS and TACACS+
The Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords have a security vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication.
TACACS+ is not backward compatible with TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ server.
PAP and CHAP
The Password Authentication Protocol (PAP) is insecure: a user enters a password and it is sent across the network in clear text. When received by the PAP server, it is authenticated and validated. Sniffing the network may disclose the plaintext passwords.
The Challenge Handshake Authentication Protocol (CHAP) provides protection against playback attacks. It uses a central location that challenges remote users. As stated in RFC 1994, "CHAP depends upon a 'secret' known only to the authenticator and the peer. The secret is not sent over the link. Although the authentication is only one-way, by negotiating CHAP in both directions the same secret set may easily be used for mutual authentication."
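The CHAP exchange above, as an added Python example with both sides (authenticator and peer) in one file; it is not code from the book or from any RFC implementation. The response is the MD5 hash over the Identifier byte, the shared secret and the challenge value, which is the construction RFC 1994 specifies; the peer name, the secret and the messages are constructed. The second half of the demo shows why playback fails: a captured response is tied to the challenge that produced it, and each challenge is consumed on first use.

```python
"""CHAP challenge/response exchange as described in RFC 1994.

Added example, not code from the book. The response is MD5 over the
Identifier byte, the shared secret and the challenge value (the RFC 1994
construction); peer name, secret and messages are constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: MD5(Identifier || secret || Challenge). The secret itself
    never goes over the link, only this digest."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Central authenticator: issues challenges and checks responses."""

    def __init__(self, secrets: dict[str, bytes]):
        self._secrets = secrets                 # peer name -> shared secret
        self._pending: dict[int, bytes] = {}    # identifier -> outstanding challenge
        self._next_id = 0

    def challenge(self) -> tuple[int, bytes]:
        """Issue a fresh random challenge under a new Identifier."""
        identifier = self._next_id & 0xFF
        self._next_id += 1
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Check a response; each challenge is consumed on first use so a
        captured response cannot be replayed against it later."""
        value = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def demo_exchange() -> tuple[bool, bool]:
    """Run one legitimate authentication, then replay the captured response
    against a new challenge. Returns (first_result, replay_result)."""
    secret = b"constructed-shared-secret"
    auth = Authenticator({"peer1": secret})

    ident, chal = auth.challenge()                 # authenticator -> peer
    resp = chap_response(ident, secret, chal)      # peer -> authenticator
    first = auth.verify(ident, "peer1", resp)

    ident2, _chal2 = auth.challenge()              # new challenge, new value
    replay = auth.verify(ident2, "peer1", resp)    # old response no longer matches
    return first, replay
```

Note what crosses the link: the Identifier, the random challenge and the digest. An observer who records all three learns nothing usable for the next exchange, which is exactly the property PAP lacks.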
Fast Facts
These access control types can fall into one of three categories: administrative, technical, or physical.
1. Administrative (also called directive) controls are implemented by creating and following organizational policy, procedure, or regulation. User training and awareness also fall into this category.
2. Technical controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system. Examples include firewalls, routers, and encryption.
3. Physical controls are implemented with physical devices, such as locks, fences, gates, and security guards.
Preventive
Preventive controls prevent actions from occurring. They apply restrictions to what a potential user, either authorized or unauthorized, can do. An example of an administrative preventive control is a pre-employment drug screening. It is designed to prevent an organization from hiring an employee who is using illegal drugs.
Detective
Detective controls are controls that alert during or after a successful attack. Intrusion detection systems alerting after a successful attack, closed circuit television cameras (CCTV) that alert guards to an intruder, and a building alarm system that is triggered by an intruder are all examples of detective controls.
Corrective
Corrective controls work by correcting a damaged system or process. The corrective access control typically works hand in hand with detective access controls. Antivirus software has both components. First, the antivirus software runs a scan and uses its definition file to detect whether there is any software that matches its virus list. If it detects a virus, the corrective controls take over, place the suspicious software in quarantine, or delete it from the system.
Recovery
After a security incident has occurred, recovery controls may need to be taken in order to restore functionality of the system and organization. Recovery means that the system must be recovered: reinstalled from OS media or image, data restored from backups, etc.
Deterrent
Deterrent controls deter users from performing actions on a system. Examples include a "beware of dog" sign: a thief facing two buildings, one with guard dogs and one without, is more likely to attack the building without guard dogs. A large fine for speeding is a deterrent for drivers to not speed. A sanction policy that makes users understand that they will be fired if they are caught surfing illicit or illegal Web sites is a deterrent.
Compensating
A compensating control is an additional security control put in place to compensate for weaknesses in other controls.
AUTHENTICATION METHODS
A key concept for implementing any type of access control is controlling the proper authentication of subjects within the IT system. A subject first identifies himself or herself; this identification cannot be trusted. The subject then authenticates by providing an assurance that the claimed identity is valid. A credential set is the term used for the combination of both the identification and authentication of a user.
Did You Know?
There are three basic authentication methods: Type 1 (something you know), Type 2 (something you have), and Type 3 (something you are). A fourth type of authentication is someplace you are.
Strong authentication (also called multifactor authentication) requires that the user present more than one authentication factor. For example, a user may possess an ATM card in order to withdraw money out of the bank, but he/she must also input the correct PIN.
Type 1 authentication: something you know
Type 1 authentication (something you know) requires testing the subject with some sort of challenge and response where the subject must respond with a knowledgeable answer. The subject is granted access on the basis of something they know, such as a password or PIN (Personal Identification Number, a number-based password). This is the easiest, and often weakest, form of authentication.
Passwords
Passwords have been the cornerstone for access control to IT systems. They are relatively easy and cheap to implement. Many online banking, stock portfolio services, private Web mail, and healthcare systems still use a user name and password as the access control method.
There are four types of passwords to consider when implementing access controls: static passwords, passphrases, one-time passwords, and dynamic passwords.
Static passwords are reusable passwords that may or may not expire. They are typically user-generated and work best when combined with another authentication type, such as a smart card or biometric control.
Passphrases are long static passwords, comprised of words in a phrase or sentence. An example of a passphrase is: "I will pass the CISSP in 6 months!" Passphrases may be made stronger by using nonsense words (replacing "CISSP" with "XYZZY" in the previous passphrase, for example), by mixing case, and by using additional numbers and symbols.
One-time passwords may be used for a single authentication. They are very secure but difficult to manage. A one-time password is impossible to reuse and is valid for just one-time use.
Dynamic passwords change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds. The user combines their static PIN with the RSA dynamic token code to create one dynamic password that changes every time it is used. One drawback when using dynamic passwords is the expense of the tokens themselves.
Password hashes and password cracking
In most cases, clear text passwords are not stored within an IT system; only the hashed outputs of those passwords are stored. Hashing is one-way encryption using an algorithm and no key. When a user attempts to log in, the password they type is hashed, and that hash is compared against the hash stored on the system. The hash function cannot be reversed: it is impossible to reverse the algorithm and produce a password from a hash. While hashes may not be reversed, an attacker may run the hash algorithm forward many times, selecting various possible passwords and comparing the output to a desired hash, hoping to find a match (and to derive the original password). This is called password cracking.
Dictionary attacks
A dictionary attack uses a word list: a predefined list of words, and then runs each word through a hash algorithm. If the cracking software matches the output from the dictionary attack output to the password hash, the attacker will be able to identify the original password.
Hybrid attacks
A hybrid attack appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter "o" with the number "0".
Brute-force attacks
A rainbow table is a precomputed compilation of plaintexts and matching ciphertexts (typically passwords and their matching hashes). Rainbow tables greatly speed up many types of password cracking attacks, often taking minutes to crack where other methods (such as dictionary, hybrid, and brute-force password cracking attempts) may take much longer.
Though rainbow tables act as a database, they are more complex under the hood, relying on a time/memory tradeoff to represent and recover passwords and hashes. Most rainbow tables can crack most, but not all, possible hashes.
Salts
A salt allows one password to hash multiple ways. Some systems (like modern UNIX/Linux systems) combine a salt with a password before hashing: "The designers of the UNIX operating system improved on this method by using a random value called a 'salt.' A salt value ensures that the same password will encrypt differently when used by different users. This method offers the advantage that an attacker must encrypt the same word multiple times (once for each salt or user) in order to mount a successful password guessing attack."
This makes rainbow tables far less effective (if not completely ineffective) for systems using salts. Instead of compiling one rainbow table for a system that does not use salts (such as Microsoft LAN Manager hashes), thousands, millions, billions, or more rainbow tables would be required for systems using salts, depending on the salt length.
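An added Python example covering the password hashing, dictionary and hybrid attack, and salt sections above in one place (not code from the book). The "rainbow table" is simplified to a dictionary of precomputed unsalted hashes, which is enough to show the effect the text describes: one precomputation answers every unsalted store, while a per-user salt forces the guesser to redo the hashing for each user. PBKDF2-HMAC-SHA256 stands in for the salted hash; the wordlist, user names and passwords are constructed.

```python
"""Why salts defeat precomputed (rainbow-table style) password cracking.

Added example, not code from the book. The wordlist, users and passwords
are constructed; the precomputed table is a plain dict standing in for a
rainbow table; PBKDF2-HMAC-SHA256 stands in for a salted hash.
"""
from __future__ import annotations
import hashlib
import hmac
import os
from typing import Iterator

WORDLIST = ["password", "letmein", "summer2014", "Welcome1"]   # constructed
ITERATIONS = 50_000


def unsalted_hash(password: str) -> str:
    """Unsalted SHA-256: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words: list[str]) -> dict[str, str]:
    """Stand-in for a rainbow table: digest -> plaintext, computed once, reused forever."""
    return {unsalted_hash(w): w for w in words}


def hybrid_candidates(word: str) -> Iterator[str]:
    """Hybrid variations of one wordlist entry: the word, letter-o to zero, appended digits."""
    yield word
    yield word.replace("o", "0")
    for digit in range(10):
        yield f"{word}{digit}"


def crack_unsalted(table: dict[str, str], store: dict[str, str]) -> dict[str, str | None]:
    """Unsalted store: one table lookup per user, no hashing at attack time."""
    return {user: table.get(digest) for user, digest in store.items()}


def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt combined with the password before hashing."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Login check: hash the typed password with the stored salt and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def crack_salted(words: list[str], store: dict[str, tuple[bytes, bytes]]) -> tuple[dict, int]:
    """Salted store: the precomputed table is useless, so every guess must be
    hashed again per user. Returns (recovered, number of hash operations)."""
    recovered, hash_ops = {}, 0
    for user, (salt, digest) in store.items():
        recovered[user] = None
        for word in words:
            hash_ops += 1
            if verify_salted(word, salt, digest):
                recovered[user] = word
                break
    return recovered, hash_ops
```

With two users sharing the same weak password, the unsalted store yields identical digests and both fall to a single lookup each; the salted store gives two different digests, the table finds neither, and the guesser pays the hashing cost once per word per user. Raising the iteration count raises that cost for the attacker far more than for the one legitimate login.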
Type 2 authentication: something you have
Type 2 authentication (something you have) requires that users possess something, such as a token, which proves they are an authenticated user. A token is an object that helps prove an identity claim.
Synchronous dynamic token
Synchronous dynamic tokens use time or counters to synchronize a displayed token code with the code expected by the authentication server: the codes are synchronized.
Time-based synchronous dynamic tokens display dynamic token codes that change frequently, such as every 60 seconds. The dynamic code is only good during that window. The authentication server knows the serial number of each authorized token, the user it is associated with, and the time. It can predict the dynamic code on each token using these three pieces of information.
Counter-based synchronous dynamic tokens use a simple counter: the authentication server expects token code #1, and the user's token displays the same token. Once used, the token displays the second token, and the server also expects token #2.
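Both synchronous token types above, as an added Python example with the server side included; this is not code from the book or from RSA. The codes are built the way the HOTP (RFC 4226) and TOTP (RFC 6238) standards do it, HMAC-SHA1 over a counter with dynamic truncation, which the text does not name; the 60-second step, the seeds, the PIN and the user names are constructed. The server shows the two checks that matter in practice: tolerating a little drift (a skipped button press, a clock a minute off) and never accepting the same code twice.

```python
"""Synchronous dynamic token codes: counter-based and time-based.

Added example, not code from the book or from RSA. Codes follow the
HOTP/TOTP construction (HMAC-SHA1 over a counter, dynamic truncation);
the step, seeds, PIN and users are constructed.
"""
from __future__ import annotations
import hashlib
import hmac
import struct

STEP_SECONDS = 60


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based token code: HMAC-SHA1(seed, counter) truncated to digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based token code: the counter is the current time window."""
    return hotp(seed, at_time // step, digits)


class CounterTokenServer:
    """Server expects code #n next; tolerates the user skipping a few presses."""

    def __init__(self, seeds: dict[str, bytes], look_ahead: int = 3):
        self._seeds = seeds
        self._next = {user: 0 for user in seeds}
        self._look_ahead = look_ahead

    def verify(self, user: str, code: str) -> bool:
        start = self._next[user]
        for counter in range(start, start + self._look_ahead):
            if hmac.compare_digest(hotp(self._seeds[user], counter), code):
                self._next[user] = counter + 1   # resync; this counter is now burned
                return True
        return False


class TimeTokenServer:
    """Passcode = static PIN (something you know) + token code (something you have)."""

    def __init__(self, seeds: dict[str, bytes], pins: dict[str, str], skew: int = 1):
        self._seeds, self._pins, self._skew = seeds, pins, skew
        self._last_window = {user: -1 for user in seeds}   # replay guard

    def verify(self, user: str, passcode: str, now: int) -> bool:
        pin_len = len(self._pins[user])
        pin, code = passcode[:pin_len], passcode[pin_len:]
        if not hmac.compare_digest(pin, self._pins[user]):
            return False
        window = now // STEP_SECONDS
        for w in range(window - self._skew, window + self._skew + 1):
            if w <= self._last_window[user]:
                continue   # a window already used can never be accepted again
            if hmac.compare_digest(hotp(self._seeds[user], w), code):
                self._last_window[user] = w
                return True
        return False
```

The seed is the only secret; it lives in the token and on the server and is never typed or transmitted. A captured passcode is worth nothing after its window (or counter) has been consumed, which is the property that distinguishes a dynamic password from the static ones described earlier.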
Asynchronous dynamic token
Asynchronous dynamic tokens are not synchronized with a central server. The most common variety is challenge-response tokens. Challenge-response token authentication systems produce a challenge or input for the token device. Then the user manually enters the information into the device along with their PIN, and the device produces an output. This output is then sent to the system.
Type 3 authentication: something you are
Type 3 authentication (something you are) is biometrics, which uses physical characteristics as a means of identification or authentication. Biometrics may be used to establish an identity or to authenticate (prove an identity claim). For example, an airport facial recognition system may be used to establish the identity of a known terrorist, and a fingerprint scanner may be used to authenticate the identity of a subject (who makes the identity claim and then swipes his or her finger to prove it).
Biometric enrollment and throughput
Enrollment describes the process of registering with a biometric system: creating an account for the first time. Users typically provide their username (identity), a password or PIN, and then provide biometric information, such as swiping fingerprints on a fingerprint reader or having a photograph taken of their irises. Enrollment is a one-time process that should take 2 minutes or less.
Throughput describes the process of authenticating to a biometric system. This is also called the biometric system response time. A typical throughput is 6-10 seconds.
Accuracy of biometric systems
The accuracy of biometric systems should be considered before implementing a biometric control program. Three metrics are used to judge biometric accuracy: the False Reject Rate (FRR), the False Accept Rate (FAR), and the Crossover Error Rate (CER).
False reject rate
A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error. False rejections cause frustration of the authorized users, reduction in work due to poor access conditions, and expenditure of resources to revalidate authorized users.
False accept rate
A false acceptance occurs when an unauthorized subject is accepted as valid. If an organization's biometric control is producing a lot of false rejections, the overall control might have to lower the accuracy of the system by lessening the amount of data it collects when authenticating subjects. When the data points are lowered, the organization risks an increase in the false acceptance rate. The organization risks an unauthorized user gaining access. This type of error is also called a Type II error.
Crunch Time
A false accept is worse than a false reject: most organizations would prefer to reject authentic subjects to accepting impostors. FARs (Type II errors) are worse than FRRs (Type I errors). Two is greater than one, which will help you remember that FAR is Type II, which are worse than Type I (FRRs).
The Crossover Error Rate (CER) describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal. CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
As the sensitivity of a biometric system increases, FRRs will rise and FARs will drop. Conversely, as the sensitivity is lowered, FRRs will drop and FARs will rise. Figure 1.2 shows a graph depicting the FAR versus the FRR. The CER is the intersection of both lines of the graph as shown in Figure 1.2, based on the ISACA Biometric Auditing Guide, G36.
FIGURE 1.2 Crossover error rate.
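The FRR/FAR trade-off and the crossover point from the accuracy sections above, computed numerically as an added Python example (not code from the book or from the ISACA guide). The match scores are constructed: a higher score means the sample looked more like the enrolled template, and the system accepts a sample whose score reaches the threshold, so raising the threshold is the "increasing sensitivity" the text describes.

```python
"""FRR, FAR and the crossover error rate from a threshold sweep.

Added example, not code from the book or the ISACA guide. The similarity
scores are constructed; accept means score >= threshold.
"""
from __future__ import annotations

# Constructed similarity scores (0..1) for authorized users and impostors.
GENUINE = [0.91, 0.88, 0.95, 0.79, 0.85, 0.72, 0.93, 0.60, 0.87, 0.90]
IMPOSTOR = [0.20, 0.35, 0.41, 0.55, 0.30, 0.62, 0.48, 0.25, 0.38, 0.70]


def frr(threshold: float, genuine: list[float]) -> float:
    """False Reject Rate (Type I): authorized samples scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: float, impostor: list[float]) -> float:
    """False Accept Rate (Type II): impostor samples at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def sweep(genuine: list[float], impostor: list[float],
          steps: int = 100) -> list[tuple[float, float, float]]:
    """(threshold, FRR, FAR) for thresholds 0.0 .. 1.0 in `steps` increments.
    Reading down the list: FRR only ever rises and FAR only ever falls."""
    rows = []
    for i in range(steps + 1):
        t = round(i / steps, 4)
        rows.append((t, frr(t, genuine), far(t, impostor)))
    return rows


def crossover(genuine: list[float], impostor: list[float],
              steps: int = 100) -> tuple[float, float, float]:
    """Threshold at which FRR and FAR are closest: the CER (EER) operating point.
    Ties resolve to the lowest such threshold."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


def operating_point(genuine: list[float], impostor: list[float],
                    max_far: float, steps: int = 100) -> tuple[float, float, float]:
    """Lowest threshold whose FAR does not exceed max_far, for deployments that
    value keeping impostors out over convenience (the text's stated preference)."""
    for row in sweep(genuine, impostor, steps):
        if row[2] <= max_far:
            return row
    raise ValueError("no threshold meets the FAR target")
```

On the constructed data the two curves cross at a threshold of 0.63 with FRR = FAR = 10%, so 10% is this system's CER; demanding FAR of zero instead pushes the threshold past the highest impostor score and raises FRR to 10% as well, while a threshold of 0.95 rejects 9 of 10 genuine users to keep FAR at zero.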
There are a number of biometric controls used today. Below are the major implementations and their specific pros and cons with regard to access control security.
Fingerprints
Fingerprints are the most widely used biometric control available today. Smart cards can carry fingerprint information. Many U.S. Government office buildings rely on fingerprint authentication for physical access to the facility. Examples include smart keyboards, which require users to present a fingerprint to unlock the computer's screen saver.
The data used for storing each person's fingerprint must be of a small enough size to be used for authentication. This data is a mathematical representation of fingerprint minutiae, specific details of fingerprint friction ridges, which include whorls, ridges, bifurcation, and others. Figure 1.3 shows minutiae types (from left) bifurcation, ridge ending, core, and delta.
FIGURE 1.3 Fingerprint minutiae.
Retina scan
A retina scan is a laser scan of the capillaries that feed the retina of the back of the eye. This can seem personally intrusive because the light beam must directly enter the pupil, and the user usually needs to press their eye up to a laser scanner eyecup. The laser scan maps the blood vessels of the retina. Health information of the user can be gained through a retina scan: conditions such as pregnancy and diabetes can be determined, which may raise legitimate privacy issues. Because of the need for close proximity of the scanner in a retina scan, exchange of bodily fluids is possible when using retina scanning as a means of access control.
Exam Warning
Retina scans are rarely used because of health risks and invasion of privacy issues. Alternatives should be considered for biometric controls that risk exchange of bodily fluid or raise legitimate privacy concerns.
Iris scan
An iris scan is a passive biometric control. A camera takes a picture of the iris (the colored portion of the eye) and then compares photos within the authentication database. This also works through contact lenses and glasses. Each person's two irises are unique, even twins' irises. Benefits of iris scans include high accuracy, passive scanning (which may be accomplished without the subject's knowledge), and no exchange of bodily fluids.
Hand geometry
In hand geometry biometric control, measurements are taken from specific points on the subject's hand: "The devices use a simple concept of measuring and recording the length, width, thickness, and surface area of an individual's hand while guided on a plate." Hand geometry devices are fairly simple and can store information in as little as 9 bytes.
Keyboard dynamics
Keyboard dynamics refers to how hard a person presses each key and the rhythm by which the keys are pressed. Surprisingly, this type of access control is cheap to implement and can be effective. As people learn how to type and use a computer keyboard, they develop specific habits that are difficult to impersonate, although not impossible.
Dynamic signature
Dynamic signatures measure the process by which someone signs his or her name. This process is similar to keyboard dynamics, except that this method measures the handwriting of the subjects while they sign their name. Measuring time, pressure, loops in the signature, and beginning and ending points all help to ensure the user is authentic.
Voiceprint
A voiceprint measures the subject's tone of voice while stating a specific sentence or phrase. This type of access control is vulnerable to replay attacks (replaying a recorded voice), so other access controls must be implemented along with the voiceprint. One such control requires subjects to state random words, protecting against an attacker playing prerecorded specific phrases. Another issue is people's voices may substantially change due to illness, resulting in a false rejection.
Facial scan
Facialscantechnologyhasgreatlyimprovedoverthepastfewyears.Facial
scanning(alsocalledfacialrecognition)istheprocessofpassivelytakinga
pictureofasubjectsfaceandcomparingthatpicturetoaliststoredina
database.Althoughnotfrequentlyusedforbiometricauthenticationcontrol
duetothehighcost,lawenforcementandsecurityagenciesusefacial
recognitionandscanningtechnologiesforbiometricidenticationtoimprove
securityofhighvalued,publiclyaccessibletargets.
Someplace you are
Someplaceyouaredescribeslocationbasedaccesscontrolusingtechnologies
suchastheglobalpositioningsystem(GPS),IPaddressbasedgeolocation,or
thephysicallocationforapointofsalepurchase.Thesecontrolscandeny
accessifthesubjectisintheincorrectlocation.
SingleSignOn(SSO)allowsmultiplesystemstouseacentralauthentication
server(AS).Thisallowsuserstoauthenticateonceandthenaccessmultiple,
dierentsystems.Italsoallowssecurityadministratorstoadd,change,or
revokeuserprivilegesononecentralsystem.
TheprimarydisadvantagetoSSOisitmayallowana ackertogainaccessto
multipleresourcesaftercompromisingoneauthenticationmethod,suchasa
password.SSOshouldalwaysbeusedwithmultifactorauthenticationforthis
reason.
Federated identity management
FederatedIdentityManagement(FIdM)appliesSingleSignOnatamuchwider
scale:rangingfromcrossorganizationtoInternetscale.Itissometimes
simplycalledIdentityManagement(IdM).FIdMmayuseOpenIDorSAML
(SecurityAssociationMarkupLanguage).
AccordingtoEDUCAUSE,Identitymanagementreferstothepolicies,
processes,andtechnologiesthatestablishuseridentitiesandenforcerules
aboutaccesstodigitalresources.Inacampusse ing,manyinformation
systemssuchasemail,learningmanagementsystems,librarydatabases,
andgridcomputingapplicationsrequireuserstoauthenticatethemselves
(typicallywithausernameandpassword).Anauthorizationprocessthen
determineswhichsystemsanauthenticateduserispermi edtoaccess.With
anenterpriseidentitymanagementsystem,ratherthanhavingseparate
credentialsforeachsystem,ausercanemployasingledigitalidentityto
accessallresourcestowhichtheuserisentitled.Federatedidentity
managementpermitsextendingthisapproachabovetheenterpriselevel,
creatingatrustedauthorityfordigitalidentitiesacrossmultiple
organizations.Inafederatedsystem,participatinginstitutionsshareidentity
a ributesbasedonagreeduponstandards,facilitatingauthenticationfrom
othermembersofthefederationandgrantingappropriateaccesstoonline
resources.Thisapproachstreamlinesaccesstodigitalassetswhileprotecting
restrictedresources.
Kerberos
Kerberosisathirdpartyauthenticationservicethatmaybeusedtosupport
SingleSignOn.Kerberos(h p://www.kerberos.org/)wasthenameofthe
threeheadeddogthatguardedtheentrancetoHades(alsocalledCerberus)
inGreekmythology.
Kerberosusessymmetricencryptionandprovidesmutualauthenticationof
bothclientsandservers.Itprotectsagainstnetworksningandreplay
a acks.ThecurrentversionofKerberosisversion5,describedbyRFC4120
(h p://www.ietf.org/rfc/rfc4120.txt).
FastFacts
Kerberoshasthefollowingcomponents:
Principal:Client(user)orservice
Realm:AlogicalKerberosnetwork
Ticket:Datathatauthenticatesaprincipalsidentity
Credentials:Aticketandaservicekey
KDC:KeyDistributionCenter,whichauthenticatesprincipals
TGS:TicketGrantingService
TGT:TicketGrantingTicket
C/S:Client/Server,regardingcommunicationsbetweenthetwo
SESAME
SESAMEisSecureEuropeanSystemforApplicationsinamultivendor
environment,asinglesignonsystemthatsupportsheterogeneous
environments.SESAMEcanbethoughtofasasequelofsortstoKerberos,
SESAMEaddstoKerberos:heterogeneity,sophisticatedaccesscontrol
features,scalabilityofpublickeysystems,be ermanageability,auditand
delegation.
Ofthoseimprovements,theadditionofpublickey
(asymmetric)encryptionisthemostcompelling.Itaddressesoneofthe
biggestweaknessesinKerberos:theplaintextstorageofsymmetrickeys.
SESAMEusesPrivilegeA ributeCerticates(PACs)inplaceofKerberos
tickets.MoreinformationonSESAMEisavailableat
h ps://www.cosic.esat.kuleuven.be/sesame/.
Apenetrationtesterisawhitehathackerwhoreceivesauthorizationto
a empttobreakintoanorganizationsphysicalorelectronicperimeter(and
sometimesboth).Penetrationtests(calledpentestsforshort)aredesignedto
determinewhetherblackhathackerscoulddothesame.Theyareanarrow,
butoftenuseful,test,especiallyifthepenetrationtesterissuccessful.
Penetrationtestsmayincludethefollowingtests:
Network(Internet)
Network(internalorDMZ)
Wardialing
Wireless
Physical(a empttogainentranceintoafacilityorroom)
Wireless
Networka acksmayleverageclientsidea acks,serversidea acks,orWeb
applicationa acks.SeeChapter6,Domain6:SecurityArchitectureand
Designformoreinformationonthesea acks.Wardialingusesmodemto
dialaseriesofphonenumbers,lookingforanansweringmodemcarriertone
(thepenetrationtesterthena emptstoaccesstheansweringsystem);the
namederivesfromthe1983movieWarGames.
Socialengineeringusesthehumanmindtobypasssecuritycontrols.Social
engineeringmaybeusedincombinationwithmanytypesofa acks,
especiallyclientsidea acksorphysicaltests.Anexampleofasocial
engineeringa ackcombinedwithaclientsidea ackisemailingmalware
withasubjectlineofCategory5HurricaneisabouttohitFlorida!
Azeroknowledgetestisblind;thepenetrationtesterbeginswithnoexternal
ortrustedinformationandbeginsthea ackwithpublicinformationonly.A
fullknowledgetestprovidesinternalinformationtothepenetrationtester,
includingnetworkdiagrams,policiesandprocedures,andsometimesreports
frompreviouspenetrationtesters.Partialknowledgetestsareinbetweenzero
andfullknowledge:thepenetrationtesterreceivessomelimitedtrusted
information.
Vulnerability testing
Vulnerabilityscanning(alsocalledvulnerabilitytesting)scansanetworkor
systemforalistofpredenedvulnerabilitiessuchassystem
misconguration,outdatedsoftware,oralackofpatching.Avulnerability
testingtoolsuchasNessus(h p://www.nessus.org)orOpenVAS
(h p://www.openvas.org)maybeusedtoidentifythevulnerabilities.
Security audits
Asecurityauditisatestagainstapublishedstandard.Organizationsmaybe
auditedforPCIDSS(PaymentCardIndustryDataSecurityStandard)
compliance,forexample.PCIDSSincludesmanyrequiredcontrols,suchas
rewalls,specicaccesscontrolmodels,andwirelessencryption.Anauditor
thenveriesasiteororganizationmeetsthepublishedstandard.
Security assessments
Securityassessmentsareaholisticapproachtoassessingtheeectivenessof
accesscontrol.Insteadoflookingnarrowlyatpenetrationtestsor
vulnerabilityassessments,securityassessmentshaveabroaderscope.
down, even for an evaluation.
The company wants the most in-depth test possible.
1. What kind of test should be recommended?
A. Zero knowledge
B. Partial knowledge
C. Full knowledge
D. Vulnerability testing
2. While conducting the penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?
A. Note the results in the penetration testing report
B. Immediately end the penetration test and call the CIO
C. Remove the malware
D. Shut the system down
3. What type of password cracking can recover the most passwords?
A. Dictionary
B. Hybrid
C. Brute force
D. Rainbow table
4. A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
A. Least privilege
B. Need to know
C. Rotation of duties
D. Separation of duties
5. What technique would raise the False Accept Rate (FAR) and lower the False Reject Rate (FRR) in a fingerprint scanning system?
A. Decrease the amount of minutiae that is verified
B. Increase the amount of minutiae that is verified
C. Lengthen the enrollment time
D. Lower the throughput time
evidence that exists in memory.
3. Correct answer and explanation: C. Answer C is correct; brute-force attacks will recover the most passwords.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Dictionary and hybrid will only crack some passwords. Most rainbow tables are able to recover most, but not all, passwords. Rainbow tables are also ineffective against salted hashes.
4. Correct answer and explanation: B. Answer B is correct; need to know means the user must have a need (requirement) to access a specific object before doing so.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Least privilege is less granular than need to know: users have the least amount of privilege to do their jobs, but objects are still typically grouped together (such as allowing access to all backup tapes for a backup administrator). Separation of duties is designed to divide sensitive tasks among multiple subjects. Rotation of duties is designed to mitigate collusion.
5. Correct answer and explanation: A. Answer A is correct; decreasing the amount of minutiae will make the accuracy of the system lower, which lowers false rejects but raises false accepts.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Increasing the amount of minutiae will make the system more accurate, increasing the FRR and lowering the FAR. Enrollment and throughput time are not directly connected to FAR and FRR.
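To see why answer A is correct, the following added Python example (not from the book) models a fingerprint matcher whose score is the number of enrolled minutiae that matched, and sweeps the number of minutiae the system requires before it accepts. The genuine and impostor score samples are constructed for illustration; the functions `rates`, `sweep`, and `crossover` are this example's own names.

```python
from typing import List, Tuple

# Constructed matcher scores: number of enrolled minutiae that matched in each attempt.
# Genuine attempts are the enrolled user; impostor attempts are other people's fingers.
GENUINE_SCORES = [6, 9, 10, 11, 12, 12, 13, 14, 15, 16]
IMPOSTOR_SCORES = [1, 2, 2, 3, 4, 5, 6, 7, 8, 10]


def rates(required_minutiae: int, genuine: List[int], impostor: List[int]) -> Tuple[float, float]:
    """Return (FAR, FRR) when the system requires at least `required_minutiae` matches.

    FAR: fraction of impostor attempts accepted (score reached the requirement).
    FRR: fraction of genuine attempts rejected (score fell short of it).
    """
    far = sum(s >= required_minutiae for s in impostor) / len(impostor)
    frr = sum(s < required_minutiae for s in genuine) / len(genuine)
    return far, frr


def sweep(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """FAR/FRR for every requirement from 'no minutiae needed' up past the largest score seen."""
    top = max(genuine + impostor) + 1
    return [(t,) + rates(t, genuine, impostor) for t in range(0, top + 1)]


def crossover(genuine: List[int], impostor: List[int]) -> int:
    """Requirement at which FAR and FRR are closest: the crossover error rate operating point."""
    return min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))[0]


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"require {t:2d} minutiae: FAR={far:.2f} FRR={frr:.2f}")
    print("crossover at", crossover(GENUINE_SCORES, IMPOSTOR_SCORES), "minutiae")
```

Running the sweep shows the trade-off the answer describes: relaxing the requirement from 11 to 8 minutiae on the constructed data drops FRR from 0.3 to 0.1 while FAR rises from 0.0 to 0.2, and enrollment or throughput time never enters the calculation.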
CHAPTER 2
Domain 2: Telecommunications and Network Security
Abstract
Domain 2: Telecommunications and Network Security, covered in this chapter, represents a vast and technical domain to be tested. One of the most technical of the domains included in the CISSP, Domain 2 requires an understanding of networking and the TCP/IP suite of protocols at a fairly substantial level of depth. Networking hardware such as routers, switches, and the less common repeaters, hubs, and bridges are all presented within this domain. Technical aspects of Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Virtual Private Networks (VPN), 802.11 wireless, Radio Frequency ID (RFID), and also authentication devices and protocols are found in this large domain. More recently added topics such as endpoint security, remote access, and virtualization are also represented in this chapter.
KEYWORDS
Ethernet; OSI model; TCP/IP; Packet-switched network; Switch; Router; Packet filter firewall; Stateful firewall; Proxy firewall; 802.11; 802.1x; IPsec; VoIP; Remote meeting technology
Introduction
Telecommunications and Network Security is fundamental to our modern life. The Internet, the World Wide Web, online banking, instant messaging, email, and many other technologies rely on Network Security: our modern world cannot exist without it. Telecommunications and Network Security (often called "telecommunications," for short) focuses on the confidentiality, integrity, and availability of data in motion.
Telecommunications is one of the largest domains in the Common Body of Knowledge and contains more concepts than any other domain. This domain is also one of the most technically deep domains, requiring technical knowledge down to packets, segments, frames, and their headers. Understanding this domain is critical to ensure success on the exam.
Before we can discuss specific Telecommunications and Network Security concepts, we need to understand the fundamental concepts behind them. Terms like "broadband" are often used informally: the exam requires a precise understanding of information security terminology.
Simplex, half-duplex, and full-duplex communication
Simplex communication is one-way, like a car radio tuned to a music station. Half-duplex communication sends or receives at one time only (not simultaneously), like a walkie-talkie. Full-duplex communication sends and receives simultaneously, like two people having a face-to-face conversation.
LANs, WANs, MANs, and PANs
A LAN is a Local Area Network. A LAN is a comparatively small network, typically confined to a building or an area within one. A MAN is a Metropolitan Area Network, which is typically confined to a city, a zip code, a campus, or an office park. A WAN is a Wide Area Network, typically covering cities, states, or countries.
At the other end of the spectrum, the smallest of these networks are PANs: Personal Area Networks, with a range of 100 m or much less. Low-power wireless technologies such as Bluetooth are used to create PANs.
Internet, Intranet, and Extranet
The Internet is a global collection of peered networks running TCP/IP, providing best-effort service. An Intranet is a privately owned network running TCP/IP, such as a company network. An Extranet is a connection between private Intranets, such as connections to business partner Intranets.
The OSI model
The OSI (Open System Interconnection) Reference Model is a layered network model. The model is abstract: we do not directly run the OSI model in our systems (most now use the TCP/IP model); it is used as a reference point, so "Layer 1" (physical) is universally understood, whether you are running Ethernet or ATM, for example. "Layer X" in this book refers to the OSI model.
The OSI model has seven layers, as shown in Table 2.1. The layers may be listed in top-to-bottom or bottom-to-top order. Using the latter, they are Physical, Data Link, Network, Transport, Session, Presentation, and Application.
Table 2.1
The OSI Model
Layer 1: Physical
The Physical Layer is Layer 1 of the OSI model. Layer 1 describes units of data such as bits represented by energy (such as light, electricity, or radio waves) and the medium used to carry them (such as copper or fiber optic cables). WLANs have a Physical Layer, even though we cannot physically touch it.
Cabling standards such as Thinnet, Thicknet, and Unshielded Twisted Pair (UTP) exist at Layer 1, among many others. Layer 1 devices include hubs and repeaters.
Layer 2: Data Link
The Data Link Layer handles access to the Physical Layer as well as Local Area Network communication. An Ethernet card and its MAC (Media Access Control) address are at Layer 2, as are switches and bridges.
Layer 2 is divided into two sublayers: Media Access Control (MAC) and Logical Link Control (LLC). The MAC Layer transfers data to and from the Physical Layer. LLC handles LAN communications. MAC touches Layer 1, and LLC touches Layer 3.
Layer 3: Network
The Network Layer describes routing: moving data from a system on one LAN to a system on another. IP addresses and routers exist at Layer 3. Layer 3 protocols include IPv4 and IPv6, among others.
Layer 4: Transport
The Transport Layer handles packet sequencing, flow control, and error detection. TCP and UDP are Layer 4 protocols.
Layer 4 makes a number of features available, such as resending or resequencing packets. Taking advantage of these features is a protocol implementation decision. As we will see later, TCP takes advantage of these features, at the expense of speed. Many of these features are not implemented in UDP, which chooses speed over reliability.
Layer 5: Session
The Session Layer manages sessions, which provide maintenance on connections. Mounting a file share via a network requires a number of maintenance sessions, such as Remote Procedure Calls (RPCs): these exist at the Session Layer. A good way to remember the Session Layer's function is "connections between applications." The Session Layer uses simplex, half-duplex, and full-duplex communication.
Exam Warning
The Transport and Session Layers are often confused. For example, is "maintenance of connections" a Transport Layer or Session Layer issue? Packets are sequenced at the Transport Layer, and network file shares can be remounted at the Session Layer: you may consider either to be "maintenance." Words like "maintenance" imply more work than packet sequencing or retransmission: it requires heavier lifting, like remounting a network share that has been unmounted, so Session Layer is the best answer.
Layer 6: Presentation
The Presentation Layer presents data to the application (and user) in a comprehensible way. Presentation Layer concepts include data conversion, character sets such as ASCII, and image formats such as GIF (Graphics Interchange Format), JPEG (Joint Photographic Experts Group), and TIFF (Tagged Image File Format).
Layer 7: Application
The Application Layer is where you interface with your computer application. Your Web browser, word processor, and instant messaging client exist at Layer 7. The protocols Telnet and FTP are Application Layer protocols.
The TCP/IP model
The TCP/IP model (Transmission Control Protocol/Internet Protocol) is a popular network model created by the U.S. Defense Advanced Research Projects Agency in the 1970s. TCP/IP is an informal name (named after the first two protocols created); the formal name is the Internet Protocol Suite. The TCP/IP model is simpler than the OSI model, as shown in Table 2.2.
Table 2.2
The OSI Model vs. TCP/IP Model
While TCP and IP receive "top billing," TCP/IP is actually a suite of protocols including UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol), among many others.
Network Access Layer
The Network Access Layer of the TCP/IP model combines Layers 1 (Physical) and 2 (Data Link) of the OSI model. It describes Layer 1 issues such as energy, bits, and the medium used to carry them (copper, fiber, wireless, etc.). It also describes Layer 2 issues such as converting bits into protocol units such as Ethernet frames, MAC (Media Access Control) addresses, and Network Interface Cards (NICs).
Internet Layer
The Internet Layer of the TCP/IP model aligns with the Layer 3 (Network) Layer of the OSI model. This is where IP addresses and routing live. When data is transmitted from a node on one LAN to a node on a different LAN, the Internet Layer is used. IPv4, IPv6, ICMP, and routing protocols (among others) are Internet Layer TCP/IP protocols.
Host-to-Host Transport Layer
The Host-to-Host Transport Layer (sometimes called either "Host-to-Host" or, more commonly, "Transport" alone; this book will use "Transport") connects the Internet Layer to the Application Layer. It is where applications are addressed on a network, via ports. TCP and UDP are the two Transport Layer protocols of TCP/IP.
Application Layer
The TCP/IP Application Layer combines Layers 5 through 7 (Session, Presentation, and Application) of the OSI model. Most of these protocols use a client-server architecture, where a client (such as ssh) connects to a listening server (called a daemon on UNIX systems) such as sshd. The clients and servers use either TCP or UDP (and sometimes both) as a Transport Layer protocol. TCP/IP Application Layer protocols include SSH, Telnet, and FTP, among many others.
MAC addresses
A Media Access Control (MAC) address is the unique hardware address of an Ethernet network interface card (NIC), typically "burned in" at the factory. MAC addresses may be changed in software.
Did You Know?
Historically, MAC addresses were 48 bits long. They have two halves: the first 24 bits is the Organizationally Unique Identifier (OUI) and the last 24 bits is a serial number (formally called an extension identifier).
The IEEE created the EUI-64 (Extended Unique Identifier) standard for 64-bit MAC addresses. The OUI is still 24 bits, but the serial number is 40 bits. This allows far more MAC addresses, compared with 48-bit addresses. IPv6 autoconfiguration is compatible with both types of MAC addresses.
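As an added illustration (not part of the book's text) of how a 48-bit MAC is expanded to EUI-64 and then used as the interface identifier in IPv6 stateless autoconfiguration, here is a Python example. The MAC value is constructed; the prefix is the RFC 3849 documentation prefix 2001:db8::/64. The 0xFFFE insertion and the flip of the universal/local bit follow RFC 4291 Appendix A. The example goes one step beyond the text by showing the defender's concern with this scheme: the hardware address, and so the vendor OUI, can be read straight back out of the resulting IPv6 address.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample values for this example (not taken from the book).
SAMPLE_MAC48 = "00:1a:2b:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8::/64"  # documentation prefix, RFC 3849


def parse_mac(mac: str) -> bytes:
    """Accept a 48-bit (6 octet) or EUI-64 (8 octet) address, colon or dash separated."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) not in (6, 8):
        raise ValueError(f"expected 6 or 8 octets, got {len(parts)}")
    return bytes(int(p, 16) for p in parts)


def fmt(addr: bytes) -> str:
    return ":".join(f"{b:02x}" for b in addr)


def split_oui(addr: bytes) -> Tuple[str, str]:
    """First 24 bits: Organizationally Unique Identifier; the rest: extension identifier."""
    return fmt(addr[:3]), fmt(addr[3:])


def to_eui64(addr: bytes) -> bytes:
    """Expand a 48-bit MAC to EUI-64 by inserting 0xFFFE between OUI and extension.

    A native EUI-64 address (8 octets) is already the right size and is returned as-is.
    """
    if len(addr) == 8:
        return addr
    return addr[:3] + b"\xff\xfe" + addr[3:]


def modified_eui64(eui64: bytes) -> bytes:
    """RFC 4291 Appendix A: invert the universal/local bit (0x02 in the first octet)."""
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the modified EUI-64 interface identifier derived from mac."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a /64 prefix")
    iid = modified_eui64(to_eui64(parse_mac(mac)))
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def mac_from_slaac_address(addr: str) -> Optional[str]:
    """Defender's view: if an address carries a modified EUI-64 built from a 48-bit MAC,
    anyone who sees the address can recover the hardware address and its OUI."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # not built from a 48-bit MAC (for example a random or manual identifier)
    return fmt(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    raw = parse_mac(SAMPLE_MAC48)
    print("OUI / extension:", split_oui(raw))
    print("EUI-64:         ", fmt(to_eui64(raw)))
    print("modified EUI-64:", fmt(modified_eui64(to_eui64(raw))))
    print("SLAAC address:  ", slaac_address(SAMPLE_PREFIX, SAMPLE_MAC48))
    print("MAC recovered:  ", mac_from_slaac_address(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC48)))
```

Because the interface identifier follows the host across networks, a MAC-derived identifier lets an observer track the device; RFC 4941 privacy extensions (temporary, randomly generated identifiers) exist for that reason, and `mac_from_slaac_address` returns `None` for such addresses.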
IPv4
IPv4 is Internet Protocol version 4, commonly called "IP." It is the fundamental protocol of the Internet, designed in the 1970s to support packet-switched networking for the U.S. Defense Advanced Research Projects Agency (DARPA). IPv4 was used for the ARPAnet, which later became the Internet.
IP is a simple protocol, designed to carry data across networks. It is so simple that it requires a helper protocol called ICMP (see below). If connections or reliability is required, it must be provided by a higher-level protocol carried by IP, such as TCP.
IPv4 uses 32-bit source and destination addresses, usually shown in "dotted quad" format, such as 192.168.2.4. A 32-bit address field allows 2^32, or nearly 4.3 billion, addresses.
IPv6
IPv6 is the successor to IPv4, featuring far larger address space (128-bit addresses compared to IPv4's 32 bits), simpler routing, and simpler address assignment. A lack of IPv4 addresses was the primary factor that led to the creation of IPv6.
Did You Know?
Systems may be "dual stack" and use both IPv4 and IPv6 simultaneously. Hosts may also access IPv6 networks via IPv4; this is called tunneling.
TCP
TCP is the Transmission Control Protocol, a reliable Layer 4 protocol. TCP uses a three-way handshake to create reliable connections across a network. TCP can reorder segments that arrive out of order and retransmit missing segments.
TCP ports
TCP connects from a source port to a destination port. The TCP port field is 16 bits, allowing port numbers from 0 to 65535.
There are two types of ports: reserved and ephemeral. A reserved port is 1023 or lower; ephemeral ports are 1024 to 65535. Most operating systems require superuser privileges to open a reserved port. Any user may open an (unused) ephemeral port.
UDP
UDP is the User Datagram Protocol, a simpler and faster cousin to TCP. UDP is commonly used for applications that are "lossy" (can handle some packet loss), such as streaming audio and video. It is also used for query-response applications, such as DNS queries.
ICMP
ICMP is the Internet Control Message Protocol, a helper protocol that helps Layer 3. ICMP is used to troubleshoot and report error conditions: Without ICMP to help, IP would fail when faced with routing loops, ports, hosts, or networks that are down, etc. ICMP has no concept of ports, as TCP and UDP do, but instead uses types and codes.
Application-Layer TCP/IP protocols and concepts
A multitude of protocols exist at TCP/IP's Application Layer, which combines the Presentation, Session, and Application Layers of the OSI model.
Telnet
Telnet provides terminal emulation over a network. Telnet servers listen on TCP port 23. Telnet was the standard way to access an interactive command shell over a network for over 20 years.
Telnet is weak because it provides no confidentiality: all data transmitted during a Telnet session is plaintext, including the username and password used to authenticate to the system.
FTP
FTP is the File Transfer Protocol, used to transfer files to and from servers. Like Telnet, traditional FTP has no confidentiality or integrity and should not be used to transfer sensitive data over insecure channels.
SSH
SSH was designed as a secure replacement for Telnet, FTP, and the UNIX "R" commands (rlogin, rshell, etc.). It provides confidentiality, integrity, and secure authentication, among other features. SSH can also be used to securely tunnel other protocols, such as HTTP. SSH servers listen on TCP port 22 by default.
SMTP, POP, and IMAP
SMTP is the Simple Mail Transfer Protocol, used to transfer email between servers. SMTP servers listen on TCP port 25. POPv3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) are used for client-server email access, which use TCP ports 110 and 143, respectively.
DNS
DNS is the Domain Name System, a distributed global hierarchical database that translates names to IP addresses and vice versa. DNS uses both TCP and UDP: small answers use UDP port 53; large answers (such as zone transfers) use TCP port 53.
HTTP and HTTPS
HTTP is the Hypertext Transfer Protocol, which is used to transfer unencrypted Web-based data. HTTPS (Hypertext Transfer Protocol Secure) transfers encrypted Web-based data via SSL/TLS. HTTP uses TCP port 80, and HTTPS uses TCP port 443. HTML (Hypertext Markup Language) is used to display Web content.
LAN technologies and protocols
Local Area Network concepts focus on Layer 1 to 3 technologies such as network cabling types, physical and logical network topologies, Ethernet, FDDI, and others.
Ethernet
Ethernet operates at Layer 2 and is a dominant Local Area Networking technology that transmits network data via frames. Ethernet is baseband (one channel), so it must address issues such as collisions, where two nodes attempt to transmit data simultaneously.
WAN technologies and protocols
ISPs and other long-haul network providers, whose networks span from cities to countries, often use Wide Area Network technologies. Many of us have hands-on experience configuring LAN technologies such as connecting Cat5 network cabling; it is less common to have hands-on experience building WANs.
T1s, T3s, E1s, and E3s
There are a number of international circuit standards: the most prevalent are T-carriers (United States) and E-carriers (Europe).
Fast Facts
Here is a summary of common circuits:
A T1 is a dedicated 1.544-megabit circuit that carries 24 64-bit DS0 (Digital Signal 0) channels.
A T3 is 28 bundled T1s, forming a 44.736-megabit circuit.
An E1 is a dedicated 2.048-megabit circuit that carries 30 channels.
An E3 is 16 bundled E1s, forming a 34.368-megabit circuit.
Frame Relay
Frame Relay is a packet-switched Layer 2 WAN protocol that provides no error recovery and focuses on speed. Higher-layer protocols carried by Frame Relay, such as TCP/IP, can be used to provide reliability.
Frame Relay multiplexes multiple logical connections over a single physical connection to create Virtual Circuits; this shared-bandwidth model is an alternative to dedicated circuits such as T1s. A PVC (Permanent Virtual Circuit) is always connected, analogous to a real dedicated circuit like a T1. A Switched Virtual Circuit (SVC) sets up each "call," transfers data, and terminates the connection after an idle timeout.
MPLS
Multiprotocol Label Switching (MPLS) provides a way to forward WAN data via labels, via a shared MPLS cloud network. Decisions are based on labels and not encapsulated header data (such as an IP header). MPLS can carry voice and data and be used to simplify WAN routing.
Repeaters and hubs are Layer 1 devices. A repeater receives bits on one port and "repeats" them out the other port. The repeater has no understanding of protocols; it simply repeats bits. Repeaters are often used to extend the length of a network.
A hub is a repeater with more than two ports. It receives bits on one port and repeats them across all other ports.
Bridges
Bridges and switches are Layer 2 devices. A bridge has two ports and connects network segments together. Each segment typically has multiple nodes, and the bridge learns the MAC addresses of nodes on either side. Traffic sent from two nodes on the same side of the bridge will not be forwarded across the bridge. Traffic sent from a node on one side of the bridge to the other side will forward across. The bridge provides traffic isolation and makes forwarding decisions by learning the MAC addresses of connected nodes. A bridge has two collision domains.
Switches
A switch is a bridge with more than two ports. Also, it is best practice to only connect one device per switch port. Otherwise, everything that is true about a bridge is also true about a switch.
Figure 2.1 shows a network switch. The switch provides traffic isolation by associating the MAC address of each computer and server with its port.
FIGURE 2.1 Network switch.
A switch shrinks the collision domain to a single port. You will normally have no collisions assuming one device is connected per port (which is best practice).
Trunks are used to connect multiple switches.
Routers
Routers are Layer 3 devices that route traffic from one LAN to another. IP-based routers make routing decisions based on the source and destination IP addresses.
Firewalls
Firewalls filter traffic between networks. TCP/IP packet filter and stateful firewalls make decisions based on Layers 3 and 4 (IP addresses and ports). Proxy firewalls can also make decisions based on Layers 5 to 7. Firewalls are multihomed: they have multiple NICs connected to multiple different networks.
Packet filter
A packet filter is a simple and fast firewall. It has no concept of "state": each filtering decision must be made on the basis of a single packet. There is no way to refer to past packets to make current decisions.
The packet filtering firewall shown in Figure 2.2 allows outbound ICMP echo requests and inbound ICMP echo replies. Computer 1 can ping bank.example.com. The problem: an attacker at evil.example.com can send unsolicited echo replies, which the firewall will allow.
FIGURE 2.2 Packet filter firewall design.
Stateful firewalls
Stateful firewalls have a state table that allows the firewall to compare current packets to previous ones. Stateful firewalls are slower than packet filters, but are far more secure.
Computer 1 sends an ICMP Echo Request to bank.example.com in Figure 2.3. The firewall is configured to allow ping to Internet sites, so the stateful firewall allows the traffic and adds an entry to its state table.
FIGURE 2.3 Stateful firewall design.
An Echo Reply is then received from bank.example.com to Computer 1 in Figure 2.3. The firewall checks to see if it allows this traffic (it does) and then checks the state table for a matching echo request in the opposite direction. The firewall finds the matching entry, deletes it from the state table, and passes the traffic.
Then evil.example.com sends an unsolicited ICMP echo reply. The stateful firewall, shown in Figure 2.3, sees no matching state table entry and denies the traffic.
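To make the difference between Figures 2.2 and 2.3 concrete, here is an added Python model (not code from the book) of both firewalls handling the three packets described above: the echo request from Computer 1, the solicited reply from bank.example.com, and the unsolicited reply from evil.example.com. The host names are the book's; the `Packet` class, the ICMP identifier value, and the rule set are constructed for the example. The stateful model also keys its table on the ICMP identifier, which is what real stateful inspection uses to pair an echo reply with its request.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type values

# Constructed topology: Computer 1 is on the protected LAN; every other host is on the Internet.
INSIDE_HOSTS = {"computer1"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # only "icmp" is modelled here
    icmp_type: int
    ident: int      # ICMP identifier; a reply echoes the request's value


class PacketFilter:
    """Stateless filter matching Figure 2.2: allow outbound echo requests and inbound
    echo replies. Each packet is judged on its own header fields, nothing else."""

    def decide(self, pkt: Packet) -> str:
        outbound = pkt.src in INSIDE_HOSTS
        if pkt.proto == "icmp" and outbound and pkt.icmp_type == ECHO_REQUEST:
            return "allow"
        if pkt.proto == "icmp" and not outbound and pkt.icmp_type == ECHO_REPLY:
            return "allow"  # nothing here distinguishes a solicited reply from an unsolicited one
        return "deny"


class StatefulFirewall:
    """Same rule set as the packet filter, plus the state table of Figure 2.3."""

    def __init__(self) -> None:
        self.state: Set[Tuple[str, str, int]] = set()  # (inside host, outside host, ident)

    def decide(self, pkt: Packet) -> str:
        outbound = pkt.src in INSIDE_HOSTS
        if pkt.proto == "icmp" and outbound and pkt.icmp_type == ECHO_REQUEST:
            self.state.add((pkt.src, pkt.dst, pkt.ident))  # a reply is now expected
            return "allow"
        if pkt.proto == "icmp" and not outbound and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.ident)  # the request ran in the opposite direction
            if key in self.state:
                self.state.discard(key)  # one reply per request, as the text describes
                return "allow"
            return "deny"  # no matching request: unsolicited
        return "deny"


def run(firewall, packets: List[Packet]) -> List[str]:
    """Feed packets through a firewall in order and collect its decisions."""
    return [firewall.decide(p) for p in packets]


# The three packets from the text, in order (identifier 0x1234 is a constructed value).
TRAFFIC = [
    Packet("computer1", "bank.example.com", "icmp", ECHO_REQUEST, 0x1234),
    Packet("bank.example.com", "computer1", "icmp", ECHO_REPLY, 0x1234),
    Packet("evil.example.com", "computer1", "icmp", ECHO_REPLY, 0x1234),
]

if __name__ == "__main__":
    print("packet filter:    ", run(PacketFilter(), TRAFFIC))
    print("stateful firewall:", run(StatefulFirewall(), TRAFFIC))
```

The packet filter returns allow for all three; the stateful firewall allows the first two and denies the third. Because the matching entry is removed once the reply passes, a second copy of the bank's reply is also denied, which is the same mechanism that blocks the unsolicited one.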
Proxy firewalls
Proxies are firewalls that act as intermediary servers. Both packet filter and stateful firewalls pass traffic through or deny it: they are another "hop" along the route. Proxies terminate connections.
Application-Layer Proxy firewalls
Application-Layer Proxy firewalls operate up to Layer 7. Unlike packet filter and stateful firewalls that make decisions based on Layers 3 and 4 only, Application-Layer proxies can make filtering decisions based on Application-Layer data, such as HTTP traffic, in addition to Layers 3 and 4.
Modem
A modem is a modulator/demodulator. It takes binary data and modulates it into analog sound that can be carried on phone networks designed to carry the human voice. The receiving modem then demodulates the analog sound back into binary data.
Intrusion Detection Systems and Intrusion Prevention Systems
An Intrusion Detection System (IDS) is a detective device designed to detect malicious (including policy-violating) actions. An Intrusion Prevention System (IPS) is a preventive device designed to prevent malicious actions. There are two basic types of IDSs and IPSs: network-based and host-based.
Endpoint security
Because endpoints are the targets of attacks, preventive and detective capabilities on the endpoints themselves provide a layer of defense beyond network-centric security devices.
Many point products can be considered part of an overall endpoint security suite. The most important are antivirus, application whitelisting, removable media controls, disk encryption, Host Intrusion Prevention Systems, and desktop firewalls.
Antivirus
The most commonly deployed endpoint security product is antivirus software. Antivirus is one layer (of many) of endpoint security defense in depth. Although antivirus vendors often employ heuristic or statistical methods for malware detection, the predominant means of detecting malware is still signature-based.
Signature-based approaches require that a malware specimen is available to the antivirus vendor for the creation of a signature. This is an example of blacklisting.
Application whitelisting
Application whitelisting is a more recent addition to endpoint security suites. The primary focus of application whitelisting is to determine in advance which binaries are considered safe to execute on a given system. Once this baseline has been established, any binary attempting to run that is not on the list of known good binaries is prevented from executing. A weakness of this approach is when a known good binary is exploited by an attacker and used maliciously.
Removable media controls
Another recent endpoint security product assists with removable media control. Malware delivery and data exfiltration have compelled organizations to exert stricter control over what type of removable media may be connected. Removable media control products are the technical control that matches administrative controls such as policy mandates against unauthorized use of removable media.
Disk encryption
Another endpoint security product found with increasing regularity is disk encryption software. Full Disk Encryption (FDE), also called whole disk encryption, encrypts an entire disk. This is superior to partially encrypted solutions, such as encrypted volumes, directories, folders, or files. The problem with the latter approach is the risk of leaving sensitive data on an unencrypted area of the disk.
SECURE COMMUNICATIONS
Protecting data in motion is one of the most complex challenges we face. The Internet provides cheap global communication with little or no built-in confidentiality, integrity, or availability.
Authentication protocols and frameworks
An authentication protocol authenticates an identity claim over the network. Good security design assumes that a network eavesdropper may sniff all packets sent between the client and authentication server: the protocol should remain secure. As we will see shortly, PAP fails this test, but CHAP and EAP pass.
PAP and CHAP
PAP (Password Authentication Protocol) is a very weak authentication protocol. It sends the username and password in cleartext. An attacker who is able to sniff the authentication process can launch a simple replay attack, by replaying the username and password, using them to log in. PAP is insecure and should not be used.
CHAP (Challenge Handshake Authentication Protocol) is a more secure authentication protocol that does not expose the cleartext password and is not susceptible to replay attacks. CHAP relies on a shared secret: the password. The password is securely created (such as during account enrollment) and stored on the CHAP server. Since both the user and the CHAP server share a secret (the plaintext password), they can use that secret to securely authenticate.
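An added example, not from the book: a minimal CHAP exchange in Python following RFC 1994, where the response is MD5(Identifier || secret || Challenge), with both the client and server sides shown. A list named `wire` stands in for the eavesdropper the text describes, so the example can check the two properties claimed above: the shared secret never appears on the wire, and a captured response does not authenticate a second session because the server has issued a fresh challenge by then. The username and secret are constructed; MD5 is used because RFC 1994 specifies it for CHAP, not as a recommendation for new designs.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed credentials for the example.
USERNAME = "alice"
SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, users: Dict[str, bytes]) -> None:
        self.users = users  # username -> shared secret, held in the clear as the text notes
        self.pending: Dict[str, Tuple[int, bytes]] = {}  # outstanding (identifier, challenge)
        self.next_id = 0

    def challenge(self, username: str) -> Tuple[int, bytes]:
        """Issue a fresh random challenge; the identifier also changes on every attempt."""
        self.next_id = (self.next_id + 1) & 0xFF
        chal = secrets.token_bytes(16)
        self.pending[username] = (self.next_id, chal)
        return self.next_id, chal

    def verify(self, username: str, identifier: int, response: bytes) -> bool:
        if username not in self.users or username not in self.pending:
            return False
        expected_id, chal = self.pending.pop(username)  # each challenge is usable once
        if identifier != expected_id:
            return False
        expected = chap_response(identifier, self.users[username], chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class ChapClient:
    def __init__(self, username: str, secret: bytes) -> None:
        self.username, self.secret = username, secret

    def answer(self, identifier: int, challenge: bytes) -> Tuple[str, int, bytes]:
        return self.username, identifier, chap_response(identifier, self.secret, challenge)


def authenticate(server: ChapServer, client: ChapClient, wire: List[tuple]) -> bool:
    """One CHAP exchange; every message is appended to `wire`, which plays the eavesdropper."""
    ident, chal = server.challenge(client.username)
    wire.append(("challenge", ident, chal))
    user, ident, resp = client.answer(ident, chal)
    wire.append(("response", user, ident, resp))
    return server.verify(user, ident, resp)


def replay_is_rejected(server: ChapServer, wire: List[tuple]) -> bool:
    """Property check: the most recent captured response must not open a new session."""
    _, user, ident, resp = [m for m in wire if m[0] == "response"][-1]
    server.challenge(user)  # the new session gets its own challenge and identifier
    return not server.verify(user, ident, resp)


def secret_on_wire(wire: List[tuple], secret: bytes) -> bool:
    """True if the shared secret appears in any captured message; CHAP should give False."""
    return any(secret in m[-1] for m in wire if isinstance(m[-1], bytes))


if __name__ == "__main__":
    server = ChapServer({USERNAME: SECRET})
    wire: List[tuple] = []
    print("genuine client accepted:", authenticate(server, ChapClient(USERNAME, SECRET), wire))
    print("replay rejected:        ", replay_is_rejected(server, wire))
    print("wrong secret rejected:  ", not authenticate(server, ChapClient(USERNAME, b"guess"), wire))
    print("secret visible on wire: ", secret_on_wire(wire, SECRET))
```

Contrast this with PAP, where the equivalent of `wire` would contain the username and password themselves, so `secret_on_wire` would be True and a replay would succeed. Note also what CHAP does not give you: the server must keep the plaintext secret, which is the storage weakness the text flags for Kerberos as well.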
802.1X and EAP
802.1X is Port Based Network Access Control and includes EAP (Extensible Authentication Protocol). EAP is an authentication framework that describes many specific authentication protocols. EAP is designed to provide authentication at Layer 2 (it is port based, like ports on a switch), before a node receives an IP address. It is available for both wired and wireless, but is most commonly deployed on WLANs. An EAP client is called a supplicant, which requests authentication to a server called an authenticator.
Fast Facts
There are many types of EAP; we will focus on LEAP, EAP-TLS, EAP-TTLS, and PEAP.
LEAP (Lightweight Extensible Authentication Protocol) is a Cisco-proprietary protocol released before 802.1X was finalized. LEAP has significant security flaws and should not be used.
EAP-TLS (EAP Transport Layer Security) uses PKI, requiring both server-side and client-side certificates. EAP-TLS establishes a secure TLS tunnel used for authentication. EAP-TLS is very secure due to the use of PKI, but is complex and costly for the same reason. The other major versions of EAP attempt to create the same TLS tunnel without requiring a client-side certificate.
EAP-TTLS (EAP Tunneled Transport Layer Security), developed by Funk Software and Certicom, simplifies EAP-TLS by dropping the client-side certificate requirement, allowing other authentication methods (such as password) for client-side authentication. EAP-TTLS is thus easier to deploy than EAP-TLS, but less secure when omitting the client-side certificate.
PEAP (Protected EAP) was jointly developed by Cisco Systems, Microsoft, and RSA Security. It is similar to (and may be considered a competitor to) EAP-TTLS, including not requiring client-side certificates.
VPN
Virtual Private Networks (VPNs) secure data sent via insecure networks such as the Internet. The goal is to provide the privacy provided by a circuit such as a T1, virtually. The nuts and bolts of VPNs involve secure authentication, cryptographic hashes such as SHA-1 to provide integrity, and ciphers such as AES to provide confidentiality.
PPP
PPP (Point-to-Point Protocol) is a Layer 2 protocol that adds confidentiality, integrity, and authentication via point-to-point links. PPP supports synchronous links (such as T1s) in addition to asynchronous links such as modems.
IPsec
IPv4 has no built-in confidentiality; higher-layer protocols such as TLS are used to provide security. To address this lack of security at Layer 3, IPsec (Internet Protocol Security) was designed to provide confidentiality, integrity, and authentication via encryption for both IPv4 and IPv6. IPsec is a suite of protocols; the major two are Encapsulating Security Protocol (ESP) and Authentication Header (AH). Each has an IP protocol number: ESP is protocol 50; AH is protocol 51.
SSL and TLS
Secure Sockets Layer (SSL) was designed to protect HTTP (Hypertext Transfer Protocol) data: HTTPS uses TCP port 443. TLS (Transport Layer Security) is the latest version of SSL, equivalent to SSL version 3.1. The current version of TLS is 1.2.
Though initially Web-focused, SSL or TLS may be used to encrypt many types of data and can be used to tunnel other IP protocols to form VPN connections. SSL VPNs can be simpler than their IPsec equivalents: IPsec makes fundamental changes to IP networking, so installation of IPsec software changes the operating system (which requires superuser privileges). SSL client software does not require altering the operating system. Also, IPsec is difficult to firewall; SSL is much simpler.
VoIP
Voice over Internet Protocol (VoIP) carries voice via data networks. VoIP brings the advantages of packet-switched networks, such as lower cost and resiliency, to the telephone. With the advent of VoIP, many organizations have lowered costs by combining voice and data services on packet-switched networks.
Common VoIP protocols include Real-time Transport Protocol (RTP), designed to carry streaming audio and video. VoIP protocols carried by RTP include SIP (Session Initiation Protocol, a signaling protocol) and H.323. SRTP (Secure Real-time Transport Protocol) may be used to provide secure VoIP, including confidentiality, integrity, and secure authentication. SRTP uses AES for confidentiality and SHA-1 for integrity.
While VoIP can provide compelling cost advantages (especially for new sites, without a large legacy voice investment), there are security concerns. Many VoIP protocols, such as SIP, provide little or no security by default.
Wireless Local Area Networks
Wireless Local Area Networks (WLANs) transmit information via electromagnetic waves (such as radio) or light. Historically, wireless data networks have been very insecure, often relying on the (perceived) difficulty in attacking the confidentiality or integrity of the traffic. This perception is usually misplaced. The most common form of wireless data networking is the 802.11 wireless standard, and the first 802.11 standard with reasonable security is 802.11i.
FHSS, DSSS, and OFDM
Frequency Hopping Spread Spectrum (FHSS) and Direct Sequence Spread Spectrum (DSSS) are two methods for sending traffic via a radio band. Some bands, like the 2.4 GHz ISM band, can be quite polluted with interference: Bluetooth, some cordless phones, some 802.11 wireless, baby monitors, and even microwaves can broadcast or interfere with this band. Both DSSS and FHSS are designed to maximize throughput while minimizing the effects of interference.
DSSS uses the entire band at once, spreading the signal throughout the band. FHSS uses a number of small frequency channels throughout the band and hops through them in pseudorandom order.
Orthogonal Frequency-Division Multiplexing (OFDM) is a newer multiplexing method, allowing simultaneous transmission using multiple independent wireless frequencies that do not interfere with each other.
802.11 abgn
802.11 wireless has many standards, using various frequencies and speeds. The original mode is simply called 802.11 (sometimes 802.11-1997, based on the year it was created), which operated at 2 megabits per second (mbps) using the 2.4 GHz frequency; it was quickly supplanted by 802.11b, at 11 mbps. 802.11g was designed to be backward compatible with 802.11b devices, offering speeds up to 54 mbps using the 2.4 GHz frequency. 802.11a offers the same top speed, using the 5 GHz frequency.
802.11n uses both 2.4 and 5 GHz frequencies and is able to use multiple antennas with multiple-input multiple-output (MIMO). This allows speeds of 144 mbps and beyond. Table 2.3 summarizes the major types of 802.11 wireless.
Table 2.3
Types of 802.11 Wireless
WEP
WEP is the Wired Equivalent Privacy protocol, an early attempt (first ratified in 1999) to provide 802.11 wireless security. WEP has proven to be critically weak: new attacks can break any WEP key in minutes. Due to these attacks, WEP effectively provides little integrity or confidentiality protection: WEP is considered broken and its use is strongly discouraged. 802.11i and/or other encryption methods such as VPN should be used in place of WEP.
802.11i
802.11i is the first 802.11 wireless security standard that provides reasonable security. 802.11i describes a Robust Security Network (RSN), which allows pluggable authentication modules. RSN allows changes to cryptographic ciphers as new vulnerabilities are discovered.
Crunch Time
RSN is also known as WPA2 (Wi-Fi Protected Access 2), a full implementation of 802.11i. By default, WPA2 uses AES encryption to provide confidentiality and CCMP (Counter Mode CBC-MAC Protocol) to create a Message Integrity Check (MIC), which provides integrity. WPA2 may (optionally) use the less secure RC4 (Rivest Cipher 4) and TKIP (Temporal Key Integrity Protocol) ciphers to provide confidentiality and integrity, respectively.
The less secure WPA (without the 2) was designed for access points that lack the power to implement the full 802.11i standard, providing a better security alternative to WEP. WPA uses RC4 for confidentiality and TKIP for integrity. Usage of WPA2 is recommended over WPA.
Bluetooth
Bluetooth, described by IEEE standard 802.15, is a Personal Area Network (PAN) wireless technology, operating in the same 2.4 GHz frequency as many types of 802.11 wireless. Bluetooth can be used by small low-power devices such as cell phones to transmit data over short distances. Bluetooth versions 2.1 and older operate at 3 mbps or less; versions 3 and 4 offer far faster speeds.
RFID
Radio Frequency Identification (RFID) is a technology used to create wirelessly readable tags for animals or objects. There are three types of RFID tags: active, semi-passive, and passive. Active and semi-passive RFID tags have a battery; an active tag broadcasts a signal; semi-passive RFID tags rely on an RFID reader's signal for power. Passive RFID tags have no battery and also rely on the RFID reader's signal for power.
Remote access
In an age of telecommuting and the mobile workforce, secure remote access is a critical control. This includes connecting mobile users via methods such as DSL or Cable Modem, security mechanisms such as callback, and newer concerns such as instant messaging and remote meeting technology.
Remote desktop console access
Many users require remote access to computers' consoles. Naturally, some form of secure conduit like an IPSec VPN, SSH, or SSL tunnel should be used to ensure confidentiality of the connection, especially if the connection originates from outside the organization.
Two common modern protocols providing for remote access to a desktop are Virtual Network Computing (VNC), which typically runs on TCP 5900, and Remote Desktop Protocol (RDP), which typically runs on TCP port 3389. VNC and RDP allow for graphical access of remote systems, as opposed to the older terminal-based approach to remote access. RDP is a proprietary Microsoft protocol.
Increasingly, users are expecting easy access to a graphical desktop over the Internet that can be established quickly and from any number of personal devices. These expectations can prove difficult with traditional VNC and RDP-based approaches, which, for security purposes, are frequently tunneled over an encrypted channel such as a VPN.
A recent alternative to these approaches is to use a reverse tunnel, which allows a user who established an outbound encrypted tunnel to connect back in through the same tunnel. This usually requires a small agent installed on the user's computer that will initiate an outbound connection using HTTPS over TCP 443. This connection will terminate at a central server, which the user can connect to from outside the office in order to take control of their desktop machine.
Desktop and application virtualization
In addition to accessing standalone desktop systems remotely, another approach to providing remote access to computing resources is through desktop and application virtualization. Desktop virtualization is an approach that provides a centralized infrastructure that hosts a desktop image that can be remotely leveraged by the workforce. Desktop virtualization is often referred to as VDI.
As opposed to providing a full desktop environment, an organization can choose to simply virtualize key applications that will be served centrally. Like desktop virtualization, the centralized control associated with application virtualization allows the organization to employ strict access control and perhaps more quickly patch the application. Additionally, application virtualization can also be used to run legacy applications that would otherwise be unable to run on the systems employed by the workforce.
DSL
Digital Subscriber Line (DSL) is a last-mile solution that uses existing copper pairs to provide digital service to homes and small offices.
Common types of DSL are Symmetric Digital Subscriber Line (SDSL, with matching upload and download speeds), Asymmetric Digital Subscriber Line (ADSL, featuring faster download speeds than upload), and Very High Rate Digital Subscriber Line (VDSL, featuring much faster asymmetric speeds). Another option is HDSL (High-data-rate DSL), which matches SDSL speeds using two pairs of copper; HDSL is used to provide inexpensive T1 service. As a general rule, the closer a site is to the Central Office (CO), the faster the available service.
Table 2.4 summarizes the speeds and modes of DSL.
Table 2.4
DSL Speed and Distances
Source: DSL and Cable Modem Networks, http://www.ciscopress.com/articles/article.asp?p=31289 [accessed June 26, 2013].
Cable Modems
Cable Modems are used by cable TV providers to provide Internet access via broadband cable TV. Cable TV access is not ubiquitous, but is available in most large towns and cities in industrialized areas. Unlike DSL, Cable Modem bandwidth is typically shared with neighbors on the same network segment.
Instant messaging
Instant messaging allows two or more users to communicate with each other via real-time chat. Chat may be one-to-one or many-to-many via chat groups. In addition to chatting, most modern instant messaging software allows file sharing and sometimes audio and video conferencing.
An older instant messaging protocol is IRC (Internet Relay Chat), a global network of chat servers and clients created in 1988 and remaining very popular even today. Other chat protocols and networks include AOL Instant Messenger (AIM), ICQ (short for "I seek you"), and Extensible Messaging and Presence Protocol (XMPP) (formerly known as Jabber).
Chat software may be subject to various security issues, including remote exploitation, and must be patched like any other software. The file sharing capability of chat software may allow users to violate policy by distributing sensitive documents, and similar issues can be raised by the audio and video sharing capability of many of these programs.
Remote meeting technology
Remote meeting technology is a newer technology that allows users to conduct online meetings via the Internet, including desktop sharing functionality. These technologies usually include displaying PowerPoint slides on all PCs connected to a meeting, sharing documents such as spreadsheets, and also sharing audio or video.
Many of these solutions are designed to tunnel outbound SSL or TLS traffic, which can often pass via firewalls and any Web proxies. Usage of remote meeting technologies should be understood, controlled, and compliant with all applicable policy.
packet filter to stateful. Our physical design evolved from buses to stars, providing fault tolerance and hardware isolation. We have evolved from hubs to switches that provide traffic isolation. We have added detective devices such as HIDS and NIDS and preventive devices such as HIPS and NIPS. We have deployed secure protocols such as TLS and IPsec.
We have improved our network defense-in-depth every step of the way and increased the confidentiality, integrity, and availability of our network data.
4. What is the most secure type of firewall?
A. Packet filter
B. Stateful firewall
C. Circuit-level Proxy firewall
D. Application-Layer Proxy firewall
5. Accessing an IPv6 network via an IPv4 network is called what?
A. CIDR
B. NAT
C. Translation
D. Tunneling
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. EAP-TTLS and PEAP are similar and don't require client-side certificates. LEAP is a Cisco-proprietary protocol that does not require client-side certificates, and also has fundamental security weaknesses.
4. Correct answer and explanation: D. Answer D is correct; Application-Layer firewalls are the most secure: they have the ability to filter based on OSI layers three through seven.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. All are firewalls. A packet filter is the least secure of the four, due to the lack of state. A stateful firewall is more secure than a packet filter, but its decisions are limited to Layers 3 and 4. Circuit-level Proxy firewalls operate at Layer 5 and cannot filter based on application Layer data.
5. Correct answer and explanation: D. Answer D is correct; accessing an IPv6 network via an IPv4 network is called tunneling.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. CIDR is Classless Interdomain Routing, a way to create flexible subnets. NAT is Network Address Translation, which translates one IP address for another. Translation is a distracter answer.
CHAPTER 3
KEYWORDS
Threat; Vulnerability; Risk; Safeguard; Quantitative Risk Analysis; Qualitative Risk Analysis; Asset Value (AV); Exposure Factor (EF); Single Loss Expectancy (SLE); Annual Rate of Occurrence (ARO); Annualized Loss Expectancy (ALE); Total Cost of Ownership (TCO); Return on Investment (ROI); Policy; Procedure; Standard; Baseline; Guideline
Introduction
Our job as information security professionals is to evaluate risks against our critical assets and deploy safeguards to mitigate those risks. We work in various roles: firewall engineers, penetration testers, auditors, management, etc. The common thread is risk: it is part of our job description.
The Information Security Governance and Risk Management domain focuses on Risk Analysis and mitigation. This domain also details security governance, or the organizational structure required for a successful information security program. The difference between organizations that are successful versus those that fail in this realm is usually not tied to dollars or size of staff: it is tied to the right people in the right roles. Knowledgeable and experienced information security staff with supportive and vested leadership is the key to success.
RISK ANALYSIS
All information security professionals assess risk: we do it so often that it becomes second nature. Accurate Risk Analysis is a critical skill for an information security professional. We must hold ourselves to a higher standard when judging risk. Our risk decisions will dictate which safeguards we deploy to protect our assets and the amount of money and resources we spend doing so. Poor decisions will result in wasted money or, even worse, compromised data.
Assets
Assets are valuable resources you are trying to protect. Assets can be data, systems, people, buildings, property, and so forth. The value or criticality of the asset will dictate what safeguards you deploy.
Threats and vulnerabilities
A threat is anything that can potentially cause harm to an asset. Threats include earthquakes, power outages, or network-based worms.
A vulnerability is a weakness that allows a threat to cause harm. Examples of vulnerabilities (matching our previous threats) are buildings that are not built to withstand earthquakes, a data center without proper backup power, or a Microsoft Windows XP system that has not been patched in a few years.
Risk = threat × vulnerability
To have risk, a threat must connect to a vulnerability. This relationship is stated by the formula:
Risk = threat × vulnerability
You can assign a value to specific risks using this formula. Assign a number to both threats and vulnerabilities. We will use a range of 1-5 (the range is arbitrary; just keep it consistent when comparing different risks).
Impact
The risk = threat × vulnerability equation sometimes uses an added variable called impact: risk = threat × vulnerability × impact. Impact is the severity of the damage, sometimes expressed in dollars.
Risk = threat × vulnerability × cost is sometimes used for that reason. A synonym for impact is consequences.
Exam Warning
Loss of human life has near-infinite impact on the exam. When calculating risk using the risk = threat × vulnerability × impact formula, any risk involving loss of human life is extremely high and must be mitigated.
The Risk Analysis Matrix uses a quadrant to map the likelihood of a risk occurring against the consequences (or impact) that risk would have. Australia/New Zealand ISO 31000:2009 Risk Management Principles and Guidelines (AS/NZS ISO 31000:2009, see http://infostore.saiglobal.com/store/Details.aspx?ProductID=1378670) describes the Risk Analysis Matrix, shown in Table 3.1.
Table 3.1
Risk Analysis Matrix
The Risk Analysis Matrix allows you to perform Qualitative Risk Analysis (see Section "Qualitative and Quantitative Risk Analysis") based on likelihood (from rare to almost certain) and consequences (or impact), from insignificant to catastrophic. The resulting scores are low (L), medium (M), high (H), and extreme risk (E). Low risks are handled via normal processes, moderate risks require management notification, high risks require senior management notification, and extreme risks require immediate action including a detailed mitigation plan (and senior management notification).
The goal of the matrix is to identify high likelihood/high consequence risks (upper right quadrant of Table 3.1) and drive them down to low likelihood/low consequence risks (lower left quadrant of Table 3.1).
Calculating Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) calculation allows you to determine the annual cost of a loss due to a risk. Once calculated, ALE allows you to make informed decisions to mitigate the risk.
This section will use an example of risk due to lost or stolen unencrypted laptops. Assume your company has 1000 laptops that contain Personally Identifiable Information (PII). You are the security officer, and you are concerned about the risk of exposure of PII due to lost or stolen laptops. You would like to purchase and deploy a laptop encryption solution. The solution is expensive, so you need to convince management that the solution is worthwhile.
Asset Value
The Asset Value (AV) is the value of the asset you are trying to protect. In this example, each laptop costs $2500, but the real value is the PII. Theft of unencrypted PII has occurred previously and has cost the company many times the value of the laptop in regulatory fines, bad publicity, legal fees, staff hours spent investigating, etc. The true average Asset Value of a laptop with PII for this example is $25,000 ($2500 for the hardware and $22,500 for the exposed PII).
Tangible assets (such as computers or buildings) are straightforward to calculate. Intangible assets are more challenging. For example, what is the value of brand loyalty? According to Deloitte, there are three methods for calculating the value of intangible assets: market approach, income approach, and cost approach:
Market Approach: This approach assumes that the fair value of an asset reflects the price at which comparable assets have been purchased in transactions under similar circumstances.
Income Approach: This approach is based on the premise that the value of a security or asset is the present value of the future earning capacity that an asset will generate over its remaining useful life.
Cost Approach: This approach estimates the fair value of the asset by reference to the costs that would be incurred in order to recreate or replace the asset.
Exposure Factor
The Exposure Factor (EF) is the percentage of value an asset lost due to an incident. In the case of a stolen laptop with unencrypted PII, the Exposure Factor is 100%: the laptop and all the data are gone.
Single Loss Expectancy
The Single Loss Expectancy (SLE) is the cost of a single loss. SLE is the Asset Value (AV) times the Exposure Factor (EF). In our case, SLE is $25,000 (Asset Value) times 100% (Exposure Factor) or $25,000.
Annual Rate of Occurrence
The Annual Rate of Occurrence (ARO) is the number of losses you suffer per year. Looking through past events, you discover that you have suffered 11 lost or stolen laptops per year on average. Your ARO is 11.
Annualized Loss Expectancy
The Annualized Loss Expectancy (ALE) is your yearly cost due to a risk. It is calculated by multiplying the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO). In our case, it is $25,000 (SLE) times 11 (ARO) or $275,000.
Table 3.2 summarizes the equations used to determine Annualized Loss Expectancy.
Table 3.2
Summary of Risk Equations
The Total Cost of Ownership (TCO) is the total cost of a mitigating safeguard. TCO combines upfront costs (often a one-time capital expense) plus annual cost of maintenance, including staff hours, vendor maintenance fees, software subscriptions, etc. These ongoing costs are usually considered operational expenses.
Using our laptop encryption example, the upfront cost of laptop encryption software is $100/laptop, or $100,000 for 1000 laptops. The vendor charges a 10% annual support fee or $10,000/year. You estimate that it will take 4 staff hours per laptop to install the software or 4000 staff hours. The staff that will perform this work makes $50/hour plus benefits. Including benefits, the staff cost per hour is $70 times 4000 hours, that is, $280,000.
Your company uses a 3-year technology refresh cycle, so you calculate the Total Cost of Ownership over 3 years:
Software cost: $100,000
Three years vendor support: $10,000 × 3 = $30,000
Hourly staff cost: $280,000
Total Cost of Ownership over 3 years: $410,000
Total Cost of Ownership per year: $410,000/3 = $136,667/year
Your Annual Total Cost of Ownership for the laptop encryption project is $136,667 per year.
Return on Investment
The Return on Investment (ROI) is the amount of money saved by implementing a safeguard. If your annual Total Cost of Ownership (TCO) is less than your Annualized Loss Expectancy (ALE), you have a positive ROI (and have made a good choice). If the TCO is higher than your ALE, you have made a poor choice.
The annual TCO of laptop encryption is $136,667; the Annualized Loss Expectancy for lost or stolen unencrypted laptops is $275,000. The math is summarized in Table 3.3.
Table 3.3
Annualized Loss Expectancy of Unencrypted Laptops
Implementing laptop encryption will change the Exposure Factor. The laptop hardware is worth $2500, and the exposed PII costs an additional $22,500 for $25,000 Asset Value. If an unencrypted laptop is lost or stolen, the Exposure Factor is 100% (the hardware and all data is exposed). Laptop encryption mitigates the PII exposure risk, lowering the Exposure Factor from 100% (the laptop and all data) to 10% (just the laptop hardware).
The lower Exposure Factor lowers the Annualized Loss Expectancy from $275,000 to $27,500 as shown in Table 3.4.
Table 3.4
Annualized Loss Expectancy of Encrypted Laptops
You will save $247,500/year (the old ALE, $275,000, minus the new ALE, $27,500) by making an investment of $136,667. Your ROI is $110,833 per year ($247,500 minus $136,667). The laptop encryption project has a positive ROI and is a wise investment.
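The chapter's calculation chain (AV × EF = SLE, SLE × ARO = ALE, TCO amortized over the refresh cycle, ROI as avoided loss minus annual TCO) carried through in Python, added here as a worked example and not the book's own code. The Risk and Safeguard classes are constructed for this illustration; the figures are those of the laptop scenario above, and the functions work for any other risk and safeguard.

```python
"""Quantitative risk analysis: SLE, ALE, TCO and ROI. Added example, not the book's code."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Risk:
    """One risk against one asset, quantified as in the chapter."""
    asset_value: float       # AV, dollars
    exposure_factor: float   # EF, fraction of AV lost per incident (1.0 = 100%)
    annual_rate: float       # ARO, incidents per year

    @property
    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Safeguard:
    """A mitigating control and what it costs over one technology refresh cycle."""
    upfront_cost: float        # one-time capital expense (software licences)
    annual_cost: float         # recurring operational expense (vendor support)
    labor_hours: float         # staff hours to deploy
    loaded_hourly_rate: float  # wage plus benefits
    refresh_years: int         # period over which TCO is spread

    @property
    def tco_total(self) -> float:
        """Total Cost of Ownership over the whole refresh cycle."""
        return (self.upfront_cost
                + self.annual_cost * self.refresh_years
                + self.labor_hours * self.loaded_hourly_rate)

    @property
    def tco_annual(self) -> float:
        return self.tco_total / self.refresh_years


def annual_roi(before: Risk, after: Risk, safeguard: Safeguard) -> float:
    """ROI per year = (ALE before - ALE after) - annual TCO.
    Positive: the safeguard costs less than the loss it avoids."""
    return (before.ale - after.ale) - safeguard.tco_annual


def laptop_example() -> Dict[str, float]:
    """The chapter's scenario: 1000 laptops holding PII, AV $25,000 each, ARO 11.
    Encryption drops EF from 100% to 10% (only the hardware is lost)."""
    unencrypted = Risk(asset_value=25_000, exposure_factor=1.0, annual_rate=11)
    encrypted = Risk(asset_value=25_000, exposure_factor=0.10, annual_rate=11)
    encryption = Safeguard(upfront_cost=100 * 1000,      # $100 per laptop
                           annual_cost=10_000,           # 10% vendor support
                           labor_hours=4 * 1000,         # 4 h per laptop
                           loaded_hourly_rate=70,        # $50 plus benefits
                           refresh_years=3)
    roi = annual_roi(unencrypted, encrypted, encryption)
    return {
        "sle_unencrypted": round(unencrypted.sle, 2),   # 25000
        "ale_unencrypted": round(unencrypted.ale, 2),   # 275000
        "ale_encrypted": round(encrypted.ale, 2),       # 27500
        "tco_3yr": round(encryption.tco_total, 2),      # 410000
        "tco_annual": round(encryption.tco_annual),     # 136667
        "roi_annual": round(roi),                       # 110833
        "worthwhile": roi > 0,
    }


if __name__ == "__main__":
    for key, value in laptop_example().items():
        print(f"{key:16s} {value}")
```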
Budget and metrics
When combined with Risk Analysis, the Total Cost of Ownership and Return on Investment calculations factor into proper budgeting. Some organizations have the enviable position of ample information security funding, yet they are often compromised. Why? The answer is usually because they mitigated the wrong risks. They spent money where it may not have been necessary and ignored larger risks. Regardless of staff size or budget, all organizations can take on a finite amount of information security projects. If they choose unwisely, information security can suffer.
Metrics can greatly assist the information security budgeting process. They help illustrate potentially costly risks and demonstrate the effectiveness (and potential cost savings) of existing controls. They can also help champion the cause of information security.
Risk choices
Once we have assessed risk, we must decide what to do. Options include accepting the risk, mitigating or eliminating the risk, transferring the risk, and avoiding the risk.
Accept the risk
Some risks may be accepted: in some cases, it is cheaper to leave an asset unprotected due to a specific risk, rather than make the effort (and spend the money) required to protect it. This cannot be an ignorant decision: the risk must be considered, and all options must be considered before accepting the risk.
Risk acceptance criteria
Low likelihood/low consequence risks are candidates for risk acceptance. High and extreme risks cannot be accepted. There are cases, such as data protected by laws or regulations or risk to human life or safety, where accepting the risk is not an option.
Mitigate the risk
Mitigating the risk means lowering the risk to an acceptable level. The laptop encryption example given in Section "Annualized Loss Expectancy" is an example of mitigating the risk. The risk of lost PII due to stolen laptops was mitigated by encrypting the data on the laptops. The risk has not been eliminated entirely: a weak or exposed encryption password could expose the PII, but the risk has been reduced to an acceptable level.
In some cases, it is possible to remove the risk entirely: this is called eliminating the risk.
Transfer the risk
Transfer the risk is the insurance model. Most people do not assume the risk of fire to their house: they pay an insurance company to assume that risk for them. The insurance companies are experts in Risk Analysis: buying risk is their business.
Risk avoidance
A thorough Risk Analysis should be completed before taking on a new project. If the Risk Analysis discovers high or extreme risks that cannot be easily mitigated, avoiding the risk (and the project) may be the best option.
Qualitative and Quantitative Risk Analysis
Quantitative and Qualitative Risk Analyses are two methods for analyzing risk. Quantitative Risk Analysis uses hard metrics, such as dollars. Qualitative Risk Analysis uses simple approximate values. Quantitative is more objective; qualitative is more subjective. Hybrid Risk Analysis combines the two: using quantitative analysis for risks that may be easily expressed in hard numbers, such as money, and qualitative for the remainder.
Calculating the Annualized Loss Expectancy (ALE) is an example of Quantitative Risk Analysis. The Risk Analysis Matrix (shown previously in Table 3.1) is an example of Qualitative Risk Analysis.
The Risk Management process
The U.S. National Institute of Standards and Technology (NIST) published Special Publication 800-30, Risk Management Guide for Information Technology Systems (see http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf). The guide describes a 9-step Risk Analysis process:
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
organizational priority provided by senior leadership, which is required for a successful information security program.
Security policy and related documents
Documents such as policies and procedures are a required part of any successful information security program. These documents should be grounded in reality: they are not idealistic documents that sit on shelves collecting dust. They should mirror the real world and provide guidance on the correct (and sometimes required) way of doing things.
Policy
Policies are high-level management directives. Policy is mandatory: if you do not agree with your company's sexual harassment policy, for example, you do not have the option of not following it.
Crunch Time
Policy is high level: it does not delve into specifics. A server security policy would discuss protecting the confidentiality, integrity, and availability of the system (usually in those terms). It may discuss software updates and patching. The policy would not use terms like "Linux" or "Windows"; that is too low level. In fact, if you converted your servers from Windows to Linux, your server policy would not change. Other documents, like procedures, would change.
All policy should contain these basic components:
Purpose
Scope
Responsibilities
Compliance
Purpose describes the need for the policy, typically to protect the confidentiality, integrity, and availability of protected data.
Scope describes what systems, people, facilities, and organizations are covered by the policy. Any related entities that are not in scope should be documented to avoid confusion.
Responsibilities include responsibilities of information security staff, policy and management teams, as well as responsibilities of all members of the organization.
Compliance describes two related issues: how to judge the effectiveness of the policies (how well they are working) and what happens when policy is violated (the sanction). All policy must have teeth: a policy that forbids accessing explicit content via the Internet is not useful if there are no consequences for doing so.
Policy types
NIST Special Publication 800-12 (see http://csrc.nist.gov/publications/nistpubs/800-12/800-12-html/chapter5.html) discusses three specific policy types: program policy, issue-specific policy, and system-specific policy.
Program policy establishes an organization's information security program. Examples of issue-specific policies listed in NIST SP 800-12 include email policy and email privacy policy. Examples of system-specific policies include a file server policy or a Web server policy.
Procedures
A procedure is a step-by-step guide for accomplishing a task. They are low level and specific. Like policies, procedures are mandatory.
Here is a simple example procedure for creating a new user:
1. Receive a new user request form and verify its completeness.
2. Verify that the user's manager has signed the form.
3. Verify that the user has read and agreed to the user account security policy.
4. Classify the user's role by following role assignment procedure NX-103.
5. Verify that the user has selected a secret word, such as their mother's maiden name, and enter it into the help desk account profile.
6. Create the account and assign the proper role.
7. Assign the secret word as the initial password and set "Force user to change password on next login" to "True".
8. Email the New Account document to the user and their manager.
The steps of this procedure are mandatory. Security administrators do not have the option of skipping step 1, for example, creating an account without a form.
Did You Know?
Other safeguards depend on this fact: when a user calls the help desk as a result of a forgotten password, the help desk will follow their forgotten password procedure, which includes asking for the user's secret word. They cannot do that unless step 5 was completed: without that word, the help desk cannot securely reset the password. This mitigates social engineering attacks, where an imposter tries to trick the help desk into resetting a password for an account they are not authorized to access.
Standards
A standard describes the specific use of technology, often applied to hardware and software. "All employees will receive an ACME Nexus-6 laptop with 4 gigabytes of memory, a 2.8 GHz dual-core CPU, and 2 Terabyte disk" is an example of a hardware standard. "The laptops will run Windows 8 Enterprise, 64-bit version" is an example of a software (operating system) standard.
Standards are mandatory. They lower the Total Cost of Ownership of a safeguard.
Guidelines
Guidelinesarerecommendations(whicharediscretionary).Aguidelinecan
beausefulpieceofadvice,suchasTocreateastrongpassword,taketherst
le erofeverywordinasentence,andmixinsomenumbersandsymbols.I
willpasstheCISSPexamin6months!becomesIwptcei6m!.
Youcancreateastrongpasswordwithoutfollowingthisadvice,whichis
whyguidelinesarenotmandatory.Theyareuseful,especiallyfornovice
users.
Baselines
Baselinesareuniformwaysofimplementingasafeguard.Hardenthe
systembyapplyingtheCenterforInternetSecurityLinuxbenchmarksisan
exampleofabaseline(seeh p://benchmarks.cisecurity.orgfortheCIS
SecurityBenchmarks;theyareagreatresource).Thesystemmustmeetthe
baselinedescribedbythosebenchmarks.
Baselinesarediscretionary:itisacceptabletohardenthesystemwithout
followingtheaforementionedbenchmarks,aslongasitisatleastassecureas
asystemhardenedusingthebenchmarks.
Table3.5summarizesthetypesofsecuritydocumentation.
Table3.5
SummaryofSecurityDocumentation
Primaryinformationsecurityrolesincludeseniormanagement,dataowner,
custodian,anduser.Eachplaysadierentroleinsecuringanorganizations
assets.
Seniormanagementcreatestheinformationsecurityprogramandensures
thatitisproperlystaedandfundedandhasorganizationalpriority.Itis
responsibleforensuringthatallorganizationalassetsareprotected.
Thedataowner(alsocalledinformationownerorbusinessowner)isa
managementemployeeresponsibleforensuringthatspecicdatais
protected.Dataownersdeterminedatasensitivitylabelsandthefrequencyof
databackup.Acompanywithmultiplelinesofbusinessmayhavemultiple
dataowners.Thedataownerperformsmanagementduties;custodians
performthehandsonprotectionofdata.
Acustodianprovideshandsonprotectionofassetssuchasdata.They
performdatabackupsandrestoration,patchsystems,congureantivirus
software,etc.Thecustodiansfollowdetailedorders;theydonotmakecritical
decisionsonhowdataisprotected.ThedataownermaydictateAlldata
mustbebackedupevery24hours.Thecustodians(andtheirmanagers)
wouldthendeployandoperateabackupsolutionthatmeetsthedataowners
requirements.
Theuseristhefourthprimaryinformationsecurityrole.Usersmustfollow
therules:theymustcomplywithmandatorypoliciesprocedures,standards,
etc.Theymustnotwritetheirpasswordsdownorshareaccounts,for
example.Usersmustbemadeawareoftheserisksandrequirements.You
cannotassumetheywillknowwhattodoorassumetheyarealreadydoing
therightthing:theymustbetold,viainformationsecurityawareness.
Personnel security
Userscanposethebiggestsecurityrisktoanorganization.Background
checksshouldbeperformed,contractorsneedtobesecurelymanaged,and
usersmustbeproperlytrainedandmadeawareofsecurityrisks,aswewill
discussnext.ControlssuchasNondisclosureAgreements(NDA)andrelated
employmentagreementsarearecommendedpersonnelsecuritycontrol.
Background checks
Organizations should conduct a thorough background check before hiring anyone. A criminal records check should be conducted, and all experience, education, and certifications should be verified. Lying or exaggerating about education, certifications, and related credentials is one of the most common examples of dishonesty in regards to the hiring process.
More thorough background checks should be conducted for roles with heightened privileges, such as access to money or classified information. These checks can include a financial investigation, a more thorough criminal records check, and interviews with friends, neighbors, and current and former coworkers.
Employee termination
Termination should result in immediate revocation of all employee access. Beyond account revocation, termination should be a fair process. There are ethical and legal reasons for employing fair termination, but there is also an additional information security advantage. An organization's worst enemy can be a disgruntled former employee, who, even without legitimate account access, knows where the weak spots are.
Security awareness and training
Security awareness and training are often confused. Awareness changes user behavior; training provides a skill set.
Reminding users to never share accounts or write their passwords down is an example of awareness. It is assumed that some users are doing the wrong thing, and awareness is designed to change that behavior.
Security training teaches a user how to do something. Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure a router; or training a security administrator to create a new account.
Vendor, consultant, and contractor security
Vendors, consultants, and contractors can introduce risks to an organization. They are not direct employees and sometimes have access to systems at multiple organizations. If allowed to, they may place an organization's sensitive data on devices not controlled (or secured) by the organization.
Third-party personnel with access to sensitive data must be trained and made aware of risks, just as employees are. Background checks may also be required, depending on the level of access required. Information security policies, procedures, and other guidance should apply as well. Additional policies regarding ownership of data and intellectual property should be developed. Clear rules dictating where and when a third party may access or store data must be developed.
Outsourcing and offshoring
Outsourcing is the use of a third party to provide information technology support services that were previously performed in-house. Offshoring is outsourcing to another country.
Both can lower Total Cost of Ownership by providing IT services at lower cost. They may also enhance the information technology resources and skill set available to a company (especially a small company), which can improve confidentiality, integrity, and availability of data.
A thorough and accurate Risk Analysis must be performed before outsourcing or offshoring sensitive data. If the data will reside in another country, you must ensure that laws and regulations governing the data are followed, even beyond their jurisdiction.
Privacy
Privacy is the protection of the confidentiality of personal information. Many organizations host personal information about their users: PII such as social security numbers, financial information such as annual salary and bank account information required for payroll deposits, and health care information for insurance purposes. The confidentiality of this information must be assured.
Due care and due diligence
Due care is doing what a reasonable person would do. It is sometimes called the "prudent man" rule. The term derives from "duty of care": parents have a duty to care for their children, for example. Due diligence is the management of due care.
Due care and due diligence are often confused: they are related, but different. Due care is informal; due diligence follows a process. Think of due diligence as a step beyond due care. Expecting your staff to keep their systems patched means you expect them to exercise due care. Verifying that your staff has patched their systems is an example of due diligence.
Gross negligence
Gross negligence is the opposite of due care. It is a legally important concept. If you suffer loss of PII, but can demonstrate due care in protecting the PII, you are on legally stronger ground, for example. If you cannot demonstrate due care (you were grossly negligent), you are in a much worse legal position.
Best practice
Information security best practice is a consensus of the best way to protect the confidentiality, integrity, and availability of assets. Following best practices is a way to demonstrate due care and due diligence.
Auditing and control frameworks
Auditing means verifying compliance to a security control framework, published specification, or internal policies, standards, etc. Auditing helps support Risk Analysis efforts by verifying that a company not only "talks the talk" (has documentation supporting a robust information security program) but also "walks the walk" (actually has a robust information security program in practice).
A number of control frameworks are available to assist auditing Risk Analysis. Some, such as PCI-DSS, are industry specific. Others, such as OCTAVE, ISO 17799/27002, and COBIT, covered next, are more general.
OCTAVE
OCTAVE stands for Operationally Critical Threat, Asset, and Vulnerability Evaluation, a Risk Management framework from Carnegie Mellon University. OCTAVE describes a three-phase process for managing risk. Phase 1 identifies staff knowledge, assets, and threats. Phase 2 identifies vulnerabilities and evaluates safeguards. Phase 3 conducts the Risk Analysis and develops the risk mitigation strategy.
OCTAVE is a high-quality free resource that may be downloaded from http://www.cert.org/octave/.
ISO 17799 and the ISO 27000 series
ISO 17799 was a broad-based approach for information security code of practice by the International Organization for Standardization (based in Geneva, Switzerland). The full title is "ISO/IEC 17799:2005 Information technology - Security Techniques - Code of Practice for Information Security Management." ISO 17799:2005 signifies the 2005 version of the standard. It was based on BS (British Standard) 7799 Part 1.
Fast Facts
ISO 17799 had 11 areas, focusing on specific information security controls [2]:
1. Policy
2. Organization of information security
3. Asset management
4. Human resources security
5. Physical and environmental security
6. Communications and operations management
7. Access control
8. Information systems acquisition, development, and maintenance
9. Information security incident management
10. Business continuity management
11. Compliance
[2] ISO/IEC 17799:2005. http://www.iso.org/iso/catalogue_detail?csnumber=39612 [accessed June 26, 2013].
ISO 17799 was renumbered to ISO 27002 in 2005 to make it consistent with the 27000 series of ISO security standards. ISO 27001 is a related standard, formally called "ISO/IEC 27001:2005 Information technology - Security techniques - Information Security Management Systems - Requirements." ISO 27001 was based on BS 7799 Part 2.
Note that the title of ISO 27002 includes the word "techniques"; ISO 27001 includes the word "requirements." Simply put, ISO 27002 describes information security best practices (Techniques), and ISO 27001 describes a process for auditing (Requirements).
COBIT
COBIT (Control Objectives for Information and related Technology) is a control framework for employing information security governance best practices within an organization. COBIT was developed by ISACA (Information Systems Audit and Control Association, see http://www.isaca.org).
ITIL
ITIL (Information Technology Infrastructure Library) is a framework for providing best services in IT Service Management (ITSM). More information about ITIL is available at http://www.itil-officialsite.com.
ITIL contains five Service Management Practices - Core Guidance publications:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Service Strategy helps IT provide services. Service Design details the infrastructure and architecture required to deliver IT services. Service Transition describes taking new projects and making them operational. Service Operation covers IT operations controls. Finally, Continual Service Improvement describes ways to improve existing IT services.
Certification and Accreditation
Certification is a detailed inspection that verifies whether a system meets the documented security requirements. Accreditation is the data owner's acceptance of the risk represented by that system. This process is called Certification and Accreditation or C&A.
NIST Special Publication 800-37 "Guide for the Security Certification and Accreditation of Federal Information Systems" (see http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf) describes U.S. Federal Certification and Accreditation.
Certification may be performed by a trusted third party such as an auditor. Certifiers investigate a system, inspect documentation, and may observe operations. They audit the system to ensure compliance. Certification is only a recommendation: the certifier does not have the ability to approve a system or environment. Only the data owner (the accreditor) can do so.
NIST SP 800-37 describes a four-step Certification and Accreditation process:
Initiation phase
Security certification phase
Security accreditation phase
Continuous monitoring phase
The information security system and risk mitigation plan are researched during the initiation phase. The security of the system is assessed and documented during the security certification phase. The decision to accept the risk represented by the system is made and documented during the security accreditation phase. Finally, once accredited, the ongoing security of the system is verified during the continuous monitoring phase.
and mitigates risk. Accurately assessing risk and understanding terms such as Annualized Loss Expectancy, Total Cost of Ownership, and Return on Investment will not only help you in the exam but also help advance your information security career.
B. $8000
C. $84,000
D. $56,000
4. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
5. Which of the following describes a duty of the data owner?
A. Patch systems
B. Report suspicious activity
C. Ensure their files are backed up
D. Ensure data has proper security labels
ANSWERS
1. Correct answer and explanation: A. Answer A is correct; policy is high level and avoids technology specifics.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. B is a procedural statement. C is a guideline. D is a baseline.
2. Correct answer and explanation: C. Answer C is correct; the Annual Rate of Occurrence is the number of attacks in a year.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. $20,000 is the Asset Value (AV). Forty percent is the Exposure Factor (EF). $10,000 is the monthly cost of the DoS service (used to calculate TCO).
3. Correct answer and explanation: D. Answer D is correct; Annualized Loss Expectancy (ALE) is calculated by first calculating the Single Loss Expectancy (SLE), which is the Asset Value (AV, $20,000) times the Exposure Factor (EF, 40%). The SLE is $8000; multiply by the Annual Rate of Occurrence (ARO, 7) for an ALE of $56,000.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. $20,000 is the Asset Value. $8000 is the Single Loss Expectancy.
4. Correct answer and explanation: C. Answer C is correct; the Total Cost of Ownership (TCO) of the DoS mitigation service is higher than the Annualized Loss Expectancy (ALE) of lost sales due to DoS attacks. This means it's less expensive to accept the risk of DoS attacks (or find a less expensive mitigation strategy).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. A is incorrect: the TCO is higher, not lower. $10,000 is the monthly TCO; you must calculate yearly TCO to compare with the ALE. D is wrong: the annual TCO is higher, not lower.
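To make the SLE, ALE and TCO arithmetic behind questions 3 and 4 reusable, here is an added example in Python (not code from the book) that carries the same formulas through a cost/benefit decision. It also goes one step beyond the question by accepting a residual ARO, so a control that only reduces attack frequency can be evaluated; the function names and the residual-ARO parameter are this example's own assumptions.

```python
"""Quantitative risk arithmetic: SLE, ALE, annual TCO and a cost/benefit decision.

Added example, not from the book. The sample call at the bottom uses the
values from questions 3 and 4 (AV $20,000, EF 40%, ARO 7, a $10,000/month
DoS mitigation service).
"""


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = AV x EF. exposure_factor is a fraction, e.g. 0.4 for 40%."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * exposure_factor


def annualized_loss_expectancy(asset_value: float, exposure_factor: float,
                               aro: float) -> float:
    """ALE = SLE x ARO, where ARO is the expected number of incidents per year."""
    return single_loss_expectancy(asset_value, exposure_factor) * aro


def annual_tco(monthly_cost: float, one_time_cost: float = 0.0) -> float:
    """Total Cost of Ownership for one year: recurring cost plus any one-time cost."""
    return 12 * monthly_cost + one_time_cost


def evaluate_control(asset_value: float, exposure_factor: float, aro_before: float,
                     aro_after: float, monthly_cost: float,
                     one_time_cost: float = 0.0) -> dict:
    """Compare the ALE reduction a control buys against what it costs per year.

    aro_after is the residual ARO once the control is in place (0 when the
    control is assumed to stop the incidents entirely, as question 4 assumes).
    A positive net benefit means the control is expected to save more than it costs.
    """
    ale_before = annualized_loss_expectancy(asset_value, exposure_factor, aro_before)
    ale_after = annualized_loss_expectancy(asset_value, exposure_factor, aro_after)
    cost = annual_tco(monthly_cost, one_time_cost)
    net = (ale_before - ale_after) - cost
    return {
        "sle": single_loss_expectancy(asset_value, exposure_factor),
        "ale_before": ale_before,
        "ale_after": ale_after,
        "annual_tco": cost,
        "net_benefit": net,
        "worthwhile": net > 0,
    }


if __name__ == "__main__":
    # The DoS mitigation service of question 4: annual TCO $120,000 against an
    # ALE of $56,000, so the net benefit is negative and the risk is cheaper to accept.
    print(evaluate_control(20_000, 0.40, 7, 0, 10_000))
```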
5. Correct answer and explanation: D. Answer D is correct; the data owner ensures that data has proper security labels.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Custodians patch systems. Users should be aware and report suspicious activity. Ensuring files are backed up is a weaker answer for a data owner duty, used to confuse the data owner with the owner of the file on a discretionary access control system.
CHAPTER 4
KEY WORDS
Database; Extreme Programming (XP); Object; Object-Oriented Programming; Procedural languages; Spiral Model; Systems Development Life Cycle; Waterfall Model
Software Vulnerabilities, Testing, and Assurance
Databases
Introduction
Software is everywhere: not only in our computers but also in our houses, our cars, and our medical devices, and all software programmers make mistakes. As software has grown in complexity, the number of mistakes has grown along with it.
Developing software that is robust and secure is critical: this chapter will show how to do that. We will cover programming fundamentals such as compiled versus interpreted languages, as well as procedural and Object-Oriented Programming languages. We will discuss application development models such as the Waterfall Model, Spiral Model, and Extreme Programming (XP) and others. We will describe common software vulnerabilities, ways to test for them, and maturity frameworks to assess the maturity of the programming process and provide ways to improve it.
PROGRAMMING CONCEPTS
Let us begin by understanding some cornerstone programming concepts. As computers have become more powerful and ubiquitous, the process and methods used to create computer software have grown and changed.
Machine code, source code, and assemblers
Machine code (also called machine language) is software that is executed directly by the CPU. Machine code is CPU-dependent; it is a series of 1s and 0s that translate to instructions that are understood by the CPU. Source code is computer programming language instructions that are written in text that must be translated into machine code before execution by the CPU.
Assembly language is a low-level computer programming language. Assembly language instructions are short mnemonics, such as ADD, SUB (subtract), and JMP (jump), that match to machine language instructions. An assembler converts assembly language into machine language. A disassembler attempts to convert machine language into assembly.
Compilers, interpreters, and bytecode
Compilers take source code, such as C or Basic, and compile it into machine code. Interpreted languages differ from compiled languages: interpreted code is compiled on the fly each time the program is run. Bytecode, such as Java bytecode, is also interpreted code. Bytecode exists as an intermediary form (converted from source code) but still must be converted into machine code before it may run on the CPU.
Types of publicly released software
Once programmed, publicly released software may come in different forms (such as with or without the accompanying source code) and be released under a variety of licenses.
Open and closed source software
Closed source software is software typically released in executable form: the source code is kept confidential. Open source software publishes source code publicly. Proprietary software is software that is subject to intellectual property protections such as patents or copyrights.
Free Software, Shareware, and Crippleware
Freeware is software which is free of charge to use. Shareware is fully functional proprietary software that may be initially used free of charge. If the user continues to use the Shareware for a specific period of time specified by the license (such as 30 days), the Shareware license typically requires payment. Crippleware is partially functioning proprietary software, often with key features disabled. The user is typically required to make a payment to unlock the full functionality.
The Waterfall Model is a linear application development model that uses rigid phases; when one phase ends, the next begins. Steps occur in sequence, and the unmodified Waterfall Model does not allow developers to go back to previous steps. It is called the waterfall because it simulates water falling: it cannot go back up. A modified Waterfall Model allows a return to a previous phase for verification or validation, ideally confined to connecting steps.
Spiral
The Spiral Model is a software development model designed to control risk. The Spiral Model repeats steps of a project, starting with modest goals and expanding outward in ever wider spirals (called rounds). Each round of the spiral constitutes a project, and each round may follow traditional software development methodology such as modified waterfall. A risk analysis is performed each round. Fundamental flaws in the project or process are more likely to be discovered in the earlier phases, resulting in simpler fixes. This lowers the overall risk of the project: large risks should be identified and mitigated.
Agile Software Development
Agile Software Development evolved as a reaction to rigid software development models such as the Waterfall Model. Agile methods include Extreme Programming (XP). Agile embodies many modern development concepts, including more flexibility, fast turnaround with smaller milestones, strong communication within the team, and more customer involvement.
Extreme Programming
Extreme Programming (XP) is an Agile development method that uses pairs of programmers who work off a detailed specification. There is a high level of customer involvement and constant communication.
Rapid Application Development
Rapid Application Development (RAD) rapidly develops software via the use of prototypes, "dummy" GUIs, back-end databases, and more. The goal of RAD is quickly meeting the business need of the system; technical concerns are secondary. The customer is heavily involved in the process.
SDLC
The Systems Development Life Cycle (SDLC, also called the software development life cycle or simply the system life cycle) is a system development model. SDLC is used across the industry, but SDLC focuses on security when used in context of the exam. Think of our SDLC as the secure systems development life cycle: the security is implied.
Fast Facts
The following overview is summarized from NIST SP 800-14 [1]:
Prepare a security plan: Ensure that security is considered during all phases of the IT system life cycle and that security activities are accomplished during each of the phases.
Initiation: The need for a system is expressed and the purpose of the system is documented.
Conduct a sensitivity assessment: Look at the security sensitivity of the system and the information to be processed.
Development/acquisition: The system is designed, purchased, programmed, or developed.
Determine security requirements: Determine technical features (like access controls), assurances (like background checks for system developers), or operational practices (like awareness and training).
Incorporate security requirements into specifications: Ensure that the previously gathered information is incorporated in the project plan.
Obtain the system and related security activities: May include developing the system's security features, monitoring the development process itself for security problems, responding to changes, and monitoring threats.
Implementation: The system is tested and installed.
Install/turn on controls: A system often comes with security features disabled. These need to be enabled and configured.
Security testing: Used to certify a system and may include testing security management, physical facilities, personnel, procedures, the use of commercial or in-house services (such as networking services), and contingency planning.
Accreditation: The formal authorization by the accrediting (management) official for system operation and an explicit acceptance of risk.
Operation/maintenance: The system is modified by the addition of hardware and software and by other events.
Security operations and administration: Examples include backups, training, managing cryptographic keys, user administration, and patching.
Operational assurance: Examines whether a system is operated according to its current security requirements.
Audits and monitoring: A system audit is a one-time or periodic event to evaluate security. Monitoring refers to an ongoing activity that examines either the system or the users.
Disposal: The secure decommission of a system.
Information: Information may be moved to another system, archived, discarded, or destroyed.
Media sanitization: There are three general methods of purging media: overwriting, degaussing (for magnetic media only), and destruction.
[1] Generally Accepted Principles and Practices for Securing Information Technology Systems. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf [accessed June 26, 2013].
OBJECT-ORIENTED PROGRAMMING
Object-Oriented Programming (OOP) uses an object metaphor to design and write computer programs. An object is a "black box" that is able to perform functions and sends and receives messages. Objects contain data and methods (the functions they perform). The object provides encapsulation (also called data hiding): we do not know, from the outside, how the object performs its function. This provides security benefits: users should not be exposed to unnecessary details.
Cornerstone Object-Oriented Programming concepts
Cornerstone Object-Oriented Programming concepts include objects, methods, messages, inheritance, delegation, polymorphism, and polyinstantiation. We will use an example object called "Addy" to illustrate the cornerstone concepts. Addy is an object that adds two integers; it is an extremely simple object, but has enough complexity to explain core OOP concepts. Addy inherits an understanding of numbers and math from his parent class (the class is called mathematical operators). One specific object is called an instance. Note that objects may inherit from other objects, in addition to classes.
In our case, the programmer simply needs to program Addy to support the method of addition (inheritance takes care of everything else Addy must know). Figure 4.1 shows Addy adding two numbers.
FIGURE 4.1 The Addy object.
"1 + 2" is the input message; "3" is the output message. Addy also supports delegation: if he does not know how to perform a requested function, he can delegate that request to another object (called "Subby" in Figure 4.2).
FIGURE 4.2 Delegation.
Addy also supports polymorphism (based on the Greek roots "poly" and "morph," meaning "many" and "forms," respectively): he has the ability to overload his plus (+) operator, performing different methods depending on the context of the input message. For example, Addy adds when the input message contains "number + number"; polymorphism allows Addy to concatenate two strings when the input message contains "string + string," as shown in Figure 4.3.
FIGURE 4.3 Polymorphism.
Finally, polyinstantiation involves multiple instances (specific objects) with the same names that contain different data. This may be used in multilevel secure environments to keep top secret and secret data separate, for example. Figure 4.4 shows polyinstantiated Addy objects: two objects with the same name but different data. Note that these are two separate objects. Also, to a secret-cleared subject, the Addy object with secret data is the only known Addy object.
Fast Facts
Here is a summary of Object-Oriented Programming concepts illustrated by Addy:
Object: Addy
Class: Mathematical operators
Method: Addition
Inheritance: Addy inherits an understanding of numbers and math from his parent class mathematical operators. The programmer simply needs to program Addy to support the method of addition
Example input message: 1 + 2
Example output message: 3
Polymorphism: Addy can change behavior based on the context of the input, overloading the "+" to perform addition, or concatenation, depending on the context
Polyinstantiation: Two Addy objects (secret and top secret), with different data
FIGURE 4.4 Polyinstantiation.
As we have seen previously, mature objects are designed to be reused: they lower risk and development costs. Object Request Brokers (ORBs) can be used to locate objects: they act as object search engines. ORBs are middleware: they connect programs to programs. Common object brokers include COM, DCOM, and CORBA.
COM and DCOM
Two object broker technologies by Microsoft are COM (Component Object Model) and DCOM (Distributed Component Object Model). COM locates objects on a local system; DCOM can also locate objects over a network.
COM allows objects written with different OOP languages to communicate, where objects written in C++ send messages to objects written in Java, for example. It is designed to hide the details of any individual object and focuses on the object's capabilities.
DCOM is a networked sequel to COM: "Microsoft Distributed COM (DCOM) extends the Component Object Model (COM) to support communication among objects on different computers on a LAN, a WAN, or even the Internet. With DCOM, your application can be distributed at locations that make the most sense to your customer and to the application." [2]
DCOM includes Object Linking and Embedding (OLE), a way to link documents to other documents.
Both COM and DCOM are being supplanted by Microsoft .NET, which can interoperate with DCOM but offers advanced functionality to both COM and DCOM.
Programmers make mistakes: this has been true since the advent of computer programming. The number of average defects per line of software code can often be reduced, though not eliminated, by implementing mature software development practices.
Types of software vulnerabilities
This section will briefly describe common application vulnerabilities. An additional source of up-to-date vulnerabilities can be found at the 2011 CWE/SANS Top 25 Most Dangerous Programming Errors, available at http://cwe.mitre.org/top25/; the following summary is based on this list. CWE refers to Common Weakness Enumeration, a dictionary of software vulnerabilities by MITRE (see http://cwe.mitre.org/). SANS is the SANS Institute; see http://www.sans.org.
Hard-coded credentials: Backdoor username/passwords left by programmers in production code
Buffer overflow: Occurs when a programmer does not perform variable bounds checking
SQL injection: Manipulation of a back-end SQL server via a front-end Web server
Directory path traversal: Escaping from the root of a Web server (such as /var/www) into the regular file system by referencing directories such as "../.."
PHP Remote File Inclusion (RFI): Altering normal PHP URLs and variables such as "http://good.example.com?file=readme.txt" to include and execute remote content, such as "http://good.example.com?file=http://evil.example.com/bad.php"
Cross-Site Scripting (XSS): Third-party injection of a script into a Web page within the security context of a trusted site
Cross-Site Request Forgery (CSRF or sometimes XSRF): Third-party submission of predictable content to a Web application within the security context of an authenticated user
Cross-Site Scripting and Cross-Site Request Forgery are often confused. They are both Web attacks: the difference is XSS executes a script in a trusted context:
<script>alert("XSS Test!");</script>
The previous code would pop up a harmless "XSS Test!" alert. A real attack would include more JavaScript, often stealing cookies or authentication credentials.
CSRF often tricks a user into processing a URL (sometimes by embedding the URL in an HTML image tag) that performs a malicious act, for example, tricking a white hat into rendering the following image tag:
<img src="https://bank.example.com/transfer-money?from=WHITEHAT&to=BLACKHAT">
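As an added defensive illustration in Python (not code from the book), the following shows the two controls that correspond to the two attacks just contrasted: output encoding, so that submitted text such as the script tag above is rendered as text rather than executed, and a per-session anti-forgery token, which a request triggered by an image tag on another site carries the victim's cookies for but cannot supply. The session store, function names and sample inputs are constructed for this example.

```python
"""Defensive counterparts to the XSS and CSRF examples above.

Added example, not from the book. SESSION_TOKENS is a constructed stand-in
for server-side session storage; a real application would keep the token in
its session backend and embed it in every state-changing form.
"""
import hmac
import html
import secrets

# Constructed session store: session id -> anti-forgery token.
SESSION_TOKENS: dict = {}


def render_comment(untrusted_text: str) -> str:
    """Return an HTML fragment in which user-supplied text is encoded, not interpreted.

    html.escape turns <, >, &, " and ' into entities, so a submitted
    <script> element is displayed as literal text instead of running in the
    trusted page's context. This is the XSS control: encode on output.
    """
    return '<p class="comment">' + html.escape(untrusted_text, quote=True) + "</p>"


def issue_csrf_token(session_id: str) -> str:
    """Create an unpredictable token bound to one session.

    The application places this value in a hidden form field (or header) of
    every form that changes state; it is never readable from another origin.
    """
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def csrf_request_allowed(session_id: str, submitted_token) -> bool:
    """Accept a state-changing request only if it carries the token bound to the session.

    A forged request such as the transfer-money image tag above arrives with
    the victim's valid session cookie, so session_id checks out, but the
    attacker's page cannot read or guess the token, so the request is refused.
    The comparison is constant-time to avoid leaking the token byte by byte.
    """
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted_token, str):
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    # Constructed inputs: the page's XSS test string and a forged transfer request.
    print(render_comment('<script>alert("XSS Test!");</script>'))
    tok = issue_csrf_token("session-abc")
    print("legitimate form submit:", csrf_request_allowed("session-abc", tok))
    print("request from an <img> tag (no token):", csrf_request_allowed("session-abc", None))
```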
Privilege escalation
Privilege escalation vulnerabilities allow an attacker with (typically limited) access to be able to access additional resources. Improper software configurations and poor coding and testing practices often cause privilege escalation vulnerabilities.
Backdoors
Backdoors are shortcuts in a system that allow a user to bypass security checks (such as username/password authentication). Attackers will often install a backdoor after compromising a system.
Disclosure
Disclosure describes the actions taken by a security researcher after discovering a software vulnerability. Full disclosure is the controversial practice of releasing vulnerability details publicly. Responsible disclosure is the practice of privately sharing vulnerability information with a vendor and withholding public release until a patch is available. Other options exist between full and responsible disclosure.
Software Capability Maturity Model
The Software Capability Maturity Model (CMM) is a maturity framework for evaluating and improving the software development process. Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) developed the model. The goal of CMM is to develop a methodical framework for creating quality software that allows measurable and repeatable results.
Fast Facts
The five levels of CMM are described [4] (see http://www.sei.cmu.edu/reports/93tr024.pdf):
1. Initial: The software process is characterized as ad hoc and occasionally even chaotic. Few processes are defined, and success depends on individual effort.
2. Repeatable: Basic project management processes are established to track cost, schedule, and functionality. The necessary process discipline is in place to repeat earlier successes on projects with similar applications.
3. Defined: The software process for both management and engineering activities is documented, standardized, and integrated into a standard software process for the organization. Projects use an approved, tailored version of the organization's standard software process for developing and maintaining software.
4. Managed: Detailed measures of the software process and product quality are collected, analyzed, and used to control the process. Both the software process and products are quantitatively understood and controlled.
5. Optimizing: Continual process improvement is enabled by quantitative feedback from the process and from piloting innovative ideas and technologies.
[4] Capability Maturity Model(SM) for Software, Version 1.1. http://www.sei.cmu.edu/reports/93tr024.pdf [accessed June 26, 2013].
DATABASES
A database is a structured collection of related data. Databases allow queries (searches), insertions (updates), deletions, and many other functions. The database is managed by the Database Management System (DBMS), which controls all access to the database and enforces the database security. Databases are managed by Database Administrators (DBAs). Databases may be searched with a database query language, such as the Structured Query Language (SQL). Typical database security issues include the confidentiality and integrity of the stored data. Integrity is a primary concern when replicated databases are updated.
Relational databases
The most common modern database is the relational database, which contains two-dimensional tables of related (hence the term relational) data. A table is also called a relation. Tables have rows and columns: a row is a database record, called a tuple; a column is called an attribute. A single cell (intersection of a row and column) in a database is called a value. Relational databases require a unique value called the primary key in each tuple in a table. Table 4.1 shows a relational database employee table, sorted by the primary key (SSN or Social Security Number).
Table 4.1 Relational Database Employee Table
Table 4.1 attributes are SSN, Name, and Title. Tuples include each row: 133-73-1337, 343-53-4334, etc. "Gaff" is an example of a value (cell). Candidate keys are any attribute (column) in the table with unique values: candidate keys in the previous table include SSN and Name; SSN was selected as the primary key because it is truly unique (two employees could have the same name, but not the same SSN). The primary key may join two tables in a relational database.
Foreign keys
A foreign key is a key in a related database table that matches a primary key in the parent database. Note that the foreign key is the local table's primary key: it is called the foreign key when referring to a parent table. Table 4.2 is the HR database table that lists employees' vacation time (in days) and sick time (also in days); it has a foreign key of SSN. The HR database table may be joined to the parent (employee) database table by connecting the foreign key of the HR table to the primary key of the employee table.
Table 4.2 HR Database Table
Databases must ensure the integrity of the data in the tables: this is called data integrity, discussed in Section "Database integrity." There are three additional specific integrity issues that must be addressed beyond the correctness of the data itself: referential, semantic, and entity integrity. These are tied closely to the logical operations of the DBMS.
Crunch Time
Referential integrity means that every foreign key in a secondary table matches a primary key in the parent table: if this is not true, referential integrity has been broken. Semantic integrity means that each attribute (column) value is consistent with the attribute data type. Entity integrity means each tuple has a unique primary key that is not null.
The HR database table shown in Table 4.2, seen previously, has referential, semantic, and entity integrity. Table 4.3, on the other hand, has multiple problems: one tuple violates referential integrity, one tuple violates semantic integrity, and the last two tuples violate entity integrity.
Table 4.3 Database Table Lacking Integrity
The tuple with the foreign key 467-51-9732 has no matching entry in the employee database table. This breaks referential integrity: there is no way to link this entry to a name or title. Cell "Nexus 6" violates semantic integrity: the sick time attribute requires values of days, and "Nexus 6" is not a valid amount of sick days. Finally, the last two tuples both have the same primary key (primary to this table; foreign key to the parent employees table); this breaks entity integrity.
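The three integrity rules of the Crunch Time box can be checked mechanically. The Python below is an added example, not from the book: a validator run over a constructed HR table carrying the same three defects as Table 4.3 (an orphaned foreign key, a "Nexus 6" sick-time value, and two tuples sharing a key). The employee names, SSNs and schema are this example's own stand-ins, since the book's table contents are not reproduced here.

```python
"""Referential, semantic and entity integrity checks over an HR table.

Added example, not from the book. EMPLOYEES and HR_ROWS are constructed
stand-ins for Tables 4.1 and 4.3; only the defects match the text.
"""

# Constructed parent (employee) table, keyed by its primary key, SSN.
EMPLOYEES = {
    "133-73-1337": {"Name": "Gaff", "Title": "Detective"},
    "343-53-4334": {"Name": "Deckard", "Title": "Detective"},
    "555-01-0001": {"Name": "Bryant", "Title": "Captain"},
}

# Attribute -> expected data type for the HR table (semantic integrity).
HR_SCHEMA = {"SSN": str, "Vacation": int, "Sick": int}

# Constructed HR table with the defects the text describes, in this order:
# a foreign key with no parent row, a non-numeric sick time, and two tuples
# sharing one primary key.
HR_ROWS = [
    {"SSN": "133-73-1337", "Vacation": 10, "Sick": 3},
    {"SSN": "467-51-9732", "Vacation": 5, "Sick": 2},
    {"SSN": "343-53-4334", "Vacation": 8, "Sick": "Nexus 6"},
    {"SSN": "555-01-0001", "Vacation": 2, "Sick": 1},
    {"SSN": "555-01-0001", "Vacation": 4, "Sick": 0},
]


def check_integrity(parent, rows, schema, key="SSN"):
    """Return {"referential": [...], "semantic": [...], "entity": [...]}.

    Each list holds the indexes of offending rows. A row may appear under
    more than one category if it breaks more than one rule.
    """
    violations = {"referential": [], "semantic": [], "entity": []}
    first_seen = {}  # primary key -> index of the first row that used it
    for i, row in enumerate(rows):
        pk = row.get(key)
        # Entity integrity: primary key present, not null, and unique in this table.
        if pk is None or pk == "":
            violations["entity"].append(i)
        elif pk in first_seen:
            dup = first_seen[pk]
            if dup not in violations["entity"]:
                violations["entity"].append(dup)
            violations["entity"].append(i)
        else:
            first_seen[pk] = i
        # Referential integrity: the foreign key must match a parent primary key.
        if pk not in (None, "") and pk not in parent:
            violations["referential"].append(i)
        # Semantic integrity: every attribute value must fit its declared type
        # (bool is excluded because Python treats it as an int), and day
        # counts cannot be negative.
        for attr, expected in schema.items():
            if attr == key:
                continue
            val = row.get(attr)
            bad_type = isinstance(val, bool) or not isinstance(val, expected)
            if bad_type or (expected is int and val < 0):
                violations["semantic"].append(i)
                break
    return violations


if __name__ == "__main__":
    # Expected: referential [1], semantic [2], entity [3, 4].
    print(check_integrity(EMPLOYEES, HR_ROWS, HR_SCHEMA))
```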
Database normalization
Database normalization seeks to make the data in a database table logically concise, organized, and consistent. Normalization removes redundant data and improves the integrity and availability of the database.
Database views
Database tables may be queried; the results of a query are called a database view. Views may be used to provide a constrained user interface: for example, non-management employees can be shown their individual records only via database views. Table 4.4 shows the database view resulting from querying the employee table Title attribute with a string of "Detective." While employees of the HR department may be able to view the entire employee table, this view may be authorized for the captain of the detectives, for example.
Table 4.4 Employee Table Database View "Detective"
Database query languages allow the creation of database tables, read/write access to those tables, and many other functions. Database query languages have at least two subsets of commands: Data Definition Language (DDL) and Data Manipulation Language (DML). DDL is used to create, modify, and delete tables. DML is used to query and update data stored in the tables.
Database integrity
In addition to the previously discussed relational database integrity issues of semantic, referential, and entity integrity, databases must also ensure data integrity: the integrity of the entries in the database tables. This treats integrity as a more general issue: mitigating unauthorized modifications of data. The primary challenge associated with data integrity within a database is simultaneous attempted modifications of data. A database server typically runs multiple threads (lightweight processes), each capable of altering data. What happens if two threads attempt to alter the same record?
DBMSs may attempt to commit updates: make the pending changes permanent. If the commit is unsuccessful, the DBMSs can rollback (also called abort) and restore from a savepoint (clean snapshot of the database tables). A database journal is a log of all database transactions. Should a database become corrupted, the database can be reverted to a backup copy, and then, subsequent transactions can be replayed from the journal, restoring database integrity.
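The commit, rollback-to-savepoint and journal-replay mechanisms just described can be made concrete with a small in-memory table. This Python is an added example, not from the book or any DBMS: the table rows, the transactions and the simulated corruption are constructed, and the class supports inserts and updates only.

```python
"""Commit, rollback to a savepoint, and journal replay over a toy table.

Added example, not from the book: an in-memory stand-in for the DBMS
mechanisms described above. Rows and transactions are constructed.
"""
import copy


class JournaledTable:
    """One table with committed rows, an open transaction and a transaction journal."""

    def __init__(self, rows=None):
        self.rows = dict(rows or {})  # current state: primary key -> record
        self.pending = {}             # changes made by the open transaction
        self.journal = []             # every committed transaction, oldest first
        self.savepoint = None         # clean snapshot taken when a transaction begins

    def begin(self):
        """Open a transaction and take a savepoint to return to on rollback."""
        self.savepoint = copy.deepcopy(self.rows)
        self.pending = {}

    def update(self, key, record):
        """Apply an insert or update inside the open transaction."""
        if self.savepoint is None:
            raise RuntimeError("no open transaction")
        self.rows[key] = record
        self.pending[key] = record

    def commit(self):
        """Make the pending changes permanent by recording them in the journal."""
        if self.savepoint is None:
            raise RuntimeError("no open transaction")
        self.journal.append(dict(self.pending))
        self.pending = {}
        self.savepoint = None

    def rollback(self):
        """Abort the open transaction: discard its changes, restore the savepoint."""
        if self.savepoint is None:
            raise RuntimeError("no open transaction")
        self.rows = self.savepoint
        self.pending = {}
        self.savepoint = None

    def backup(self):
        """A backup is a snapshot plus the journal position it corresponds to."""
        return copy.deepcopy(self.rows), len(self.journal)

    def restore(self, backup):
        """Revert to the backup, then replay every transaction journaled after it."""
        snapshot, position = backup
        self.rows = copy.deepcopy(snapshot)
        for txn in self.journal[position:]:
            self.rows.update(txn)


def recovery_demo():
    """Constructed scenario: commit, roll back, corrupt, then recover from backup + journal."""
    t = JournaledTable({"133-73-1337": {"Vacation": 10, "Sick": 3}})
    bk = t.backup()  # backup taken before any of the transactions below
    t.begin()
    t.update("133-73-1337", {"Vacation": 9, "Sick": 3})
    t.commit()
    t.begin()
    t.update("133-73-1337", {"Vacation": 0, "Sick": 0})
    t.rollback()  # aborted transaction: leaves no trace in rows or journal
    t.begin()
    t.update("343-53-4334", {"Vacation": 8, "Sick": 2})
    t.commit()
    t.rows["133-73-1337"] = {"Vacation": "Nexus 6", "Sick": 3}  # simulated corruption
    t.restore(bk)  # backup copy + replay of the two committed transactions
    return t.rows


if __name__ == "__main__":
    print(recovery_demo())
```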
Database replication and shadowing
Databases may be highly available (HA), replicated with multiple servers containing multiple copies of tables. Integrity is the primary concern with replicated databases.
Database replication mirrors a live database, allowing simultaneous reads and writes to multiple replicated databases by clients. Replicated databases pose additional integrity challenges. A two-phase (or multiphase) commit can be used to assure integrity.
A shadow database is similar to a replicated database, with one key difference: a shadow database mirrors all changes made to a primary database, but clients do not access the shadow. Unlike replicated databases, the shadow database is one-way.
2. An object acts differently, depending on the context of the input message. What Object-Oriented Programming concept does this illustrate?
A. Delegation
B. Inheritance
C. Polyinstantiation
D. Polymorphism
3. What type of database language is used to create, modify, and delete tables?
A. Data Definition Language (DDL)
B. Data Manipulation Language (DML)
C. Database Management System (DBMS)
D. Structured Query Language (SQL)
4. A database contains an entry with an empty primary key. What database concept has been violated?
A. Entity integrity
B. Normalization
C. Referential integrity
D. Semantic integrity
5. Which vulnerability allows a third party to redirect predictable content within the security context of an authenticated user?
A. Cross-Site Request Forgery (CSRF)
B. Cross-Site Scripting (XSS)
C. PHP Remote File Inclusion (RFI)
D. SQL Injection
foreign key in a secondary table matches a primary key in the parent table: if this is not true, referential integrity has been broken. Semantic integrity means each attribute (column) value is consistent with the attribute data type.
5. Correct answer and explanation: A. Answer A is correct; Cross-Site Request Forgery (CSRF) makes a victim's browser send a request the attacker chose (predictable, static content such as a fixed URL) to a site on which the victim is authenticated, so the request is processed within the security context of that user.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Cross-Site Scripting (XSS) is third-party execution of a web scripting language (such as JavaScript) within the security context of a trusted site. XSS is similar to CSRF; the difference is XSS uses active code. PHP Remote File Inclusion (RFI) alters normal PHP variables to reference remote content, which can lead to execution of malicious PHP code. SQL injection manipulates a back-end SQL server via a front-end Web server, by supplying input that the application concatenates into a query.
CHAPTER 5
Domain 5: Cryptography
Abstract
This chapter presents Domain 5: Cryptography, another rather technical domain of the CISSP. It presents the key cryptographic concepts of authentication and nonrepudiation in addition to confidentiality and integrity, which are concepts presented in many of the domains. Beyond the foundational operations such as substitution and permutation and the types of cryptosystems (symmetric, asymmetric, and hashing), this chapter also introduces the key modes of operation for symmetric cryptosystems: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB), and Counter Mode (CTR). An additional goal of this chapter is presenting key characteristics of those cryptographic algorithms most likely to be seen on the CISSP.
KEYWORDS
Plaintext; Ciphertext; Cryptography; Cryptanalysis; Cryptology; Symmetric encryption; Asymmetric encryption; Hash function; Digital signature; Nonrepudiation
Cryptographic Attacks
Implementing Cryptography
Introduction
Cryptography is secret writing: secure communication that may be understood by the intended recipient only. While the fact that data is being transmitted may be known, the content of that data should remain unknown to third parties. Data in motion (moving on a network) and at rest (stored on a device such as a disk) may be encrypted.
Cryptology is the science of secure communications. Cryptography creates messages whose meaning is hidden; cryptanalysis is the science of breaking encrypted messages (recovering their meaning). Many use the term "cryptography" in place of "cryptology": it is important to remember that cryptology encompasses both cryptography and cryptanalysis.
A cipher is a cryptographic algorithm. A plaintext is an unencrypted message. Encryption converts the plaintext to a ciphertext. Decryption turns a ciphertext back into a plaintext.
Confidentiality, integrity, authentication, and nonrepudiation
Cryptography can provide confidentiality (secrets remain secret) and integrity (data is not altered in an unauthorized manner); it is important to note that it does not directly provide availability. Cryptography can also provide authentication (proving an identity claim).
Additionally, cryptography can provide nonrepudiation, which is an assurance that a specific user performed a specific transaction and that the transaction did not change. Nonrepudiation requires asymmetric cryptography, a key that only one party holds: a shared symmetric key cannot provide it, because either holder could have produced the message.
Substitution and permutation
Cryptographic substitution replaces one character for another; this provides confusion. Permutation (also called transposition) provides diffusion by rearranging the characters of the plaintext, anagram-style. "ATTACK AT DAWN" can be rearranged to "CAAKDTANTATW," for example. Substitution and permutation are often combined.
Did You Know?
Strong encryption destroys patterns. If a single bit of plaintext changes, the odds of every bit of resulting ciphertext changing should be 50/50. Any signs of nonrandomness may be used as clues to a cryptanalyst, hinting at the underlying order of the original plaintext or key.
Cryptographic strength
Good encryption is strong: for key-based encryption, it should be very difficult (and ideally impossible) to convert a ciphertext back to a plaintext without the key. The work factor describes how long it will take to break a cryptosystem (decrypt a ciphertext without the key).
Secrecy of the cryptographic algorithm does not provide strength; in fact, secret algorithms are often proven quite weak once they leak or are reverse engineered. Strong crypto relies on math, not secrecy, to provide strength: a system must remain secure when everything about it except the key is public (Kerckhoffs's principle). Ciphers that have stood the test of time are public algorithms, such as the Triple Data Encryption Standard (TDES) and the Advanced Encryption Standard (AES).
Monoalphabetic and polyalphabetic ciphers
A monoalphabetic cipher uses one alphabet: a specific letter (like "E") is substituted for another (like "X"). A polyalphabetic cipher uses multiple alphabets: "E" may be substituted for "X" one round and then "S" the next round.
Monoalphabetic ciphers are susceptible to frequency analysis. Polyalphabetic ciphers attempt to address this issue via the use of multiple alphabets.
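To make the frequency-analysis weakness concrete, here is an added Python example (not from the book) that implements a monoalphabetic substitution cipher and a columnar transposition, then recovers a Caesar shift with no key by scoring each of the 26 candidate decryptions against English letter frequencies. The sample message and the substitution key alphabet are constructed for this example; the English frequency table is the usual approximate percentages.

```python
import string
from collections import Counter

ALPHABET = string.ascii_uppercase

# Approximate frequency (percent) of each letter in English prose: the reference
# distribution that frequency analysis compares a candidate decryption against
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def substitute(text, cipher_alphabet):
    """Monoalphabetic substitution: A -> cipher_alphabet[0], B -> cipher_alphabet[1],
    and so on; characters outside the alphabet pass through unchanged."""
    return text.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))


def invert_alphabet(cipher_alphabet):
    """The decryption alphabet for a substitution key."""
    return "".join(ALPHABET[cipher_alphabet.index(c)] for c in ALPHABET)


def caesar_alphabet(shift):
    """Caesar cipher: the special case whose cipher alphabet is a rotation."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def columnar_transposition(text, columns):
    """Permutation: the same letters rearranged, so the letter histogram is unchanged."""
    letters = [c for c in text.upper() if c in ALPHABET]
    return "".join("".join(letters[i::columns]) for i in range(columns))


def letter_counts(text):
    return Counter(c for c in text.upper() if c in ALPHABET)


def most_common_letter(text):
    """The analyst's first guess: the most frequent ciphertext letter stands for E or T."""
    return letter_counts(text).most_common(1)[0][0]


def chi_squared(text):
    """Distance between the text's letter histogram and English; lower is more English-like."""
    counts = letter_counts(text)
    n = sum(counts.values())
    total = 0.0
    for c in ALPHABET:
        expected = n * ENGLISH_FREQ[c] / 100
        total += (counts[c] - expected) ** 2 / expected
    return total


def break_caesar(ciphertext):
    """Frequency analysis against a Caesar cipher: try all 26 shifts and keep the one
    whose output looks most like English. No key is needed."""
    best = min(range(26), key=lambda s: chi_squared(substitute(ciphertext, caesar_alphabet(-s))))
    return best, substitute(ciphertext, caesar_alphabet(-best))


# Constructed sample message (long enough for letter statistics to show through)
PLAIN = ("ATTACK AT DAWN AND SEND THE DETECTIVES TO THE STATION "
         "BEFORE THE CAPTAIN RETURNS FROM THE MEETING")
KEY_ALPHABET = "QWERTYUIOPASDFGHJKLZXCVBNM"   # an arbitrary monoalphabetic key

if __name__ == "__main__":
    ct = substitute(PLAIN, caesar_alphabet(11))
    print(ct)
    print(break_caesar(ct))                      # (11, PLAIN)
    print(most_common_letter(substitute(PLAIN, KEY_ALPHABET)))   # 'Z', the image of T
```

Transposition alone fares no better than substitution alone: `chi_squared(columnar_transposition(PLAIN, 5))` equals `chi_squared(PLAIN)`, which tells the analyst immediately that the letters are merely shuffled. Only combining the two, with the alphabet changing from position to position, starts to flatten the statistics.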
Exclusive Or (XOR)
Exclusive Or (XOR) is the "secret sauce" behind modern encryption. Combining a key with a plaintext via XOR creates a ciphertext. XORing the same key to the ciphertext restores the original plaintext. XOR math is fast and simple.
The XOR of two bits is true (or 1) if one or the other (exclusively, not both) is 1. In other words, if two bits are different, the answer is 1 (true). If two bits are the same, the answer is 0 (false). XOR uses a truth table, shown in Table 5.1. This dictates how to combine the bits of a key and plaintext.
Table 5.1
XOR Truth Table
X  Y  X XOR Y
0  0  0
0  1  1
1  0  1
1  1  0
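The short Python example below (added here, not the book's code) shows XOR encryption being its own inverse, and the practical consequence the truth table implies: because the key cancels out when two ciphertexts made with the same key are XORed together, reusing a key or a stream-cipher keystream hands the attacker the XOR of the two plaintexts, from which a guessed fragment of one message ("crib dragging") reveals the other. The two messages and the key are constructed sample values.

```python
def xor_bytes(a, b):
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext, key):
    """Ciphertext = plaintext XOR key. Decryption is the same operation, because
    (p XOR k) XOR k == p for every bit."""
    return xor_bytes(plaintext, key)


decrypt = encrypt   # XOR is its own inverse


def keystream_reuse_leak(c1, c2):
    """Two ciphertexts made with the same key XOR to the XOR of their plaintexts:
    (p1 ^ k) ^ (p2 ^ k) == p1 ^ p2. The key has cancelled out."""
    return xor_bytes(c1, c2)


def crib_drag(p1_xor_p2, crib, offset):
    """Given p1 ^ p2 and a guessed fragment (a 'crib') of one message at some offset,
    XORing the crib back in reveals the other message at that position, with no key."""
    segment = p1_xor_p2[offset:offset + len(crib)]
    return xor_bytes(segment, crib)


# Constructed sample: two 14-byte messages and one 14-byte key wrongly used for both
MESSAGE_1 = b"ATTACK AT DAWN"
MESSAGE_2 = b"RETREAT NOW!!!"
KEY = bytes([0x3A, 0xC1, 0x77, 0x08, 0xE9, 0x5D, 0x12, 0xB4, 0x6F, 0x90, 0x23, 0xDA, 0x81, 0x4C])

if __name__ == "__main__":
    c1, c2 = encrypt(MESSAGE_1, KEY), encrypt(MESSAGE_2, KEY)
    print(decrypt(c1, KEY))                                   # b'ATTACK AT DAWN'
    leak = keystream_reuse_leak(c1, c2)
    print(crib_drag(leak, b"ATTACK", 0))                      # b'RETREA'
```

With a key as long as the message and never reused this is the one-time pad, which is unbreakable; every practical stream cipher (and CTR mode, below) is a way of stretching a short key into a long keystream, and inherits exactly this reuse failure.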
Types of cryptography
There are three primary types of modern cryptography: symmetric, asymmetric, and hashing. Symmetric encryption uses one key: the same key encrypts and decrypts. Asymmetric cryptography uses two keys: if you encrypt with one key, you may decrypt with the other. Hashing is a one-way cryptographic transformation using an algorithm (and no key).
Cryptographic protocol governance describes the process of selecting the right method (cipher) and implementation for the right job, typically at an organization-wide scale. For example, a digital signature provides authentication and integrity, but not confidentiality. Symmetric ciphers are primarily used for confidentiality, and AES is preferable over DES for strength and performance reasons (which we will also discuss later).
SYMMETRIC ENCRYPTION
Symmetric encryption uses one key to encrypt and decrypt. If you encrypt a zip file and then decrypt with the same key, you are using symmetric encryption. Symmetric encryption is also called "secret key" encryption: the key must be kept secret from third parties. Strengths include speed and cryptographic strength per bit of key. The major weakness is that the key must be securely shared before two parties may communicate securely. Symmetric keys are often shared via an out-of-band method, such as via face-to-face discussion.
Stream and block ciphers
Symmetric encryption may have stream and block modes. Stream mode means each bit (or byte) is encrypted independently as it arrives, by combining it with a keystream. Block mode ciphers encrypt fixed-size blocks of data each round: 64-bit blocks for the Data Encryption Standard (DES) and 128-bit blocks for AES, for example (AES keys are 128, 192, or 256 bits, but the block is always 128 bits). Block ciphers can emulate stream ciphers by running in a feedback or counter mode that produces a keystream and encrypts units as small as one bit; they are still considered block ciphers.
Initialization vectors and chaining
An initialization vector (IV) is used in some symmetric cipher modes to ensure that the first encrypted block of data is randomized. This ensures that identical plaintexts encrypt to different ciphertexts. Also, as Bruce Schneier notes in Applied Cryptography, "Even worse, two messages that begin the same will encrypt the same way up to the first difference. Some messages have a common header: a letterhead, or a 'From' line, or whatever." Initialization vectors solve this problem, provided they are never reused with the same key: CBC needs an unpredictable (random) IV, while CTR needs only a unique nonce, but a repeated CTR nonce reveals the XOR of the two plaintexts.
Chaining (called feedback in stream modes) seeds the previous encrypted block into the next block to be encrypted. This destroys patterns in the resulting ciphertext. DES Electronic Code Book mode (see below) does not use an initialization vector or chaining, and patterns can be clearly visible in the resulting ciphertext.
DES
DES is the Data Encryption Standard, which describes the Data Encryption Algorithm (DEA). IBM designed DES, based on their older Lucifer symmetric cipher. It uses a 64-bit block size (meaning it encrypts 64 bits each round) and a 56-bit key (the key is written as 64 bits, but 8 of those are parity bits, so only 56 are secret).
Exam Warning
Even though DES is commonly referred to as an algorithm, DES is technically the name of the published standard that describes DEA. It may sound like splitting hairs, but that is an important distinction to keep in mind on the exam. DEA may be the best answer for a question regarding the algorithm itself.
Modes of DES
DES can use five different modes to encrypt data. The modes' primary differences are block versus (emulated) stream, the use of initialization vectors, and whether errors in encryption will propagate to subsequent blocks.
Fast Facts
The five modes of DES are:
Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter Mode (CTR)
ECB, CBC, CFB, and OFB were specified for DES in FIPS Publication 81 (see http://www.itl.nist.gov/fipspubs/fip81.htm). CTR mode is the newest mode, described in NIST Special Publication 800-38A (see http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf). The modes are not specific to DES: the same five modes apply to any block cipher, including AES.
Electronic Code Book
Electronic Code Book (ECB) is the simplest and weakest form of DES. It uses no initialization vector or chaining. Identical plaintexts with identical keys encrypt to identical ciphertexts. Two plaintexts with partial identical portions (such as the header of a letter) encrypted with the same key will have partial identical ciphertext portions. Because every repeated plaintext block shows up as a repeated ciphertext block, ECB should not be used for anything longer than a single block.
Cipher Block Chaining
Cipher Block Chaining (CBC) mode is a block mode of DES that XORs the previous block of ciphertext to the next block of plaintext to be encrypted. The first plaintext block has no previous ciphertext, so it is XORed with an initialization vector containing random data. This chaining destroys patterns. One limitation of CBC mode is that errors propagate: an error made while encrypting one block cascades through every subsequent ciphertext block, because each depends on the one before it. A bit error in transmitted ciphertext is more contained: it garbles the block it occurred in and flips the corresponding bit of the next plaintext block, after which decryption resynchronizes.
Cipher Feedback
Cipher Feedback (CFB) mode is very similar to CBC; the primary difference is CFB is a stream mode. It uses feedback (the name for chaining when used in stream modes) to destroy patterns. Like CBC, CFB uses an initialization vector and destroys patterns, and errors propagate.
Output Feedback
Output Feedback (OFB) mode differs from CFB in the way feedback is accomplished. CFB uses the previous ciphertext for feedback. The previous ciphertext is the subkey XORed to the plaintext. OFB feeds back the subkey itself, before it is XORed to the plaintext. Since the subkey is not affected by encryption errors, errors will not propagate.
Counter
Counter (CTR) mode is like OFB; the difference again is in how the keystream is produced: CTR mode uses a counter. Instead of feeding anything back, each keystream block is the encryption of a nonce concatenated with an ascending block number. This mode shares the same advantages as OFB (patterns are destroyed and errors do not propagate) with an additional advantage: since each block's keystream depends only on its position, not on the previous block, CTR mode encryption and decryption can be done in parallel, and any block can be decrypted without touching the ones before it.
Table 5.2 summarizes the five modes of DES.
Table 5.2
Modes of DES Summary
Mode  Type             IV/nonce  Chaining or feedback   Errors propagate  Parallel encryption
ECB   block            none      none                   no                yes
CBC   block            IV        previous ciphertext    yes               no (decryption: yes)
CFB   emulated stream  IV        previous ciphertext    yes               no (decryption: yes)
OFB   emulated stream  IV        previous keystream     no                no
CTR   emulated stream  nonce     none (counter)         no                yes
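The following Python example, added here and not part of the book, implements ECB, CBC, and CTR as generic modes around a small block cipher, and then demonstrates the three properties the summary table records: ECB repeating identical blocks, CBC containing a ciphertext bit error to the damaged block plus one bit of the next, and CTR needing no chaining. The underlying cipher is a toy 64-bit Feistel network built from SHA-256 so that the file runs with the standard library alone; it is not DES, and it must not be used for anything real. The key, IV, nonce, and repeated-header plaintext are constructed sample values; inputs to ECB and CBC must be a multiple of 8 bytes, since no padding is implemented.

```python
import hashlib

BLOCK = 8  # bytes: a 64-bit block like DES, but the cipher below is a toy, not DES


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def _subkeys(key, rounds=8):
    # Toy key schedule: one 8-byte subkey per round, derived with SHA-256
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(rounds)]


def _feistel(block, subkeys):
    # A Feistel network is a permutation for any round function, so decryption is
    # the same network run with the subkeys in reverse order
    left, right = block[:4], block[4:]
    for k in subkeys:
        f = hashlib.sha256(k + right).digest()[:4]   # keyed round function
        left, right = right, xor_bytes(left, f)
    return right + left


def block_encrypt(key, block):
    return _feistel(block, _subkeys(key))


def block_decrypt(key, block):
    return _feistel(block, list(reversed(_subkeys(key))))


def split_blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """ECB: each block on its own; identical blocks give identical ciphertext."""
    return b"".join(block_encrypt(key, b) for b in split_blocks(plaintext))


def cbc_encrypt(key, iv, plaintext):
    """CBC: XOR the previous ciphertext block (the IV for the first) into each plaintext block."""
    out, prev = [], iv
    for b in split_blocks(plaintext):
        prev = block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for b in split_blocks(ciphertext):
        out.append(xor_bytes(block_decrypt(key, b), prev))
        prev = b
    return b"".join(out)


def ctr_crypt(key, nonce, data):
    """CTR: keystream block i = E_k(nonce || i). No chaining, so blocks are independent
    (parallelizable), a partial last block is fine, and decryption is the same call."""
    out = []
    for i, b in enumerate(split_blocks(data)):
        keystream = block_encrypt(key, nonce + i.to_bytes(4, "big"))
        out.append(xor_bytes(b, keystream))
    return b"".join(out)


def ecb_leaks_pattern(key, plaintext):
    """True if the ciphertext contains a repeated block: the ECB weakness."""
    blocks = split_blocks(ecb_encrypt(key, plaintext))
    return len(set(blocks)) < len(blocks)


def cbc_error_propagation(key, iv, plaintext):
    """Flip one bit of ciphertext block 1 and decrypt. Returns the indexes of the
    damaged plaintext blocks and the XOR difference seen in block 2: block 1 is
    garbage, block 2 has exactly the one bit flipped, later blocks are intact."""
    ct = bytearray(cbc_encrypt(key, iv, plaintext))
    ct[BLOCK] ^= 0x01
    decrypted = split_blocks(cbc_decrypt(key, iv, bytes(ct)))
    original = split_blocks(plaintext)
    damaged = [i for i in range(len(original)) if decrypted[i] != original[i]]
    return damaged, xor_bytes(decrypted[2], original[2])


# Constructed sample values: a repeated 8-byte header is exactly what ECB exposes
KEY = b"toy key, not DES"
IV = bytes(range(8))
NONCE = b"\x00\x00\x00\x01"
HEADER = b"HEADER::" * 4

if __name__ == "__main__":
    print(ecb_leaks_pattern(KEY, HEADER))                 # True
    print(len(set(split_blocks(cbc_encrypt(KEY, IV, HEADER)))))   # 4 distinct blocks
    print(cbc_error_propagation(KEY, IV, HEADER))         # ([1, 2], b'\x01\x00...')
    msg = b"21 bytes, not a block"
    print(ctr_crypt(KEY, NONCE, ctr_crypt(KEY, NONCE, msg)) == msg)   # True
```

The error-propagation result is worth reading closely: CBC decryption resynchronizes after two blocks, which is why the "errors propagate" row in the table describes encryption-side errors and deliberate ciphertext tampering rather than an avalanche through the whole message. It also shows why CBC without a separate integrity check (a MAC) is dangerous: an attacker can flip chosen bits of plaintext block i+1 by flipping the same bits of ciphertext block i.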
Single DES
Single DES is the original implementation of DES, encrypting 64-bit blocks of data with a 56-bit key, using 16 rounds of encryption. The work factor required to break DES was reasonable in 1976, but advances in CPU speed and parallel architecture have made DES weak to a brute-force key attack today, where every possible key is generated and attempted: the 2^56 keyspace was searched by purpose-built hardware in less than a day as early as 1999.
Triple DES
Triple DES applies single DES encryption three times per block. Formally called the Triple Data Encryption Algorithm (TDEA) and commonly called TDES or 3DES, it became a recommended standard in 1999.
Triple DES encryption order and keying options
Triple DES applies DES encryption three times per block. FIPS 46-3 describes Encrypt, Decrypt, Encrypt (EDE) order using three keying options: one, two, or three unique keys (called 1TDES EDE, 2TDES EDE, and 3TDES EDE, respectively). EDE order was chosen so that 1TDES EDE, where all three keys are the same, reduces to single DES for backward compatibility; it adds no strength. 2TDES EDE has a 112-bit key and 3TDES EDE a 168-bit key, but the meet-in-the-middle attack described later in this chapter limits the effective strength of 3TDES to about 112 bits. NIST has since deprecated Triple DES in favor of AES.
International Data Encryption Algorithm
The International Data Encryption Algorithm (IDEA) is a symmetric block cipher designed as an international replacement for DES. The IDEA algorithm was patented in many countries (the patents have since expired). It uses a 128-bit key and 64-bit block size.
Advanced Encryption Standard
The Advanced Encryption Standard (AES) is the current U.S. standard symmetric block cipher. AES uses 128-bit (with 10 rounds of encryption), 192-bit (12 rounds of encryption), or 256-bit (14 rounds of encryption) keys to encrypt 128-bit blocks of data.
Choosing AES
The U.S. National Institute of Standards and Technology (NIST) solicited input on a replacement for DES in the Federal Register in January 1997. Fifteen AES candidates were announced in August 1998, and the list was reduced to five in August 1999. Table 5.3 lists the five AES finalists.
Table 5.3
Five AES Finalists
MARS
RC6
Rijndael
Serpent
Twofish
Rijndael was chosen and became AES. AES has four functions: SubBytes, ShiftRows, MixColumns, and AddRoundKey.
Blowfish and Twofish
Blowfish and Twofish are symmetric block ciphers created by teams led by Bruce Schneier, author of Applied Cryptography. Blowfish uses 32- through 448-bit (the default is 128) keys to encrypt 64-bit blocks of data. Twofish was an AES finalist, encrypting 128-bit blocks using 128- through 256-bit keys. Both are open algorithms, unpatented, and freely available.
RC5 and RC6
RC5 and RC6 are symmetric block ciphers by RSA Laboratories. RC5 uses 32- (testing purposes), 64- (replacement for DES), or 128-bit blocks. The key size ranges from 0 to 2040 bits.
RC6 was an AES finalist. It is based on RC5, altered to meet the AES requirements. It is also stronger than RC5, encrypting 128-bit blocks using 128-, 192-, or 256-bit keys.
ASYMMETRIC ENCRYPTION
Asymmetric encryption uses two keys: if you encrypt with one key, you may decrypt with the other. One key may be made public (called the public key); asymmetric encryption is also called public key encryption for this reason. Anyone who wants to communicate with you may simply download your publicly posted public key and use it to encrypt their plaintext. Once encrypted, your public key cannot decrypt the ciphertext: only your private key can do so. As the name implies, your private key must be kept private and secure.
Additionally, any message "encrypted" with the private key may be "decrypted" with the public key. This is typically used for digital signatures, as we will see shortly. Because the public key is public, this provides no confidentiality: it proves who produced the message, not who may read it.
Asymmetric methods
Math lies behind the asymmetric breakthrough. These methods use one-way functions, which are easy to compute one way and difficult to compute in the reverse direction.
Factoring prime numbers
An example of a one-way function is factoring a composite number into its primes. Multiplying the prime number 6269 by the prime number 7883 results in the composite number 49,418,527. That way is quite easy to compute, taking milliseconds on a calculator. Answering the question "which prime number times which prime number equals 49,418,527?" is much more difficult. That problem is called factoring, and no efficient general method for it has been found in hundreds of years of trying. This is the basis of the RSA algorithm. Note the word "efficient": a 27-bit number like 49,418,527 falls to trial division in a fraction of a second, which is why real RSA moduli are 2048 bits or longer. A sufficiently large quantum computer running Shor's algorithm would also factor efficiently, which is why post-quantum replacements are being standardized.
Discrete logarithm
A logarithm is the opposite of exponentiation. Computing 7 to the 13th power (exponentiation) is easy on a modern calculator: 96,889,010,407. Asking the question "96,889,010,407 is 7 to what power?" (finding the logarithm) is harder by hand, though over the real numbers a calculator's log key answers it instantly. Discrete logarithms ask the same question in a finite group, such as the integers modulo a large prime, where values wrap around and no such shortcut is known; that is the much harder problem. This one-way function is the basis of the Diffie-Hellman and ElGamal asymmetric algorithms.
Diffie-Hellman Key Agreement Protocol
Key agreement allows two parties to securely agree on a symmetric key via a public channel, such as the Internet, with no prior key exchange. An attacker who is able to sniff the entire conversation is unable to derive the exchanged key. Whitfield Diffie and Martin Hellman created the Diffie-Hellman Key Agreement Protocol (also called the Diffie-Hellman Key Exchange) in 1976. Diffie-Hellman uses discrete logarithms to provide security. By itself, Diffie-Hellman authenticates nobody: an active attacker who can intercept and replace messages can run one exchange with each party (a man-in-the-middle attack), so in practice the exchanged values are signed or otherwise authenticated, as TLS and IKE do.
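As an added worked example (not from the book), the Python below factors the book's 49,418,527 by trial division to show how cheap the "hard" problem is at toy sizes, then runs a complete Diffie-Hellman exchange and plays the eavesdropper with baby-step giant-step, a generic discrete-logarithm solver whose cost grows with the square root of the group size. The group is a toy: p = 2^31 - 1 (a Mersenne prime) with generator 7 (a primitive root modulo that prime), chosen so the attack finishes in under a second; a real deployment uses 2048-bit groups from RFC 3526 or RFC 7919, or elliptic curves, where the same attack would take about 2^1024 steps.

```python
import hashlib
import math
import random


def trial_division(n):
    """Factor n by trial division. Work grows like sqrt(n): instant for the book's
    27-bit example, hopeless for the 2048-bit moduli real RSA keys use."""
    factors, d = [], 2
    while d * d <= n:
        while n % d == 0:
            factors.append(d)
            n //= d
        d += 1 if d == 2 else 2
    if n > 1:
        factors.append(n)
    return factors


# Toy Diffie-Hellman group (illustration only): p is the Mersenne prime 2^31 - 1
# and 7 is a primitive root modulo p, so 7 generates the whole multiplicative group.
P = 2**31 - 1
G = 7


def dh_keypair(p=P, g=G, rng=random.SystemRandom()):
    """The private exponent stays secret; the public value g^a mod p goes over the wire."""
    private = rng.randrange(2, p - 1)
    return private, pow(g, private, p)


def dh_shared_secret(their_public, my_private, p=P):
    """Both sides compute the same number: (g^b)^a = (g^a)^b mod p."""
    return pow(their_public, my_private, p)


def derive_symmetric_key(shared_secret):
    """Key agreement yields a group element; hash it to get a symmetric key for AES etc."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def baby_step_giant_step(h, g=G, p=P):
    """The eavesdropper's job: solve g^x = h mod p. This generic method needs about
    sqrt(p) steps and sqrt(p) table entries: 2^16 here, 2^1024 for a 2048-bit prime."""
    m = math.isqrt(p) + 1
    table, baby = {}, 1
    for j in range(m):                  # baby steps: g^0 .. g^(m-1)
        table.setdefault(baby, j)
        baby = baby * g % p
    giant_factor = pow(g, p - 1 - m, p)  # g^(-m) mod p, by Fermat's little theorem
    gamma = h
    for i in range(m):                  # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma]
        gamma = gamma * giant_factor % p
    return None


if __name__ == "__main__":
    print(trial_division(6269 * 7883))            # [6269, 7883]
    a, A = dh_keypair()                            # Alice
    b, B = dh_keypair()                            # Bob
    k_alice = dh_shared_secret(B, a)               # Alice uses Bob's public value
    k_bob = dh_shared_secret(A, b)                 # Bob uses Alice's
    print(k_alice == k_bob, derive_symmetric_key(k_alice).hex())
    x = baby_step_giant_step(A)                    # eavesdropper recovers Alice's exponent
    print(x == a, dh_shared_secret(B, x) == k_alice)
```

The exchange itself sends only A and B in the clear, so a passive sniffer must solve the discrete logarithm; the solver above is exactly what makes small groups worthless. It also does nothing about an active attacker who substitutes his own A and B, which is the reason the passage above stresses authenticating the exchange.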
Elliptic Curve Cryptography
ECC leverages a one-way function that uses discrete logarithms as applied to elliptic curves. Solving this problem is harder than solving discrete logarithms in ordinary integer groups, so algorithms based on Elliptic Curve Cryptography (ECC) are much stronger per bit than systems using discrete logarithms (and also stronger than factoring): a 256-bit ECC key offers security comparable to a 3072-bit RSA key. ECC requires less computational resources because shorter keys can be used compared to other asymmetric methods. ECC is often used in lower-power devices for this reason.
Asymmetric and symmetric trade-offs
Asymmetric encryption is far slower than symmetric encryption and is also weaker per bit of key length. The strength of asymmetric encryption is the ability to securely communicate without pre-sharing a key. In practice the two are combined: asymmetric cryptography establishes or transports a symmetric key, and the symmetric cipher encrypts the bulk of the data.
HASH FUNCTIONS
A hash function is a one-way cryptographic transformation using an algorithm and no key. It is not encryption: there is no key, and nothing can be decrypted. They are called one-way hash functions because the transformation cannot be reversed. A variable-length plaintext is hashed into a (typically) fixed-length hash value (often called a message digest or simply a hash). Hash functions are primarily used to provide integrity: if the hash of a plaintext changes, the plaintext itself has changed. Common older hash functions include Secure Hash Algorithm 1 (SHA-1), which creates a 160-bit hash, and Message Digest 5 (MD5), which creates a 128-bit hash. Weaknesses have been found in both MD5 and SHA-1 (practical collisions have been demonstrated for both); newer alternatives such as SHA-2 and SHA-3 are recommended.
MD5
MD5 is the Message Digest algorithm 5, created by Ronald Rivest. It is the most widely used of the MD family of hash algorithms. MD5 creates a 128-bit hash value based on any input length. MD5 has been quite popular over the years, but weaknesses have been discovered where collisions could be found in a practical amount of time. MD6 is the newest version of the MD family of hash algorithms, first published in 2008.
Secure Hash Algorithm
Secure Hash Algorithm is the name of a series of hash algorithms. SHA-1 creates a 160-bit hash value. SHA-2 includes SHA-224, SHA-256, SHA-384, and SHA-512, named after the length of the message digest each creates.
HAVAL
HAVAL (Hash of Variable Length) is a hash algorithm that creates message digests of 128, 160, 192, 224, or 256 bits in length, using 3, 4, or 5 rounds. HAVAL uses some of the design principles behind the MD family of hash algorithms and is faster than MD5.
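The Python below is an added example (not the book's) using the standard hashlib module to show the digest sizes named above, the avalanche property from the "Did You Know" box measured directly (flip one input bit, count the output bits that change), and an integrity check done with a constant-time comparison. The sample message is constructed; the empty-string SHA-256 value is the published reference digest.

```python
import hashlib
import hmac


def digest_bits(algorithm):
    """Output length in bits: 128 for MD5, 160 for SHA-1, 256 for SHA-256."""
    return hashlib.new(algorithm).digest_size * 8


def hexdigest(algorithm, data):
    return hashlib.new(algorithm, data).hexdigest()


def differing_bits(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_ratio(algorithm, data):
    """Flip one input bit and measure the fraction of output bits that change.
    A sound hash gives about 0.5: each output bit flips with 50/50 odds."""
    flipped = bytes([data[0] ^ 0x01]) + data[1:]
    d1 = hashlib.new(algorithm, data).digest()
    d2 = hashlib.new(algorithm, flipped).digest()
    return differing_bits(d1, d2) / (len(d1) * 8)


def verify_integrity(data, expected_hexdigest, algorithm="sha256"):
    """Integrity check: recompute the digest and compare in constant time. A plain
    == comparison stops at the first mismatch, which leaks information through timing
    when the expected value is secret (as with MACs); compare_digest does not."""
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, expected_hexdigest)


# Constructed sample input, plus the published SHA-256 digest of the empty string
SAMPLE = b"attack at dawn"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __name__ == "__main__":
    for alg in ("md5", "sha1", "sha256"):
        print(alg, digest_bits(alg), hexdigest(alg, SAMPLE))
    print(avalanche_ratio("sha256", SAMPLE))          # close to 0.5
    reference = hexdigest("sha256", SAMPLE)
    print(verify_integrity(SAMPLE, reference))        # True
    print(verify_integrity(b"attack at dusk", reference))   # False
```

A hash alone verifies integrity only against accidental change: anyone who can alter the data can recompute the digest. Binding the digest to a key, as an HMAC (IPsec) or a digital signature (next section) does, is what turns it into authentication.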
CRYPTOGRAPHIC ATTACKS
Cryptographic attacks are used by cryptanalysts to recover the plaintext without the key. Please remember that recovering the key (sometimes called "steal the key") is usually easier than breaking modern encryption. This is what law enforcement typically does when faced with a suspect using cryptography: they obtain a search warrant and attempt to recover the key.
Brute force
A brute-force attack generates the entire keyspace, which is every possible key. Given enough time, the plaintext will be recovered. The work is proportional to the number of keys, so every additional key bit doubles it: the 2^56 DES keys were searched in under a day in 1999, while the 2^128 AES keyspace is beyond any foreseeable hardware.
Known plaintext
A known-plaintext attack relies on recovering and analyzing a matching plaintext and ciphertext pair: the goal is to derive the key that was used. You may be wondering why you would need the key if you already have the plaintext: recovering the key would allow you to decrypt other ciphertexts encrypted with the same key.
Chosen plaintext and adaptive-chosen plaintext
A cryptanalyst chooses the plaintext to be encrypted in a chosen-plaintext attack; the goal is to derive the key. Encrypting without knowing the key is done via an "encryption oracle," or a device that encrypts without revealing the key.
Adaptive-chosen plaintext begins with a chosen-plaintext attack in round 1. The cryptanalyst then adapts further rounds of encryption based on the previous round.
Chosen ciphertext and adaptive-chosen ciphertext
A chosen-ciphertext attack is the mirror image: the cryptanalyst chooses ciphertexts and obtains their decryptions from a "decryption oracle" (a system that decrypts without revealing the key), then uses the results to recover the key or to decrypt some other target ciphertext. The adaptive variant chooses each ciphertext based on the results of the previous ones. Such attacks are usually launched against asymmetric cryptosystems, where anyone can produce ciphertexts with the public key.
Meet in the middle
A meet-in-the-middle attack encrypts on one side, decrypts on the other side, and meets in the middle. The most common attack is against double DES, which encrypts with two keys in encrypt, encrypt order. The attack is a known-plaintext attack: the attacker has a copy of a matching plaintext and ciphertext and seeks to recover the two keys used to encrypt. Encrypting the plaintext under every possible first key, decrypting the ciphertext under every possible second key, and looking for a matching intermediate value costs about 2 x 2^56 operations (plus the storage for one table) instead of the 2^112 a brute-force search of both keys would need. This is why double DES was never standardized, and why the three keys of Triple DES yield only about 112 bits of effective strength.
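To show the meet-in-the-middle trade of time for memory in a size that actually runs, here is an added Python example, not from the book, attacking "double encryption" with a toy 32-bit block cipher that has a 16-bit key. Brute force over both keys would try 2^32 pairs; the attack below tries about 2 x 2^16 and recovers both keys from three known plaintext/ciphertext pairs in well under a second. The toy cipher is constructed for this demonstration and shares nothing but the block/key idea with DES; the secret keys and plaintexts are likewise constructed.

```python
MASK = 0xFFFFFFFF


def _rotl(x, r):
    return ((x << r) | (x >> (32 - r))) & MASK


def _rotr(x, r):
    return ((x >> r) | (x << (32 - r))) & MASK


def toy_encrypt(key16, block):
    """Toy 32-bit block cipher with a 16-bit key. 2^16 keys means one instance falls
    to brute force instantly, which is what keeps this runnable. Illustration only:
    it has none of DES's design and no security."""
    k = key16 * 0x10001                 # repeat the 16-bit key into 32 bits
    for _ in range(4):
        block = _rotl((block + k) & MASK, 7) ^ k
    return block


def toy_decrypt(key16, block):
    k = key16 * 0x10001
    for _ in range(4):                  # undo the rounds in reverse
        block = (_rotr(block ^ k, 7) - k) & MASK
    return block


def double_encrypt(k1, k2, block):
    """'Double toy': encrypt under k1, then again under k2. The naive key length is
    32 bits, so a brute-force search would try up to 2^32 key pairs."""
    return toy_encrypt(k2, toy_encrypt(k1, block))


def meet_in_the_middle(pairs):
    """Known-plaintext attack costing about 2 x 2^16 cipher operations: encrypt the
    first plaintext forward under every k1 (table), decrypt its ciphertext backward
    under every k2, and look for a match in the middle. The remaining pairs weed out
    chance matches."""
    (p0, c0), rest = pairs[0], pairs[1:]
    forward = {}
    for k1 in range(1 << 16):
        forward.setdefault(toy_encrypt(k1, p0), []).append(k1)
    for k2 in range(1 << 16):
        middle = toy_decrypt(k2, c0)
        for k1 in forward.get(middle, ()):
            if all(double_encrypt(k1, k2, p) == c for p, c in rest):
                return k1, k2
    return None


# Constructed known-plaintext pairs under secret keys the attacker does not know
SECRET_K1, SECRET_K2 = 0x1234, 0xBEEF
PLAINTEXTS = [0x41545441, 0x434B2041, 0x54204441]    # "ATTA", "CK A", "T DA" as 32-bit words
PAIRS = [(p, double_encrypt(SECRET_K1, SECRET_K2, p)) for p in PLAINTEXTS]

if __name__ == "__main__":
    k1, k2 = meet_in_the_middle(PAIRS)
    print(hex(k1), hex(k2))                   # 0x1234 0xbeef
```

Scale the numbers to DES: the forward table holds 2^56 entries and the attack costs about 2^57 operations, which is far from free, but it is nowhere near the 2^112 that the 112-bit double-DES key suggests. Triple DES with three keys moves the meeting point so that the attack costs about 2^112, which is the "112 bits of effective strength" quoted above.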
Known key
The term "known key attack" is misleading: if the cryptanalyst knows the key, the attack is over. Known key means the cryptanalyst knows something about the key, to reduce the efforts used to attack it. If the cryptanalyst knows that the key is an uppercase letter and a number only, other characters may be omitted in the attack.
Differential cryptanalysis
Differential cryptanalysis seeks to find the "difference" between related plaintexts that are encrypted. The plaintexts may differ by a few bits. It is usually launched as an adaptive-chosen plaintext attack: the attacker chooses the plaintext to be encrypted (but does not know the key), then encrypts related plaintexts and studies how the differences propagate into the ciphertexts.
Linear cryptanalysis
Linear cryptanalysis is a known-plaintext attack where the cryptanalyst finds large amounts of plaintext/ciphertext pairs created with the same key. The pairs are studied to derive information about the key used to create them, by finding linear relations between plaintext, ciphertext, and key bits that hold with a probability noticeably different from one half. Both differential and linear analyses can be combined as differential-linear analysis.
Side-channel attacks
Side-channel attacks use physical data to break a cryptosystem, such as monitoring CPU cycles or power consumption used while encrypting or decrypting. Timing (including cache timing), electromagnetic emanation, and acoustic leakage are further side channels. The defense lies in the implementation rather than the algorithm: constant-time code that neither branches nor indexes memory on secret data, and hardware that masks its power draw.
IMPLEMENTING CRYPTOGRAPHY
Symmetric, asymmetric, and hash-based cryptography do not exist in a vacuum: they are applied in the real world, often in combination, to provide confidentiality, integrity, authentication, and nonrepudiation.
Digital signatures
Digital signatures are used to cryptographically sign documents. Digital signatures provide nonrepudiation, which includes authentication of the identity of the signer, and proof of the document's integrity (proving the document did not change). This means the sender cannot later deny (or repudiate) signing the document.
Roy wants to send a digitally signed email to Rick. Roy writes the email, which is the plaintext. He then uses the SHA-1 hash function to generate a hash value of the plaintext. He then creates the digital signature by "encrypting" the hash with his RSA private key: the private-key operation is applied to the (padded) hash, which is why the exam and much of the literature describe it as encryption. Figure 5.1 shows this process. Roy then attaches the signature to his plaintext email and hits send.
FIGURE 5.1 Creating a digital signature.
Rick receives Roy's email and generates his own SHA-1 hash value of the plaintext email. Rick then "decrypts" the digital signature with Roy's RSA public key, recovering the SHA-1 hash Roy generated. Rick then compares his SHA-1 hash with Roy's. Figure 5.2 shows this process.
FIGURE 5.2 Verifying a digital signature.
If the two hashes match, Rick knows a number of things:
1. Roy's private key must have signed the email, and only Roy knows his private key. This authenticates Roy as the sender (as long as the private key has not been compromised: a stolen key signs just as convincingly).
2. The email did not change. This proves the integrity of the email.
If the hashes match, Roy cannot later deny having signed the email. This is nonrepudiation. If the hashes do not match, Rick knows either Roy did not send it or that the email's integrity was violated. SHA-1 appears in this example because it is the exam's reference algorithm; since practical SHA-1 collisions were demonstrated in 2017, new signatures should use SHA-256 or stronger.
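The Roy-and-Rick exchange, carried out in Python as an added example that is not the book's code. It uses textbook RSA with no padding and a deliberately tiny modulus (the product of two Mersenne primes, so no primality test is needed) and SHA-256 instead of SHA-1; a real implementation would use a 2048-bit or larger key and PKCS#1 padding from a vetted library, and the message is a constructed sample. The two sides are written as separate functions so the asymmetry is visible: `sign` needs the private exponent, `verify` only the public one.

```python
import hashlib

# Toy RSA key (illustration only). P and Q are Mersenne primes, so N is certainly a
# product of two primes; at about 92 bits it is breakable in seconds by factoring,
# whereas real keys are 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+ modular inverse)


def message_digest(message):
    """Hash first: the signature covers a fixed-size digest, not the message itself.
    Reducing the digest mod N stands in for the padding a real implementation applies
    so that the value fits the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_exponent=D, modulus=N):
    """Roy's side: the private-key operation on the digest (Figure 5.1)."""
    return pow(message_digest(message), private_exponent, modulus)


def verify(message, signature, public_exponent=E, modulus=N):
    """Rick's side: recover Roy's digest with the public key and compare it with a
    fresh digest of the message as received (Figure 5.2)."""
    recovered = pow(signature, public_exponent, modulus)
    return recovered == message_digest(message)


# Constructed sample message
MESSAGE = b"Rick, the meeting is moved to 10:00. Roy"

if __name__ == "__main__":
    signature = sign(MESSAGE)
    print(verify(MESSAGE, signature))                                          # True
    print(verify(b"Rick, the meeting is moved to 11:00. Roy", signature))      # False: altered
    print(verify(MESSAGE, signature + 1))                                      # False: forged
```

The two failing checks correspond to the two things Rick learns: a changed message no longer matches the recovered digest (integrity), and a signature not produced with Roy's private exponent cannot be turned back into the digest by his public exponent (authentication). Because anyone holding the public key can run `verify`, the signature provides no confidentiality.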
Public Key Infrastructure
Public Key Infrastructure (PKI) leverages all three forms of cryptography (asymmetric, symmetric, and hashing) to provide and manage digital certificates. A digital certificate is a public key, bound to the identity of its owner, and signed with the digital signature of the issuing authority. Digital certificates may be server-based or client-based. If the two are used together, they provide mutual authentication, and the authenticated keys are then used to set up an encrypted session. The standard digital certificate format is X.509.
Certificate Authorities and Organizational Registration Authorities
Digital certificates are issued by Certificate Authorities (CAs). Organizational Registration Authorities (ORAs) authenticate the identity of a certificate holder before a certificate is issued to them. An organization may act as a CA or ORA (or both).
Certificate Revocation Lists
The Certificate Authorities maintain Certificate Revocation Lists (CRLs), which, as the name implies, list certificates that have been revoked. A certificate may be revoked if the private key has been stolen, an employee is terminated, etc. A CRL is a flat file, signed by the CA, that every client must download in full, and it does not scale well. The Online Certificate Status Protocol (OCSP) is an alternative to CRLs that uses a client-server design that scales better: the client asks the CA's responder about one certificate and receives a signed answer. Either mechanism is only as good as the client's handling of failure; a client that treats an unreachable CRL or OCSP responder as "not revoked" (a soft fail) gains little from it.
Key management issues
Certificate Authorities issue digital certificates and distribute them to certificate holders. The confidentiality and integrity of the holder's private key must be assured during the distribution process; better still, the holder generates the key pair locally and sends only the public key to the CA, so the private key never travels at all.
Public/private key pairs used in PKI for encryption should be backed up centrally (and securely). Users may lose their private key as easily as they may forget their password. A lost private key that is not securely stored means that anything encrypted with the matching public key will be lost (short of the cryptanalysis described previously). Keys used only for digital signatures are the exception: there is nothing to recover with a signing key, and a central copy would undermine nonrepudiation, since the signer could then argue that someone else used it.
Note that key storage is different than key escrow. Key storage means the organization that issued the public/private key pairs retains a copy. Key escrow, as we will discuss shortly, means a copy is retained by a third-party organization (and sometimes multiple organizations), often for law enforcement purposes.
A retired key may not be used for new transactions, but may be used to decrypt previously encrypted plaintexts. A destroyed key no longer exists and cannot be used for any purpose.
SSL and TLS
Secure Sockets Layer (SSL) brought the power of PKI to the Web. SSL authenticates and provides confidentiality to Web traffic. Transport Layer Security (TLS) is the successor to SSL. They are commonly used as part of HTTPS (Hypertext Transfer Protocol Secure).
SSL was developed for the Netscape Web browser in the 1990s. SSL 2.0 was the first released version; SSL 3.0 fixed a number of security issues with version 2. TLS was based on SSL 3.0. TLS is very similar to that version, with some security improvements. Although typically used for HTTPS to secure Web traffic, TLS may be used for other applications such as Internet chat and email server-to-server or client access. Both SSL versions have since been prohibited by the IETF (SSL 2.0 in 2011, SSL 3.0 in 2015 after the POODLE attack), and TLS 1.0 and 1.1 were deprecated in 2021; servers should offer TLS 1.2 and 1.3 only.
IPsec
IPsec (Internet Protocol Security) is a suite of protocols that provide a cryptographic layer to both IPv4 and IPv6. It is one of the methods used to provide Virtual Private Networks (VPN), which allow you to send private data over an insecure network, such as the Internet (the data crosses a public network but is "virtually private"). IPsec includes two primary protocols: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH and ESP provide different and sometimes overlapping functionalities. Supporting IPsec protocols include Internet Security Association and Key Management Protocol (ISAKMP) and Internet Key Exchange (IKE).
AH and ESP
Authentication Header provides authentication and integrity for each packet of network data. AH provides no confidentiality; it acts as a digital signature for the packet (technically a keyed hash, an HMAC, computed with a key both ends share). AH also protects against replay attacks, where data is sniffed off a network and resent, often in an attempt to fraudulently reuse encrypted authentication credentials. Because AH authenticates the IP header, including the addresses, it does not survive Network Address Translation (NAT), which is one reason ESP is far more common in practice.
Encapsulating Security Payload primarily provides confidentiality by encrypting packet data. It may also optionally provide authentication and integrity (and anti-replay) for the encrypted payload, and it should: encryption without integrity protection leaves the traffic open to bit-flipping and padding attacks.
Security association and ISAKMP
AH and ESP may be used separately or in combination. An IPsec Security Association (SA) is a simplex (one-way) connection that holds the negotiated ESP or AH parameters: algorithms, keys, and lifetimes. If two systems communicate via ESP, they use two SAs (one for each direction). If the systems leverage AH in addition to ESP, they use two more SAs, for a total of four. A unique 32-bit number called the Security Parameter Index (SPI), carried in every AH or ESP header, identifies each simplex SA connection, so the receiver knows which keys and algorithms to apply. The Internet Security Association and Key Management Protocol (ISAKMP) provides the framework for the SA creation process.
Tunnel and transport mode
IPsec can be used in tunnel mode or transport mode. Tunnel mode is used by security gateways (which can provide point-to-point IPsec tunnels). ESP tunnel mode encrypts the entire original packet, including the original packet headers, and adds a new outer IP header addressed to the far gateway. ESP transport mode only encrypts the data (and not the original headers); this is commonly used when the sending and receiving systems can speak IPsec natively.
Crunch Time
AH authenticates the original IP headers, so it is often used (along with ESP) in transport mode because the original headers are not encrypted. Tunnel mode typically uses ESP alone (the original headers are encrypted, and thus protected, by ESP).
IKE
IPsec can use a variety of cryptographic algorithms, such as HMAC-MD5 or HMAC-SHA1 for integrity and Triple DES or AES for confidentiality. The Internet Key Exchange (IKE) negotiates the algorithm selection and generates the session keys, using Diffie-Hellman for key agreement and certificates or pre-shared keys to authenticate the peers. Two sides of an IPsec tunnel will typically use IKE to agree on the strongest proposal both sides are configured to accept, selecting AES over single DES for confidentiality if both sides support AES, for example. IKE chooses only among the proposals each administrator has configured, in the configured order of preference, so a weak algorithm left enabled on both sides can still be negotiated.
PGP
Pretty Good Privacy (PGP), created by Phil Zimmermann in 1991, brought asymmetric encryption to the masses. PGP provides the modern suite of cryptography: confidentiality, integrity, authentication, and nonrepudiation. It can be used to encrypt emails, documents, or an entire disk drive. PGP uses a "Web of trust" model to authenticate public keys, instead of relying on a central Certificate Authority (CA): users sign the keys of people whose identity they have verified, and trust keys that carry signatures from enough introducers they already trust.
S/MIME
MIME (Multipurpose Internet Mail Extensions) provides a standard way to format email, including character sets and attachments. S/MIME (Secure/MIME) leverages PKI to encrypt and authenticate MIME-encoded email. The client or the client's email server (called an S/MIME gateway) may perform the encryption.
Escrowed encryption
Escrowed encryption means a third-party organization holds a copy of a public/private key pair. The private key is often divided into two or more parts, each held in escrow by different trusted third-party organizations, which will only release their portion of the key with proper authorization, such as a court order. This provides separation of duties.
Clipper Chip
The Clipper Chip was the name of the technology used in the Escrowed Encryption Standard (EES), an effort announced in 1993 by the U.S. Government to deploy escrowed encryption in telecommunications devices. The effort created a media firestorm and was abandoned by 1996. The Clipper Chip used the Skipjack algorithm, a symmetric cipher that uses an 80-bit key. The algorithm was originally classified as secret; it was declassified in 1998.
B. Chosen plaintext
C. Chosen ciphertext
D. Linear cryptanalysis
3. Which of the following attacks analyzes large amounts of plaintext/ciphertext pairs created with the same key?
A. Known plaintext
B. Differential cryptanalysis
C. Linear cryptanalysis
D. Chosen plaintext
4. Which of the following is true for digital signatures?
A. The sender encrypts the hash with a public key
B. The sender encrypts the hash with a private key
C. The sender encrypts the plaintext with a public key
D. The sender encrypts the plaintext with a private key
5. Which of the following was not an AES finalist?
A. MARS
B. RC6
C. Serpent
D. Blowfish
ANSWERS
1. Correct answer and explanation: C. Answer C is correct; digital signatures require asymmetric encryption. ECC is the strongest asymmetric algorithm per bit of key length. This allows shorter key lengths that require less CPU resources.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. AES is a symmetric cipher; symmetric ciphers are not used in digital signatures. RSA is based on factoring composite numbers into their primes, and ElGamal is based on discrete logarithms. Both methods provide roughly the same strength per bit and are far weaker per bit than ECC.
2. Correct answer and explanation: C. Answer C is correct; chosen-ciphertext attacks are usually launched against asymmetric cryptosystems, where the attacker can submit ciphertexts of their choosing (anyone can produce them with the public key) and learn from how the holder of the private key decrypts them.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. None of these are primarily used against asymmetric encryption.
3. Correct answer and explanation: C. Answer C is correct; linear cryptanalysis analyzes large amounts of plaintext/ciphertext pairs created with the same key, trying to deduce information about the key.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Linear cryptanalysis is a known-plaintext attack, but the question references linear specifically, making "known plaintext attack" incorrect. Differential cryptanalysis seeks to find the "difference" between related plaintexts that are encrypted. A cryptanalyst chooses the plaintext to be encrypted during a chosen-plaintext attack.
4. Correct answer and explanation: B. Answer B is correct; the sender generates a hash of the plaintext and encrypts the hash with a private key. The recipient decrypts the hash with a public key.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. The sender encrypts the hash with the private key, not public. The plaintext is hashed and not encrypted.
5. Correct answer and explanation: D. Answer D is correct; Blowfish was not an AES finalist (Twofish, based on Blowfish, was).
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. MARS, RC6, and Serpent were all AES finalists.
2. Scott R. Blade Runner. Warner Bros; 1982.
Schneier B. Applied Cryptography. New York, NY: Wiley; 1996.
CHAPTER6
KEYWORDS
BellLapadula;CerticationandAccreditation;Hypervisor;Memory(RAM);
Referencemonitor;ReadOnlyMemory(ROM);TrustedComputerSystem
EvaluationCriteria(TCSEC);Virtualization
SecureOperatingSystemandSoftwareArchitecture
VirtualizationandDistributedComputing
SystemVulnerabilities,Threats,andCountermeasures
SecurityModels
EvaluationMethods,Certication,andAccreditation
Introduction
SecurityArchitectureandDesigndescribesfundamentallogicalhardware,
operatingsystem,andsoftwaresecuritycomponentsandhowtousethose
componentstodesign,architect,andevaluatesecurecomputersystems.
Understandingthesefundamentalissuesiscriticalforaninformationsecurity
professional.
SecurityArchitectureandDesignisathreepartdomain.Therstpartcovers
thehardwareandsoftwarerequiredtohaveasecurecomputersystem.The
secondpartcoversthelogicalmodelsrequiredtokeepthesystemsecure,and
thethirdpartcoversevaluationmodelsthatquantifyhowsecurethesystem
reallyis.
Layeringseparateshardwareandsoftwarefunctionalityintomodulartiers.
Thecomplexityofanissuesuchasreadingasectorfromadiskdriveis
containedtoonelayer(thehardwarelayerinthiscase).Onelayer(suchasthe
applicationlayer)isnotdirectlyaectedbyachangetoanother.
FastFacts
Agenericlistofsecurityarchitecturelayersisasfollows:
1.Hardware
2.Kernelanddevicedrivers
3.Operatingsystem
4.Applications
Abstraction
Abstractionhidesunnecessarydetailsfromtheuser.Complexityistheenemy
ofsecurity:themorecomplexaprocessis,thelesssecureitis.Thatsaid,
computersaretremendouslycomplexmachines.Abstractionprovidesaway
tomanagethatcomplexity.
Security domains
A security domain is the list of objects a subject is allowed to access. More broadly defined, domains are groups of subjects and objects with similar security requirements. Confidential, Secret, and Top Secret are three security domains used by the U.S. Department of Defense (DoD), for example.
The ring model
The ring model is a form of CPU hardware layering that separates and protects domains (such as kernel mode and user mode) from each other. Many CPUs, such as the Intel x86 family, have four rings, ranging from ring 0 (kernel) to ring 3 (user), shown in Figure 6.1. The innermost ring is the most trusted, and each successive outer ring is less trusted.
FIGURE 6.1 The ring model.
Processes communicate between the rings via system calls, which allow processes to communicate with the kernel and provide a window between the rings.
Fast Facts
The rings are (theoretically) used as follows:
Ring 0: Kernel
Ring 1: Other OS components that do not fit into ring 0
Ring 2: Device drivers
Ring 3: User applications
While x86 CPUs have four rings and can be used as described above, this usage is considered theoretical because most x86 operating systems, including Linux and Windows, use rings 0 and 3 only. A new mode called hypervisor mode (and informally called ring -1) allows virtual guests to operate in ring 0, controlled by the hypervisor one ring below. The Intel VT (Intel Virtualization Technology, aka Vanderpool) and AMD-V (AMD Virtualization, aka Pacifica) CPUs support a hypervisor.
The system unit is the computer's case: it contains all of the internal electronic computer components, including the motherboard, internal disk drives, and power supply. The motherboard contains hardware including the CPU, memory slots, firmware, and peripheral slots such as PCI (Peripheral Component Interconnect) slots. The keyboard unit is the external keyboard.
The computer bus
A computer bus, shown in Figure 6.2, is the primary communication channel on a computer system. Communication between the CPU, memory, and input/output devices such as keyboard, mouse, display, etc., occurs via the bus.
FIGURE 6.2 Simplified computer bus.
The CPU
The Central Processing Unit (CPU) is the "brains" of the computer, capable of controlling and performing mathematical calculations. Ultimately, everything a computer does is mathematical: adding numbers (which can be extended to subtraction, multiplication, division, etc.), performing logical operations, accessing memory locations by address, etc. CPUs are rated by the number of clock cycles per second. A 2.4 GHz Pentium 4 CPU has 2.4 billion clock cycles per second.
Arithmetic logic unit and control unit
The arithmetic logic unit (ALU) performs mathematical calculations: it computes. It is fed instructions by the control unit, which acts as a traffic cop, sending instructions to the ALU.
Fetch and execute
CPUs fetch machine language instructions (such as "add 1 + 1") and execute them (add the numbers, for an answer of 2). The fetch and execute (also called Fetch, Decode, Execute, or FDX) process actually takes four steps:
1. Fetch instruction 1
2. Decode instruction 1
3. Execute instruction 1
4. Write (save) result 1
These four steps take one clock cycle to complete.
Pipelining
Pipelining combines multiple steps into one combined process, allowing simultaneous fetch, decode, execute, and write steps for different instructions. Each part is called a pipeline stage; the pipeline depth is the number of simultaneous stages that may be completed at once.
Given our previous fetch and execute example of adding 1 + 1, a CPU without pipelining would have to wait an entire cycle before performing another computation. A four-stage pipeline can combine the stages of four other instructions:
1. Fetch instruction 1
2. Fetch instruction 2, decode instruction 1
3. Fetch instruction 3, decode instruction 2, execute instruction 1
4. Fetch instruction 4, decode instruction 3, execute instruction 2, write (save) result 1
5. Fetch instruction 5, decode instruction 4, execute instruction 3, write (save) result 2, etc.
Pipelining is like an automobile assembly line: instead of building one car at a time, from start to finish, lots of cars enter the assembly pipeline, and discrete phases (like installing the tires) occur on one car after another. This increases the throughput.
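An added example (not from the book) that reproduces the schedule listed above: it assumes each pipeline stage takes one clock tick, reports which instruction occupies each of the four stages in every cycle, and compares the total cycle count with and without pipelining.

```python
"""Simulate the four-stage fetch/decode/execute/write pipeline described above.

Added example, not the book's code. Assumption: each stage takes one clock
tick, so instruction i (1-based) is in stage k (0-based) during tick i + k.
"""
from typing import List, Tuple

STAGES = ("fetch", "decode", "execute", "write")  # the four FDX steps


def pipeline_schedule(n_instructions: int, stages=STAGES) -> List[List[Tuple[str, int]]]:
    """Return, for every clock cycle, the (stage, instruction) pairs active in it.

    In each cycle the stages hold consecutive instructions in reverse order,
    exactly as the numbered list in the text shows.
    """
    depth = len(stages)
    total = n_instructions + depth - 1       # the last instruction leaves the last stage
    cycles = []
    for cycle in range(1, total + 1):
        work = []
        for k, stage in enumerate(stages):
            instr = cycle - k
            if 1 <= instr <= n_instructions:
                work.append((stage, instr))
        cycles.append(work)
    return cycles


def cycles_without_pipelining(n_instructions: int, depth: int = len(STAGES)) -> int:
    """A non-pipelined CPU finishes all stages of one instruction before starting the next."""
    return n_instructions * depth


def cycles_with_pipelining(n_instructions: int, depth: int = len(STAGES)) -> int:
    """With pipelining only filling and draining the pipeline add overhead."""
    return n_instructions + depth - 1


def format_schedule(cycles: List[List[Tuple[str, int]]]) -> str:
    """Render the schedule in the same style as the numbered list in the text."""
    lines = []
    for i, work in enumerate(cycles, start=1):
        desc = ", ".join(f"{stage} instruction {n}" for stage, n in work)
        lines.append(f"{i}. {desc}")
    return "\n".join(lines)


if __name__ == "__main__":
    sched = pipeline_schedule(5)
    print(format_schedule(sched))
    print("non-pipelined cycles:", cycles_without_pipelining(5))
    print("pipelined cycles:", cycles_with_pipelining(5))
```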
Interrupts
An interrupt indicates that an asynchronous event has occurred. CPU interrupts are a form of hardware interrupt that cause the CPU to stop processing its current task, save the state, and begin processing a new request. When the new task is complete, the CPU will complete the prior task.
Processes and threads
A process is an executable program and its associated data loaded and running in memory. A heavyweight process (HWP) is also called a task. A parent process may spawn additional child processes called threads. A thread is a lightweight process (LWP). Threads are able to share memory, resulting in lower overhead compared to heavyweight processes.
Multitasking and multiprocessing
Applications run as processes in memory, comprised of executable code and data. Multitasking allows multiple tasks (heavyweight processes) to run simultaneously on one CPU. Older and simpler operating systems, such as MS-DOS, are non-multitasking: they run one process at a time. Most modern operating systems, such as Linux and Windows XP, support multitasking.
Exam Warning
Some sources refer to other terms related to multitasking, including multiprogramming and multithreading. Multiprogramming is multiple programs running simultaneously on one CPU; multitasking is multiple tasks (processes) running simultaneously on one CPU, and multithreading is multiple threads (lightweight processes) running simultaneously on one CPU.
Multiprogramming is an older form of multitasking; many sources use the two terms synonymously. This book will use the term multitasking to refer to multiple simultaneous processes on one CPU.
Multiprocessing has a fundamental difference from multitasking: it runs multiple processes on multiple CPUs. Two types of multiprocessing are Symmetric Multiprocessing (SMP) and Asymmetric Multiprocessing (AMP, some sources use ASMP). SMP systems have one operating system to manage all CPUs. AMP systems have one operating system image per CPU, essentially acting as independent systems.
CISC and RISC
CISC (Complex Instruction Set Computer) and RISC (Reduced Instruction Set Computer) are two forms of CPU design. CISC uses a large set of complex machine language instructions, while RISC uses a reduced set of simpler instructions. x86 CPUs (among many others) are CISC; ARM (used in many cell phones and PDAs), PowerPC, SPARC, and others are RISC.
Memory
Memory is a series of on/off switches representing bits: 0s (off) and 1s (on). Memory may be chip-based and disk-based or use other media such as tape. RAM is Random Access Memory: "random" means the CPU may randomly access (jump to) any location in memory. Sequential memory (such as tape) must sequentially read memory, beginning at offset zero to the desired portion of memory. Volatile memory (such as RAM) loses integrity after a power loss; nonvolatile memory (such as ROM, disk, or tape) maintains integrity without power.
Real (or primary) memory, such as RAM, is directly accessible by the CPU and is used to hold instructions and data for currently executing processes. Secondary memory, such as disk-based memory, is not directly accessible.
Cache memory
Cache memory is the fastest memory on the system, required to keep up with the CPU as it fetches and executes instructions. The data most frequently used by the CPU is stored in cache memory. The fastest portion of the CPU cache is the register file, which contains multiple registers. Registers are small storage locations used by the CPU to store instructions and data.
The next fastest form of cache memory is Level 1 cache, located on the CPU itself. Finally, Level 2 cache is connected to (but outside) the CPU. SRAM (Static Random Access Memory) is used for cache memory.
RAM and ROM
RAM is volatile memory used to hold instructions and data of currently running programs. It loses integrity after loss of power. RAM memory modules are installed into slots on the computer motherboard.
ROM (Read Only Memory) is nonvolatile: data stored in ROM maintains integrity after loss of power. A computer Basic Input Output System (BIOS) firmware is stored in ROM. While ROM is "read only," some types of ROM may be written to via flashing, as we will see shortly in Section Flash memory.
DRAM and SRAM
Static Random Access Memory (SRAM) is expensive and fast memory that uses small latches called flip-flops to store bits. Dynamic Random Access Memory (DRAM) stores bits in small capacitors (like small batteries) and is slower and cheaper than SRAM. The capacitors used by DRAM leak charge and must be continually refreshed to maintain integrity, typically every few to few hundred milliseconds, depending on the type of DRAM. Refreshing reads and writes the bits back to memory. SRAM does not require refreshing and maintains integrity as long as power is supplied.
Memory protection
Memory protection prevents one process from affecting the confidentiality, integrity, or availability of another. This is a requirement for secure multiuser (more than one user logged in simultaneously) and multitasking (more than one process running simultaneously) systems.
Process isolation
Process isolation is a logical control that attempts to prevent one process from interfering with another. This is a common feature among multiuser operating systems such as Linux, UNIX, or recent Microsoft Windows operating systems. Older operating systems such as MS-DOS provide no process isolation. A lack of process isolation means a crash in any MS-DOS application could crash the entire system.
Hardware segmentation
Hardware segmentation takes process isolation one step further by mapping processes to specific memory locations. This provides more security than (logical) process isolation alone.
Virtual memory
Virtual memory provides virtual address mapping between applications and hardware memory. Virtual memory provides many functions, including multitasking (multiple tasks executing at once on one CPU), allowing multiple processes to access the same shared library in memory, swapping, and others.
Swapping and paging
Swapping uses virtual memory to copy contents in primary memory (RAM) to or from secondary memory (not directly addressable by the CPU, on disk). Swap space is often a dedicated disk partition that is used to extend the amount of available memory. If the kernel attempts to access a page (a fixed-length block of memory) stored in swap space, a page fault occurs (an error that means the page is not located in RAM), and the page is swapped from disk to RAM.
Firmware
Firmware stores small programs that do not change frequently, such as a computer's BIOS (discussed below) or a router's operating system and saved configuration. Various types of ROM chips may store firmware, including PROM, EPROM, and EEPROM.
PROM (Programmable Read Only Memory) can be written to once, typically at the factory. EPROM (Erasable Programmable Read Only Memory) and EEPROM (Electrically Erasable Programmable Read Only Memory) may be "flashed," or erased and written to multiple times.
A Programmable Logic Device (PLD) is a field-programmable device, which means it is programmed after it leaves the factory. EPROMs, EEPROMs, and flash memory are examples of PLDs.
Flash memory
Flash memory (such as USB thumb drives) is a specific type of EEPROM used for small portable disk drives. The difference is any byte of an EEPROM may be written, while flash drives are written by (larger) sectors. This makes flash memory faster than EEPROMs, but still slower than magnetic disks.
BIOS
The IBM PC-compatible Basic Input Output System contains code in firmware that is executed when a PC is powered on. It first runs the Power-On Self-Test (POST), which performs basic tests, including verifying the integrity of the BIOS itself, testing the memory, and identifying system devices, among other tasks. Once the POST process is complete and successful, it locates the boot sector (for systems that boot off disks), which contains the machine code for the operating system kernel. The kernel then loads and executes, and the operating system boots up.
The kernel is the heart of the operating system, which usually runs in ring 0. It provides the interface between hardware and the rest of the operating system, including applications. When an IBM-compatible PC is started or rebooted, the BIOS locates the boot sector of a storage device such as a hard drive. That boot sector contains the beginning of the software kernel machine code, which is then executed. Kernels have two basic designs: monolithic and microkernel.
A monolithic kernel is compiled into one static executable and the entire kernel runs in supervisor mode. Microkernels are modular kernels. A microkernel is usually smaller and has less native functionality than a typical monolithic kernel, but can add functionality via loadable kernel modules.
Reference monitor
A core function of the kernel is running the reference monitor, which mediates all access between subjects and objects. It enforces the system's security policy, such as preventing a normal user from writing to a restricted file, such as the system password file.
Virtualization
Virtualization adds a software layer between an operating system and the underlying computer hardware. This allows multiple guest operating systems to run simultaneously on one physical host computer.
Hypervisor
The key to virtualization security is the hypervisor, which controls access between virtual guests and host hardware. A type 1 hypervisor (also called bare metal) is part of an operating system that runs directly on host hardware. A type 2 hypervisor runs as an application on a normal operating system, such as Windows 7.
Many virtualization exploits target the hypervisor, including hypervisor-controlled resources shared between host and guests, or guest and guest. These include cut and paste, shared drives, and shared network connections.
Virtualization security issues
Virtualization software is complex and relatively new. As discussed previously, complexity is the enemy of security: the sheer complexity of virtualization software may cause security problems.
Combining multiple guests onto one host may also raise security issues. Virtualization is no replacement for a firewall: never combine guests with different security requirements (such as DMZ and internal) onto one host.
The risk of virtualization escape (called VM Escape, where an attacker exploits the host OS or a guest from another guest) is a topic of recent research. Known virtualization escape bugs have been patched, but new issues may arise.
Many traditional network-based security tools, such as network intrusion detection systems and firewalls, can be blinded by virtualization.
Cloud computing
Public cloud computing outsources IT infrastructure, storage, or applications to a third-party provider. A cloud also implies geographic diversity of computer resources. The goal of cloud computing is to allow large providers to leverage their economies of scale to provide computing resources to other companies that typically pay for these services based on their usage.
Three commonly available levels of service provided by cloud providers are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). Infrastructure as a Service provides an entire virtualized operating system, which the customer configures from the OS on up. Platform as a Service provides a preconfigured service, such as a Web server supporting PHP, with a preconfigured back-end database. Finally, Software as a Service is completely configured, from the operating system to applications, and the customer simply uses the application. In all three cases, the cloud provider manages hardware, virtualization software, network, backups, etc. See Table 6.1 for typical examples of each.
Table 6.1
Example Cloud Service Levels
Type                                 Example
Infrastructure as a Service (IaaS)   Linux server hosting
Platform as a Service (PaaS)         Web service hosting
Software as a Service (SaaS)         Webmail
Private clouds house data for a single organization and may be operated by a third party or by the organization itself. Government clouds are designed to keep data and resources geographically contained within the borders of one country, designed for the government of the respective country.
Benefits of cloud computing include reduced upfront capital expenditure, reduced maintenance costs, robust levels of service, and overall operational cost savings.
From a security perspective, taking advantage of public cloud computing services requires strict service level agreements and an understanding of new sources of risk. One concern is multiple organizations' guests running on the same host. The compromise of one cloud customer could lead to compromise of other customers.
Organizations should also negotiate specific rights before signing a contract with a cloud computing provider. These rights include the right to audit, the right to conduct a vulnerability assessment, and the right to conduct a penetration test (both electronic and physical) of data and systems placed in the cloud.
Grid computing
Grid computing represents a distributed computing approach that attempts to achieve high computational performance by a nontraditional means. Rather than achieving high-performance computational needs by having large clusters of similar computing resources or a single high-performance system, such as a supercomputer, grid computing attempts to harness the computational resources of a large number of dissimilar devices.
Peer-to-peer
Peer-to-peer (P2P) networks alter the classic client/server computer model. Any system may act as a client, a server, or both, depending on the data needs. Decentralized peer-to-peer networks are resilient: there are no central servers that can be taken offline.
Thin clients
Thin clients are simpler than normal computer systems, with hard drives, full operating systems, locally installed applications, etc. They rely on central servers, which serve applications and store the associated data. Thin clients allow centralization of applications and their data, as well as the associated security costs of upgrades, patching, data storage, etc. Thin clients may be hardware-based (such as diskless workstations) or software-based (such as thin client applications).
may compromise system security. We will also discuss countermeasures or mitigating actions that reduce the associated risk.
Covert channels
A covert channel is any communication that violates security policy. Two specific types of covert channels are storage channels and timing channels. A storage channel example uses shared storage, such as a temporary directory, to allow two subjects to signal each other. A covert timing channel relies on the system clock to infer sensitive information.
Buffer overflows
Buffer overflows can occur when a programmer fails to perform bounds checking. Bytes beyond the allocated space will overwrite memory intended to store different data.
TOCTOU/race conditions
Time of Check/Time of Use (TOCTOU) attacks are also called race conditions: an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used.
Maintenance Hooks
Maintenance Hooks are a type of backdoor; they are shortcuts installed by system designers and programmers to allow developers to bypass normal system checks during development, such as requiring users to authenticate.
Malicious code (malware)
Malicious code or malware is the generic term for any type of software that attacks an application or system. There are many types of malicious code; viruses, worms, Trojans, and logic bombs can cause damage to targeted systems.
Zero-day exploits are malicious code (a threat) for which there is no vendor-supplied patch (meaning there is an unpatched vulnerability).
Computer viruses
Computer viruses are malware that does not spread automatically: they require a carrier (usually a human).
Fast Facts
Types of viruses include:
Macro virus: virus written in macro language (such as Microsoft Office or Microsoft Excel macros)
Boot sector virus: virus that infects the boot sector of a PC, which ensures that the virus loads upon system startup
Polymorphic virus: a virus that changes its code upon infection of a new system, attempting to evade signature-based antivirus software
Multipartite virus: a virus that spreads via multiple vectors. Also called multipart virus.
Worms
Worms are malware that self-propagates (spreads independently). Worms typically cause damage two ways: first by the malicious code they carry; the second type of damage is loss of network availability due to aggressive self-propagation.
Trojans
A Trojan (also called a Trojan horse) is malware that performs two functions: one benign (such as a game) and one malicious. The term derives from the Trojan horse described in Virgil's poem The Aeneid.
Rootkits
A rootkit is malware that replaces portions of the kernel and/or operating system. A user-mode rootkit operates in ring 3 on most systems, replacing operating system components in userland.
A kernel-mode rootkit replaces the kernel or loads malicious loadable kernel modules. Kernel-mode rootkits operate in ring 0 on most operating systems.
Web architecture and attacks
The World Wide Web of 10 years ago was a simpler Web: most Web pages were static, rendered in HTML. The advent of Web 2.0, with dynamic content, multimedia, and user-created data, has increased the attack surface of the Web: creating more attack vectors.
Applets
Applets are small pieces of mobile code that are embedded in other software such as Web browsers. Unlike HTML (HyperText Markup Language), which provides a way to display content, applets are executables. The primary security concern is that applets are downloaded from servers and then run locally. Malicious applets may be able to compromise the security of the client.
Applets can be written in a variety of programming languages; two prominent applet languages are Java (by Oracle/Sun Microsystems) and ActiveX (by Microsoft). The term "applet" is used for Java, and "control" for ActiveX, though they are functionally similar.
Java
Java is an object-oriented language used not only to write applets but also as a general-purpose programming language. Java bytecode is platform-independent: it is interpreted by the Java virtual machine (JVM).
Java applets run in a sandbox, which segregates the code from the operating system. The sandbox is designed to prevent an attacker who is able to compromise a Java applet from accessing system files, such as the password file.
ActiveX
ActiveX controls are the functional equivalent of Java applets. They use digital certificates instead of a sandbox to provide security. Unlike Java, ActiveX is a Microsoft technology that works on Microsoft Windows operating systems only.
OWASP
The Open Web Application Security Project (OWASP; see http://www.owasp.org) represents one of the best application security resources. OWASP provides a tremendous number of free resources dedicated to improving organizations' application security posture. One of their best known projects is the OWASP Top 10 project, which provides consensus guidance on what are considered to be the ten most significant application security risks. The OWASP Top 10 is available at https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
In addition to the wealth of information about application security threats, vulnerabilities, and defenses, OWASP also maintains a number of security tools available for free download, including two leading interception proxies: WebScarab and ZAP, the Zed Attack Proxy.
XML and SAML
XML (Extensible Markup Language) is a markup language designed as a standard way to encode documents and data. XML is similar to, but more universal than, HTML. XML is used on the Web, but is not tied to it: XML can be used to store application configuration, output from auditing tools, and many other uses. "Extensible" means users may use XML to define their own data formats.
Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security information, including authentication data. One goal of SAML is to enable Web single sign-on (SSO) at an Internet scale.
Service-Oriented Architecture
Service-Oriented Architecture (SOA) attempts to reduce application architecture down to a functional unit of a service. SOA is intended to allow multiple heterogeneous applications to be consumers of services. The service can be used and reused throughout an organization rather than built within each individual application that needs the functionality offered by the service.
Services are expected to be platform-independent and able to be called in a generic way not dependent upon a particular programming language. The intent is that any application may leverage the service simply by using standard means available within its programming language of choice. Services are typically published in some form of a directory that provides details about how the service can be used and what the service provides.
Though Web services are not the only example, they are the most common example provided for the SOA model. XML or JSON (JavaScript Object Notation) is commonly used for the underlying data structures of Web services, SOAP (originally an acronym for Simple Object Access Protocol, but now simply SOAP) or REST (Representational State Transfer) provides the connectivity, and the WSDL (Web Services Description Language) provides details about how the Web services are to be invoked.
Mobile device attacks
A recent information security challenge is mobile devices ranging from USB flash drives to laptops that are infected with malware outside of a security perimeter and then carried into an organization. Traditional network-based protection, such as firewalls and intrusion detection systems, is powerless to prevent the initial attack.
Mobile device defenses
Defenses include policy administrative controls such as restricting the use of mobile devices via policy. Technical controls to mitigate infected mobile computers include requiring authentication at OSI model layer 2 via 802.1X. 802.1X authentication may be bundled with additional security functionality, such as verification of current patches and antivirus signatures.
Another mobile device security concern is the loss or theft of a mobile device, which threatens confidentiality, integrity, and availability of the device and the data that resides on it. Backups can assure the availability and integrity of mobile data.
Full disk encryption (also known as whole disk encryption) should be used to ensure the confidentiality of mobile device data.
Remote wipe capability is another critical control, which describes the ability to erase (and sometimes disable) a mobile device that is lost or stolen.
Database security
Databases present unique security challenges. The sheer amount of data that may be housed in a database requires special security consideration. The logical connections database users may make by creating, viewing, and comparing records may lead to inference and aggregation attacks, requiring database security precautions such as inference controls and polyinstantiation.
Polyinstantiation
Polyinstantiation allows two different objects to have the same name. The name is based on the Latin roots for multiple (poly) and instances (instantiation). Database polyinstantiation means two rows may have the same primary key, but different data.
Inference and aggregation
Inference and aggregation occur when a user is able to use lower-level access to learn restricted information. These issues occur in multiple realms, including database security.
Inference requires deduction: there is a mystery to be solved, and lower-level details provide the clues. Aggregation is a mathematical process: a user asks every question, receives every answer, and derives restricted information.
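An added example (not from the book) of a polyinstantiated multilevel table, serving the polyinstantiation and inference sections above: the same primary key holds one row per classification, and a low-clearance insert is accepted rather than rejected so that the user cannot infer that a higher-classified row with that key already exists. The ship name, cargo values and level names are constructed sample data.

```python
"""Polyinstantiated table: two rows share a primary key but differ by classification.

Added example, not the book's code. It shows the inference problem that
polyinstantiation closes: refusing a low-clearance insert because a higher
row with the same key exists would reveal that the key exists.
"""
from typing import Dict, List, Optional

# Constructed sample hierarchy; higher number = higher classification.
LEVELS = {"Unclassified": 0, "Secret": 1, "Top Secret": 2}


class MultilevelTable:
    def __init__(self) -> None:
        # primary key -> {classification: row}; one key may appear at several levels
        self._rows: Dict[str, Dict[str, dict]] = {}

    def insert(self, clearance: str, key: str, data: dict) -> str:
        """Insert a row labelled with the user's own clearance.

        If the key exists only at levels above the user, the insert is still
        accepted (polyinstantiation); rejecting it would be an inference leak.
        Only a duplicate at the user's own level, which the user can see, is refused.
        """
        levels = self._rows.setdefault(key, {})
        if clearance in levels:
            return "REJECT duplicate at own level"
        levels[clearance] = dict(data, classification=clearance)
        return "OK"

    def select(self, clearance: str, key: str) -> Optional[dict]:
        """Return the highest-classified row for key that the clearance dominates."""
        visible = [lvl for lvl in self._rows.get(key, {})
                   if LEVELS[lvl] <= LEVELS[clearance]]
        if not visible:
            return None          # the key looks absent to this user
        best = max(visible, key=LEVELS.__getitem__)
        return self._rows[key][best]

    def select_all(self, clearance: str) -> List[dict]:
        """Every row this clearance may see, one per key, highest visible level wins."""
        rows = [self.select(clearance, k) for k in sorted(self._rows)]
        return [r for r in rows if r is not None]


if __name__ == "__main__":
    table = MultilevelTable()
    print(table.insert("Top Secret", "Enterprise", {"cargo": "missiles"}))
    print(table.select("Secret", "Enterprise"))                       # None: nothing to infer
    print(table.insert("Secret", "Enterprise", {"cargo": "supplies"}))  # OK, polyinstantiated
    print(table.select("Secret", "Enterprise"))
    print(table.select("Top Secret", "Enterprise"))
```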
SECURITY MODELS
Now that we understand the logical, hardware, and software components required to have secure systems, and the risk posed to those systems by vulnerabilities and threats, security models provide rules for securely operating those systems.
Bell-LaPadula model
The Bell-LaPadula model was originally developed for the U.S. Department of Defense. It is focused on maintaining the confidentiality of objects. Protecting confidentiality means not allowing users at a lower security level to access objects at a higher security level.
Fast Facts
Bell-LaPadula includes the following rules and properties:
Simple Security Property: "no read up": a subject at a specific classification level cannot read an object at a higher classification level. Subjects with a Secret clearance cannot access Top Secret objects, for example.
* Security Property: "no write down": a subject at a higher classification level cannot write to a lower classification level. For example, subjects who are logged into a Top Secret system cannot send emails to a Secret system.
Strong Tranquility Property: security labels will not change while the system is operating.
Weak Tranquility Property: security labels will not change in a way that conflicts with defined security properties.
Lattice-based access control allows security controls for complex environments. For every relationship between a subject and an object, there are defined upper and lower access limits implemented by the system. This lattice, which allows reaching higher and lower data classification, depends on the need of the subject, the label of the object, and the role the subject has been assigned. Subjects have a Least Upper Bound (LUB) and Greatest Lower Bound (GLB) of access to the objects based on their lattice position.
Integrity models
Models such as Bell-LaPadula focus on confidentiality, sometimes at the expense of integrity. The Bell-LaPadula "no write down" rule means subjects can write up: a Secret subject can write to a Top Secret object. What if the Secret subject writes erroneous information to a Top Secret object? Integrity models such as Biba address this issue.
Biba model
While many governments are primarily concerned with confidentiality, most businesses desire to ensure that the integrity of the information is protected at the highest level. Biba is the model of choice when integrity protection is vital.
Fast Facts
The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom:
Simple Integrity Axiom: "no read down": a subject at a specific classification level cannot read data at a lower classification. This prevents subjects from accessing information at a lower integrity level. This protects integrity by preventing bad information from moving up from lower integrity levels.
* Integrity Axiom: "no write up": a subject at a specific classification level cannot write data to a higher classification. This prevents subjects from passing information up to a higher integrity level than they have clearance to change. This protects integrity by preventing bad information from moving up to higher integrity levels.
Biba is often used where integrity is more important than confidentiality. Examples include time- and location-based information.
Did You Know?
Biba takes the Bell-LaPadula rules and reverses them, showing how confidentiality and integrity are often at odds. If you understand Bell-LaPadula (no read up; no write down), you can extrapolate Biba by reversing the rules: no read down; no write up.
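The following is an added example, not the book's code, that serves the Bell-LaPadula, lattice and Biba sections above: labels are (level, compartments) pairs, dominance, LUB and GLB follow the lattice definitions, and the reference monitor shows that Biba is Bell-LaPadula with the read and write checks reversed. The level names and the compartments NUKE and CRYPTO are constructed sample values.

```python
"""Lattice-based reference monitor enforcing Bell-LaPadula and Biba.

Added example, not from the book. A label dominates another when its level is
higher or equal AND its compartment set is a superset; LUB and GLB are the
join and meet of that partial order. Sample levels/compartments are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, FrozenSet

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def lub(a: Label, b: Label) -> Label:
    """Least Upper Bound: the lowest label that dominates both a and b."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest Lower Bound: the highest label dominated by both a and b."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)        # simple security property
    if op == "write":
        return obj.dominates(subject)        # * (star) security property
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down, no write up -- BLP with the rules reversed."""
    if op == "read":
        return obj.dominates(subject)        # simple integrity axiom
    if op == "write":
        return subject.dominates(obj)        # * integrity axiom
    raise ValueError(f"unknown operation {op!r}")


def reference_monitor(policy: Callable[[Label, Label, str], bool],
                      subject: Label, obj: Label, op: str) -> str:
    """Mediate one access and return an audit-style decision line."""
    decision = "ALLOW" if policy(subject, obj, op) else "DENY"
    return f"{decision} {op} subject={subject.level} object={obj.level}"


if __name__ == "__main__":
    secret = Label("Secret", frozenset({"NUKE"}))
    top_secret = Label("Top Secret", frozenset({"NUKE", "CRYPTO"}))
    for policy in (blp_allows, biba_allows):
        for op in ("read", "write"):
            print(policy.__name__, reference_monitor(policy, secret, top_secret, op))
```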
Clark-Wilson
Clark-Wilson is a real-world integrity model that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject. Clark-Wilson uses two primary concepts to ensure that security policy is enforced: well-formed transactions and separation of duties. The concept of well-formed transactions provides integrity. The process is comprised of the "access control triple": user, transformation procedure, and constrained data item.
Chinese Wall model
The Chinese Wall model (also known as Brewer-Nash) is designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs).
Access control matrix
An access control matrix is a table defining what access permissions exist between specific subjects and objects. A matrix is a data structure that acts as a table lookup for the operating system. The rows of the table show the capabilities of each subject; each row is called a capability list. The columns of the table show the ACL for each object or application.
The National Computer Security Center (NCSC), part of the National Institute of Standards and Technology (NIST), with help from the National Security Agency (NSA), developed the Trusted Computer System Evaluation Criteria (TCSEC), which is also known as the Orange Book. It was one of the first security standards implemented, and major portions of those standards are still used today in the form of U.S. Government Protection Profiles within the International Common Criteria framework.
Fast Facts
The divisions of TCSEC:
D: Minimal protection. This division describes TCSEC-evaluated systems that do not meet the requirements of higher divisions (C through A).
C: Discretionary protection. "Discretionary" means discretionary access control systems (DAC).
B: Mandatory protection. "Mandatory" means mandatory access control systems (MAC).
A: Verified protection. Includes all requirements of B, plus additional controls.
ITSEC
The European Information Technology Security Evaluation Criteria (ITSEC) was the first successful international evaluation model. It refers to TCSEC Orange Book levels, separating functionality (F, how well a system works) from assurance (the ability to evaluate the security of a system). There are two types of assurance: effectiveness (Q) and correctness (E).
Assurance correctness ratings range from E0 (inadequate) to E6 (formal model of security policy); functionality ratings include TCSEC-equivalent ratings (F-C1, F-C2, etc.).
Fast Facts
The equivalent ITSEC/TCSEC ratings are:
E0: D
F-C1, E1: C1
F-C2, E2: C2
F-B1, E3: B1
F-B2, E4: B2
F-B3, E5: B3
F-B3, E6: A1
The International Common Criteria is an internationally agreed-upon standard for describing and testing the security of IT products. It presents a hierarchy of requirements for a range of classifications and systems.
Crunch Time
The Common Criteria uses specific terms when defining specific portions of the testing process:
Target of Evaluation (TOE): the system or product that is being evaluated
Security Target (ST): the documentation describing the TOE, including the security requirements and operational environment
Protection Profile (PP): an independent set of security requirements and objectives for a specific category of products or systems, such as firewalls or intrusion detection systems
Evaluation Assurance Level (EAL): the evaluation score of the tested product or system
Levels of evaluation
Within the Common Criteria, there are seven EALs, each building upon the previous level. For example, EAL3-rated products can be expected to meet or exceed the requirements of products rated EAL1 or EAL2.
Fast Facts
The Common Criteria levels are:
EAL1: Functionally tested
EAL2: Structurally tested
EAL3: Methodically tested and checked
EAL4: Methodically designed, tested, and reviewed
EAL5: Semiformally designed and tested
EAL6: Semiformally verified, designed, and tested
EAL7: Formally verified, designed, and tested
[2] The Common Criteria for Information Security Technology. http://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R3.pdf [accessed June 26, 2013].
PCI-DSS
ThePaymentCardIndustryDataSecurityStandard(PCIDSS)isasecurity
standardcreatedbythePaymentCardIndustrySecurityStandardsCouncil
(PCISSC).ThecounciliscomprisedofAmericanExpress,Discover,Master
Card,Visa,andothers.PCIDSSseekstoprotectcreditcardsbyrequiring
vendorsusingthemtotakespecicsecurityprecautions.
Certification and Accreditation
Certicationmeansasystemhasbeencertiedtomeetthesecurity
requirementsofthedataowner.Certicationconsidersthesystem,the
securitymeasurestakentoprotectthesystem,andtheresidualrisk
representedbythesystem.Accreditationisthedataownersacceptanceofthe
Certication,andoftheresidualrisk,requiredbeforethesystemisputinto
production.
Oncebuilt,welearnedwaystosecurelyoperatethesystem,includingmodes
suchastheBellLaPadulacondentialitymodelandtheBibaintegritymodel,
aswellasmodesofoperationincludingdedicated,systemhigh,
compartmented,andmultilevelsecure.Finally,welearnedofwaysto
determineassurance:proofthatoursystemsreallyaresecure.Evaluation
modelsrangedfromTCSEC,toITSEC,totheCommonCriteria,andbeyond.
4. What type of system runs multiple programs simultaneously on multiple CPUs?
A. Multiprocessing
B. Multiprogramming
C. Multitasking
D. Multithreading
5. An attacker deduces that an organization is holding an offsite meeting and has few people in the building, based on the low traffic volume to and from the parking lot, and uses the opportunity to break into the building to steal laptops. What type of attack has been launched?
A. Aggregation
B. Emanations
C. Inference
D. Maintenance Hook
ANSWERS
1. Correct answer and explanation: D. Answer D is correct; SRAM (Static Random Access Memory) is fast and expensive, often used for cache memory including CPU registers.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. DRAM is slower and less expensive than SRAM, often used as main RAM. Firmware is a technology used by PLDs such as EEPROMs. Read Only Memory is a type of firmware, providing nonvolatile memory for uses such as the BIOS.
2. Correct answer and explanation: C. Answer C is correct; IaaS (Infrastructure as a Service) provides an entire virtualized operating system, which the customer configures from the OS on up.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. LaaS is a distracter answer. SaaS (Software as a Service) is completely configured, from the operating system to applications, and the customer simply uses the application. PaaS (Platform as a Service) provides a preconfigured operating system, and the customer configures the applications.
3. Correct answer and explanation: C. Answer C is correct; layering means a change in one layer (hardware) has no direct effect on a nonadjacent layer (application).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Abstraction hides unnecessary details from the user, which is related to (but different from) layering. Hardware segmentation provides dedicated hardware or portions of hardware to specific security domains. Process isolation prevents one process from affecting the confidentiality, integrity, or availability of another.
4. Correct answer and explanation: A. Answer A is correct; multiprocessing systems run multiple programs or processes per CPU. Two types are Symmetric Multiprocessing (SMP) and Asymmetric Multiprocessing (AMP).
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. All use one CPU. Multiprogramming runs multiple programs simultaneously on one CPU; multitasking runs multiple tasks simultaneously on one CPU, and multithreading runs multiple threads simultaneously on one CPU.
5. Correct answer and explanation: C. Answer C is correct; inference requires an attacker to fill in the blanks, and deduce sensitive information from public information.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Aggregation is a mathematical operation where all questions are asked and all answers are received: there is no deduction required. Emanations are energy broadcast from electronic equipment. Maintenance hooks are system maintenance backdoors left by vendors.
1. Information Technology Security Evaluation Criteria (ITSEC): Provisional Harmonised Criteria. http://www.ssi.gouv.fr/site_documents/ITSEC/ITSEC-uk.pdf [accessed June 26, 2013].
CHAPTER 7
KEYWORDS
Collusion; Subject; Object; Label; Full backup; Incremental backup; Differential backup; Clearance; Remanence; Redundant Array of Inexpensive Disks (RAID); Mirroring; Striping
Incident Response Management
Introduction
Operations security is concerned with threats to a production operating environment. Threat agents can be internal or external actors, and operations security must account for both of these threat sources in order to be effective. Operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.
ADMINISTRATIVE SECURITY
A fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative security provides the means to control people's operational access to data.
Labels
Objects have labels and subjects have clearances. The object labels used by many world governments are confidential, secret, and top secret. According to Executive Order 12356, National Security Information,
"top secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security.
"secret" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security.
"confidential" shall be applied to information, the unauthorized disclosure of which reasonably could be expected to cause damage to the national security.
Private sector companies use labels such as "Internal Use Only" and "Company Proprietary."
Clearance
A clearance is a determination concerning whether or not a user can be trusted with a specific level of information. Clearances must determine the subject's current and potential future trustworthiness; the latter is harder (and more expensive) to assess. Are there any issues, such as debt or drug or alcohol abuse, which could lead an otherwise ethical person to violate their ethics? Is there a personal secret that could be used to blackmail this person? Some higher level clearances include access to compartmented information. Compartmentalization is a technical method for enforcing need to know.
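To make the relationship between object labels, subject clearances, and compartments concrete, here is an added example (not code from the book) that decides whether a subject's clearance dominates an object's label: the clearance level must be at least the label level, and the subject must hold every compartment the object is marked with, which is how compartmentalization enforces need to know. The level ordering, the compartment names, the sample subjects and objects, and the function names are all assumptions.

```python
"""Clearance-versus-label check with compartments.

Added example, not from the book. A subject may read an object only when the
subject's clearance level is at least the object's label level AND the
subject holds every compartment the object is marked with (need to know).
The level ordering and the sample compartment names are assumptions.
"""
from dataclasses import dataclass

# Ordering assumed from the Executive Order 12356 definitions quoted above:
# greater expected damage from disclosure means a higher level.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification level plus zero or more compartments.

    Used both for object labels and for subject clearances."""
    level: str
    compartments: frozenset = frozenset()


def dominates(clearance: Label, label: Label) -> bool:
    """True if `clearance` dominates `label`, i.e. read access may be granted."""
    if clearance.level not in LEVELS or label.level not in LEVELS:
        raise ValueError("unknown classification level")
    level_ok = LEVELS[clearance.level] >= LEVELS[label.level]
    # Compartments enforce need to know: a top secret clearance without the
    # object's compartment still does not dominate a compartmented label.
    compartments_ok = label.compartments <= clearance.compartments
    return level_ok and compartments_ok


def access_matrix(clearances: dict, labels: dict) -> dict:
    """Evaluate every (subject, object) pair; returns {(subject, object): bool}."""
    return {(s, o): dominates(c, l)
            for s, c in clearances.items()
            for o, l in labels.items()}


# Constructed sample subjects and objects; the compartment name is made up.
SAMPLE_CLEARANCES = {
    "alice": Label("top secret", frozenset({"ALPHA"})),
    "bob": Label("secret"),
    "carol": Label("confidential"),
}
SAMPLE_LABELS = {
    "project-plan": Label("top secret", frozenset({"ALPHA"})),
    "budget": Label("secret"),
    "memo": Label("confidential", frozenset({"ALPHA"})),
}

if __name__ == "__main__":
    for (subject, obj), allowed in access_matrix(SAMPLE_CLEARANCES, SAMPLE_LABELS).items():
        print(f"{subject:6} -> {obj:13}: {'allow' if allowed else 'deny'}")
```

Note the "bob" versus "memo" case: a secret clearance outranks a confidential label, yet access is still denied because the memo carries a compartment bob does not hold. That is the difference between a pure level comparison and need to know.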
Separation of duties
Separation of duties (also called segregation of duties) allows an organization to maintain checks and balances among the employees with privileged access. By having more than one individual perform part of a sensitive transaction, each person involved is supervising the other when access is granted and used. No one person should have total control of a sensitive transaction. As the role becomes more sensitive, separation of duties should be implemented more stringently. For example, administration of a nuclear weapons system should require many people's oversight and completion of duties.
Rotation of duties
Rotation of duties describes a process that requires different staff members to perform the same duty. By rotating those staff members, the organization protects itself by having these varying staff members perform and review the work of their peers who performed the same work during the last rotation. Rotation of duties helps mitigate collusion, where two or more people work to subvert the security of a system. Rotation of duties can serve as either a detective or deterrent control: the fear of being caught may deter someone from committing fraud; the rotation may detect fraud that has already occurred.
Mandatory leave/forced vacation
An additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation. Though there are various justifications for requiring employees to be away from work, the primary security considerations are similar to those addressed by rotation of duties: reducing or detecting personnel single points of failure, and detection and deterrence of fraud.
Nondisclosure agreement
A nondisclosure agreement (NDA) is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information. Job candidates, consultants, or contractors often sign nondisclosure agreements before they are hired. Nondisclosure agreements are largely a directive control.
Background checks
Background checks (also known as background investigations or preemployment screening) are an additional directive control. The majority of background investigations are performed as part of a preemployment screening process. Some organizations perform cursory background investigations that include a criminal record check. Others perform more in-depth checks, such as verifying employment history, obtaining credit reports, and in some cases requiring the submission of a drug screening.
Sensitive information requires protection, and that information physically resides on some form of media. In addition to primary storage, backup storage must also be considered. It is also likely that sensitive information is transferred, whether internally or externally, for use. Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed (a breach of confidentiality), or altered (a breach of integrity).
Labeling/marking
Perhaps the most important step in media security is the process of locating sensitive information and labeling or marking it as sensitive. How the data is labeled should correspond to the organizational data classification scheme.
Handling
People handling sensitive media should be trusted individuals who have been vetted by the organization. They must understand their role in the organization's information security posture. Sensitive media should have strict policies regarding its handling. Policies should require the inclusion of written logs detailing the person responsible for the media. Historically, backup media has posed a significant problem for organizations.
Storage
When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues. Physical storage of the media containing sensitive information should not be performed in a haphazard fashion, whether the data is encrypted or not.
Retention
Media and information have a limited useful life. Retention of sensitive information should not persist beyond the period of usefulness or legal requirement (whichever is greater), as it needlessly exposes the data to threats of disclosure when the data is no longer needed by the organization. Keep in mind there may be regulatory or other legal reasons that may compel the organization to maintain such data beyond its time of utility.
Media sanitization or destruction of data
While some data might not be sensitive and not warrant thorough data destruction measures, an organization will have data that must be verifiably destroyed or otherwise rendered nonusable in case the media on which it was housed is recovered by a third party. The process for sanitization of media or destruction of data varies directly with the type of media and sensitivity of data.
Data remanence
Data remanence is data that persists beyond noninvasive means to delete it. Though data remanence is sometimes used specifically to refer to residual data that persists on magnetic storage, remanence concerns go beyond just that of magnetic storage media.
Wiping, overwriting, or shredding
In most file systems, if a user deletes a file, the file system merely removes metadata pointers or references to the file. The file allocation table references are removed, but the file data itself remains. Significant amounts of deleted data may be recovered (undeleted); forensic tools are readily available to do so. Reformatting a file system may also leave data intact.
Though simple deletion of files or reformatting of hard disks is not sufficient to render data unrecoverable, files may be securely wiped or overwritten. Wiping, also called overwriting or shredding, writes new data over each bit or block of file data. One of the shortcomings of wiping is when hard disks become physically damaged, preventing the successful overwriting of all data.
Degaussing
By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable. A degausser destroys the integrity of the magnetization of the storage media itself, making the data unrecoverable.
Physical destruction
Physical destruction, when carried out properly, is considered the most secure means of media sanitization. One of the reasons for the higher degree of assurance is the greater likelihood of errors resulting in data remanence with wiping or degaussing. Physical destruction is warranted for the most sensitive of data. Common means of destruction include incineration and pulverization.
Shredding
A simple form of media sanitization is shredding, a type of physical destruction. Though this term is sometimes used in relation to overwriting of data, here shredding refers to the process of making data printed on hard copy, or on smaller objects such as floppy or optical disks, unrecoverable. Sensitive information such as printed information needs to be shredded prior to disposal in order to thwart a dumpster diving attack. Dumpster diving is a physical attack in which a person recovers trash in hopes of finding sensitive information that has not been securely erased or destroyed.
ASSET MANAGEMENT
A holistic approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operations security, and there are specific controls that can greatly help system security throughout the system's life cycle.
Configuration management
Basic configuration management practices associated with system security will involve tasks such as disabling unnecessary services; removing extraneous programs; enabling security capabilities such as firewalls, antivirus, and intrusion detection or prevention systems; and configuring security and audit logs.
Baselining
Security baselining is the process of capturing a point-in-time understanding of the current system security configuration. Establishing an easy means for capturing the current system security configuration can be extremely helpful in responding to a potential security incident.
Vulnerability management
Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information. The remediation or mitigation of vulnerabilities should be prioritized based on both risk to the organization and ease of remediation procedures.
Zero-day vulnerabilities and zero-day exploits
A zero-day vulnerability is a vulnerability that is known before the existence of a patch. Zero-day vulnerabilities, also commonly written 0day, are becoming increasingly important as attackers are becoming more skilled in discovery, and disclosure of zero-day vulnerabilities is being monetized. A zero-day exploit, rather than vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be patched.
Change management
In order to maintain consistent and known operations security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.
Fast Facts
Because of the variability of the change management process, specific named phases have not been offered in this section. However, the general flow of the change management process includes:
Identifying a change
Proposing a change
Assessing the risk associated with the change
Testing the change
Scheduling the change
Notifying impacted parties of the change
Implementing the change
Reporting results of the change implementation
All changes must be closely tracked and auditable. A detailed change record should be kept. Some changes can destabilize systems or cause other problems; change management auditing allows operations staff to investigate recent changes in the event of an outage or problem. Audit records also allow auditors to verify that change management policies and procedures have been followed.
CONTINUITY OF OPERATIONS
Continuity of operations is principally concerned with the availability portion of the confidentiality, integrity, and availability triad.
Service-Level Agreements
A Service Level Agreement (SLA) stipulates all expectations regarding the behavior of the department or organization that is responsible for providing services and the quality of the services provided. Often, Service Level Agreements will dictate what is considered acceptable regarding things such as bandwidth, time to delivery, response times, etc.
Fault tolerance
In order for systems and solutions within an organization to be able to continually provide operational availability, they must be implemented with fault tolerance in mind. Availability is not solely focused on system uptime requirements but also requires that data be accessible in a timely fashion.
Backup
In order for data to be able to be recovered in case of a fault, some form of backup or redundancy must be provided. Though magnetic tape media is quite an old technology, it is still the most common repository of backup data. The three basic types of backups are: full backup, incremental backup, and differential backup.
Full
The full backup is a replica of all allocated data on a hard disk. Because of the larger amount of media, and therefore cost of media, and the longer backup window requirements, full backups are often coupled with either incremental or differential backups to balance the time and media considerations.
Incremental and differential
Incremental backups only archive files that have changed since the last backup of any kind was performed. Differential backups will archive any files that have been changed since the last full backup.
Did You Know?
Assume a full backup is performed every Sunday, and either incremental or differential backups are performed daily from Monday to Saturday. Data is lost after Wednesday's backup.
If incremental daily backups were used in addition to the weekly full backup, the tapes from Sunday, Monday, Tuesday, and Wednesday would be needed to recover all archived data.
If differential backups were used in addition to the full weekly backup, only the Sunday and Wednesday tapes would be needed.
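The Sunday-through-Wednesday scenario above can be worked through in code. The following is an added example, not code from the book: it computes which tapes a restore needs under each scheme and then simulates a week of backups to confirm that both schemes recover the same data from their respective tape sets. The weekday schedule follows the text; the file names, contents and function names are constructed.

```python
"""Which tapes a restore needs under incremental versus differential backups.

Added example, not from the book. It models the schedule in the text: a
full backup on Sunday and incremental or differential backups Monday
through Saturday. The tape contents and file names are constructed.
"""

WEEK = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"]


def tapes_needed(failure_after: str, scheme: str) -> list:
    """Ordered list of tapes (oldest first) to restore data as of
    `failure_after`'s backup under the given scheme."""
    if failure_after not in WEEK:
        raise ValueError(f"unknown day: {failure_after}")
    if scheme not in ("incremental", "differential"):
        raise ValueError(f"unknown scheme: {scheme}")
    last = WEEK.index(failure_after)
    if last == 0:
        return ["Sunday"]                # the full backup alone suffices
    if scheme == "incremental":
        return WEEK[:last + 1]           # full plus every incremental since
    return ["Sunday", WEEK[last]]        # full plus only the latest differential


def build_tapes(sunday_state: dict, changes_by_day: dict, scheme: str) -> dict:
    """Simulate a week of backups. `sunday_state` is {file: contents} captured
    by the full backup; `changes_by_day` maps a weekday to the files written
    that day. Returns {day: tape contents}."""
    tapes = {"Sunday": dict(sunday_state)}
    since_full = {}                      # cumulative changes since the full
    for day in WEEK[1:]:
        todays = changes_by_day.get(day, {})
        since_full.update(todays)
        # Incremental: only today's changes. Differential: everything since Sunday.
        tapes[day] = dict(todays) if scheme == "incremental" else dict(since_full)
    return tapes


def restore(tapes: dict, failure_after: str, scheme: str) -> dict:
    """Apply the required tapes oldest-first and return the recovered files.
    (Deleted files are not modelled; tapes only carry new or changed files.)"""
    state = {}
    for day in tapes_needed(failure_after, scheme):
        state.update(tapes[day])
    return state


# Constructed sample data: the Sunday full plus three days of changes.
SUNDAY_STATE = {"ledger.db": "v0", "notes.txt": "draft"}
CHANGES = {
    "Monday": {"ledger.db": "v1"},
    "Tuesday": {"notes.txt": "final"},
    "Wednesday": {"ledger.db": "v2", "report.pdf": "v1"},
}


def expected_state(failure_after: str) -> dict:
    """Ground truth: the Sunday state with every change up to that day applied."""
    state = dict(SUNDAY_STATE)
    for day in WEEK[1:WEEK.index(failure_after) + 1]:
        state.update(CHANGES.get(day, {}))
    return state


if __name__ == "__main__":
    for scheme in ("incremental", "differential"):
        tapes = build_tapes(SUNDAY_STATE, CHANGES, scheme)
        print(scheme, "needs", tapes_needed("Wednesday", scheme),
              "->", restore(tapes, "Wednesday", scheme))
```

The trade-off the text describes shows up directly: the differential tapes grow every day (each carries all changes since Sunday), while the incremental restore needs every tape in order and fails if any one of them is missing or unreadable.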
Even if only one full backup tape is needed for recovery of a system due to a hard disk failure, the time to recover a large amount of data can easily exceed the recovery time dictated by the organization. The goal of a Redundant Array of Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures. There are various RAID levels that consist of different approaches to disk array configurations.
Fast Facts
Three critical RAID terms are: mirroring, striping, and parity.
Mirroring achieves full data redundancy by writing the same data to multiple hard disks.
Striping focuses on increasing read and write performance by spreading data across multiple hard disks. Writes can be performed in parallel across multiple disks rather than serially on one disk. This parallelization provides a performance increase and does not aid in data redundancy.
Parity achieves data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.
RAID 0 employs striping to increase the performance of reads and writes. Striping offers no data redundancy, so RAID 0 is a poor choice if recovery of data is critical. Figure 7.1 shows RAID 0.
FIGURE 7.1 RAID 0: striped set.
RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase. Figure 7.2 shows RAID 1.
FIGURE 7.2 RAID 1: mirrored set.
RAID 2 is a legacy technology that requires either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 cost prohibitive. RAID 2 stripes at the bit level.
Exam Warning
While the ability to quickly recover from a disk failure is a goal of RAID, there are configurations that do not have reliability as a capability. For the exam, understand that not all RAID configurations provide additional reliability.
Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3, data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.
RAID 4: Striped set with dedicated parity (block level)
RAID 4 provides the same functionality as RAID 3 but stripes data at the block, rather than byte, level. Like RAID 3, RAID 4 employs a dedicated parity drive rather than having parity data distributed among all disks, as in RAID 5.
RAID 5: Striped set with distributed parity
One of the most popular RAID configurations is that of RAID 5, striped set with distributed parity. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. RAID 5 writes at the block level, like RAID 4. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks. One of the reasons for RAID 5's popularity is that the disk cost for redundancy is lower than that of a mirrored set. RAID 5 allows for data recovery in the event that any one disk fails. Figure 7.3 shows RAID 5.
FIGURE 7.3 RAID 5: striped set with distributed parity.
While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.
RAID 1+0 or RAID 10
RAID 1+0 or RAID 10 is an example of what is known as nested RAID or multi-RAID, which simply means that one standard RAID level is encapsulated within another. With RAID 10, which is also commonly written as RAID 1+0 to explicitly indicate the nesting, the configuration is that of a striped set of mirrors.
Crunch Time
Table 7.1 provides a brief description of the various RAID levels that are most commonly used.
Table 7.1 RAID Levels
RAID Level   Description
RAID 0       Block-level striped set
RAID 1       Mirrored set
RAID 3       Byte-level striping with dedicated parity
RAID 4       Block-level striping with dedicated parity
RAID 5       Block-level striping with distributed parity
RAID 6       Block-level striping with dual distributed parity
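The parity-based levels in Table 7.1 (RAID 3, 4 and 5) all rely on the same arithmetic, and the following added example (not code from the book) shows it working: parity is the XOR of the data blocks in a stripe, so any one missing block, data or parity, is recovered as the XOR of the survivors. The parity block rotates across disks as in RAID 5; the sample payload, the four-disk geometry, the block size and the function names are constructed. RAID 6's second, independent parity is not modelled.

```python
"""XOR parity reconstruction as used by RAID 3, 4 and 5.

Added example, not from the book. Parity is the XOR of the data blocks in a
stripe, so any single missing block (data or parity) equals the XOR of the
surviving blocks: that is why these levels survive one disk failure but not
two. Parity placement rotates across disks here, as in RAID 5. The sample
data and the 4-disk, 4-byte-block geometry are constructed.
"""


def xor_blocks(blocks: list) -> bytes:
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripes(data: bytes, n_disks: int, block_size: int) -> list:
    """Lay `data` out across `n_disks` disks. Each stripe holds n_disks-1 data
    blocks plus one parity block; the parity block sits on disk
    (stripe_index % n_disks). Data is zero-padded to a whole stripe.
    Returns a list of disks, each a list of blocks."""
    per_stripe = (n_disks - 1) * block_size
    data = data + b"\0" * ((-len(data)) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for stripe, offset in enumerate(range(0, len(data), per_stripe)):
        chunk = data[offset:offset + per_stripe]
        data_blocks = [chunk[i:i + block_size] for i in range(0, per_stripe, block_size)]
        parity = xor_blocks(data_blocks)
        parity_disk = stripe % n_disks
        remaining = iter(data_blocks)
        for disk in range(n_disks):
            disks[disk].append(parity if disk == parity_disk else next(remaining))
    return disks


def rebuild_disk(disks: list, failed: int) -> list:
    """Reconstruct every block of the failed disk from the surviving disks.
    The failed disk's own contents are never read."""
    n_disks = len(disks)
    n_stripes = len(disks[(failed + 1) % n_disks])
    return [xor_blocks([disks[d][s] for d in range(n_disks) if d != failed])
            for s in range(n_stripes)]


def read_data(disks: list) -> bytes:
    """Reassemble the user data (skipping parity blocks) from a healthy array."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += disks[d][s]
    return bytes(out)


# Constructed sample payload.
SAMPLE = b"The quick brown fox jumps over the lazy dog"


def demo_single_failure(failed: int = 2) -> bool:
    """Write SAMPLE to a 4-disk array, 'lose' one disk, rebuild it, and
    confirm both the rebuilt disk and the reassembled data are intact."""
    disks = write_stripes(SAMPLE, n_disks=4, block_size=4)
    damaged = list(disks)
    damaged[failed] = None                      # simulate the failed disk
    damaged[failed] = rebuild_disk(damaged, failed)
    return damaged[failed] == disks[failed] and \
        read_data(damaged).rstrip(b"\0") == SAMPLE


if __name__ == "__main__":
    print("rebuild ok:", demo_single_failure())
```

The rebuild reads every surviving disk in full, which is why a RAID 5 rebuild is slow on large arrays and why a second failure during that window loses the data; that is the gap RAID 6's dual parity is meant to close.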
System redundancy
Though redundancy and resiliency of data, provided by RAID and backup solutions, are important, further consideration needs to be given to the systems themselves that provide access to this redundant data.
Redundant hardware and redundant systems
Many systems can provide internal hardware redundancy of components that are extremely prone to failure. The most common example of this inbuilt redundancy is systems or devices that have redundant onboard power in the event of a power supply failure. Sometimes, systems simply have field-replaceable modular versions of commonly failing components. Though physically replacing a power supply might increase downtime, having an inventory of spare modules to service the entire data center's servers would be less expensive than having all servers configured with an installed redundant power supply.
Redundant systems (aka alternative systems) make entire systems available in case of failure of the primary system.
High-availability clusters
A high-availability cluster (also called a failover cluster) uses multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.
Each member of an active-active HA cluster actively processes data in advance of a failure. This is commonly referred to as load balancing. Having systems in an active-active, or load balancing, configuration is typically more costly than having the systems in an active-passive, or hot standby, configuration in which the backup systems only begin processing when a failure is detected.
damage associated with incidents and to make the recovery of impacted systems quicker.
Methodology
Figure 7.4 is from the NIST Special Publication 800-61: Computer Security Incident Handling Guide (see http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf), which outlines the incident response life cycle in four steps:
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activity
FIGURE 7.4 NIST Incident Response Life Cycle.
Many incident handling methodologies treat containment, eradication, and recovery as three distinct steps, as we will in this book. Other names for each step are sometimes used; here is the six-step life cycle we will follow, with alternate names listed:
1. Preparation
2. Detection and analysis (aka identification)
3. Containment
4. Eradication
5. Recovery
6. Lessons learned (aka post-incident activity, postmortem, or reporting)
It is important to remember that the final step feeds back into the first step, as shown previously in Figure 7.4. An organization may determine that staff were insufficiently trained to handle incidents during the lessons learned phase. That lesson is then applied to continued preparation, where staff would be properly trained.
Preparation
The preparation phase includes steps taken before an incident occurs. These include training, writing incident response policies and procedures, and providing tools such as laptops with sniffing software, crossover cables, original OS media, removable drives, etc. Preparation should include anything that may be required to handle an incident or that will make incident response faster and more effective.
Detection and analysis
Detection (also called identification) is the phase where events are analyzed in order to determine whether they comprise a security incident. An event is any auditable action on a system or network (such as a server reboot or a user logging in to check email). An incident is a harmful event (such as a denial of service attack that crashes a server).
Containment
The containment phase is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident. Containment might include taking a system off the network, isolating traffic, powering off the system, or other items to control both the scope and severity of the incident. This phase is also typically where a binary (bit-by-bit) forensic backup is made of systems involved in the incident.
Eradication
The eradication phase involves two steps: removing any malicious software from a compromised system and understanding the cause of the incident so that the system can be reliably cleaned and safely restored to operational status later in the recovery phase. In order for an organization to reliably recover from an incident, the cause must be determined so that the systems in question can be returned to a known good state without risk of compromise persisting or reoccurring.
Recovery
The recovery phase involves cautiously restoring the system or systems to operational status. Typically, the business unit responsible for the system will dictate when the system will go back online. Consider the possibility that the infection might have persisted through the eradication phase. For this reason, close monitoring of the system after it is returned to production is necessary.
Lessons learned
Unfortunately, the lessons learned phase (also known as post-incident activity, reporting, or postmortem) is likely to be neglected in immature incident response programs. This fact is unfortunate because the lessons learned phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the lessons learned phase is to provide a final report on the incident, which will be delivered to management.
Feedback from this phase feeds directly into continued preparation, where the lessons learned are applied to improve preparation for handling future incidents.
Types of attacks
This section will provide basic information on the types of attacks more commonly experienced and responded to in organizations.
Session hijacking and MITM
Session hijacking compromises an existing network session, sometimes seizing control of it. Older protocols such as Telnet may be vulnerable to session hijacking.
A Man-in-the-Middle (MITM, also called Monkey-in-the-Middle) attack places the attacker between the victim and another system: the attacker's goal is to be able to serve as an undiscovered proxy for either or both of two endpoints engaging in communication. Encrypted communications that provide mutual endpoint authentication can mitigate both session hijacking and MITM.
Malware
Malware, or malicious code/software, represents one of the best known types of threats to information systems. There are numerous types of malware, some detailed in Table 7.2, that have evolved over the years to continually cause stress to operations.
Table 7.2 Types of Malware
Malicious Code   Description
Virus            A virus is malware that does not self-propagate: it requires a carrier, such as a human manually moving an infected USB device from one system to another
Macro virus      A macro virus is malware that infects Microsoft Office documents by means of embedding malicious macros within them
Worm             A worm is malware that self-propagates. Some of the most well-known names of malware fall under the worm category: Code Red, Nimda, SQL Slammer, Blaster, MyDoom, and Witty
Trojan Horse     A Trojan Horse is malware that has two functions: one overt (such as a game) and one covert (such as providing an attacker with persistent backdoor access)
Rootkit          A rootkit is malware that violates system integrity and is focused on hiding from system administrators. Typical capabilities include file, folder, process, and network connection hiding
Denial of Service (DoS) is a one-to-one availability attack; Distributed Denial of Service (DDoS) is a many-to-one availability attack. DoS attacks come in all shapes and sizes, ranging from those involving one specially crafted packet and a vulnerable system to see that packet to DDoS attacks that leverage tens of thousands (or more) of bots to target an online service provider with a flood of seemingly legitimate traffic attempting to overwhelm their capacity. Table 7.3 includes historical examples of malicious packet attacks as well as some general resource exhaustion, or flooding, techniques.
Table 7.3 Denial of Service Examples
DoS Name         Type                  Description
Land             Malformed packet      The land attack uses a spoofed SYN packet that includes the victim's IP address as both source and destination
Smurf            Resource exhaustion   A Smurf attack involves ICMP flooding. The attacker sends ICMP Echo Request messages with spoofed source addresses of the victim to the directed broadcast address of a network known to be a Smurf amplifier. A Smurf amplifier is a public-facing network that sends a large number of responses from traffic sent to directed broadcast addresses
SYN Flood        Resource exhaustion   A SYN Flood sends many TCP packets with the SYN flag set to a victim and ignores the victim's SYN/ACK packets. The victim's half-open connection queue may eventually fill and be unable to process new connections
Teardrop         Malformed packet      The teardrop attack sends packets with overlapping fragment offsets, which may crash the system that is attempting to reassemble the fragments
Ping of Death    Malformed packet      The Ping of Death sends fragmented ICMP Echo Requests that, once reassembled, are larger than the maximum size of an IP packet
Fraggle          Resource exhaustion   The Fraggle attack is a variation of the Smurf attack. While Smurf uses ICMP, Fraggle uses UDP
DNS reflection                         A DNS reflection attack sends high numbers of DNS requests spoofed from the victim to publicly accessible recursive DNS name servers
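The malformed-packet entries in Table 7.3 each have a simple structural signature, and the SYN flood leaves a measurable trace in the half-open connection state the table describes. The following is an added example, not code from the book, showing how a defender would check for those signatures: a Land packet (source equals destination), Teardrop (overlapping fragment offsets), Ping of Death (reassembled size beyond the IPv4 maximum), and a per-destination count of half-open handshakes for SYN flood detection. Packets are simplified constructed dicts rather than parsed captures, and the field names, threshold and sample addresses are assumptions.

```python
"""Detection checks for three patterns from Table 7.3: Land, Teardrop and
Ping of Death (malformed packets) plus SYN flood half-open tracking.

Added example, not from the book. Packets are simplified constructed dicts
rather than parsed captures; a real detector would feed these checks from
pcap or flow records. Field names, thresholds and sample addresses are
assumptions.
"""
from collections import defaultdict

MAX_IPV4_LENGTH = 65535  # IPv4 total-length field is 16 bits


def is_land(pkt: dict) -> bool:
    """Land: a SYN whose source address/port equal its destination address/port."""
    flags = pkt.get("flags", ())
    return (pkt["proto"] == "tcp" and "SYN" in flags
            and pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"))


def fragment_findings(fragments: list) -> list:
    """Group fragments by (src, dst, ip_id) and flag: overlapping offsets
    (teardrop) and a reassembled size beyond the IPv4 maximum (ping of death).
    Each fragment carries offset and length in bytes."""
    groups = defaultdict(list)
    for frag in fragments:
        groups[(frag["src"], frag["dst"], frag["ip_id"])].append(frag)
    findings = []
    for key, frags in groups.items():
        frags.sort(key=lambda f: f["offset"])
        end_so_far = 0
        for frag in frags:
            if frag["offset"] < end_so_far:      # starts before previous fragment ends
                findings.append(("teardrop", key))
                break
            end_so_far = frag["offset"] + frag["length"]
        if max(f["offset"] + f["length"] for f in frags) > MAX_IPV4_LENGTH:
            findings.append(("ping_of_death", key))
    return findings


def half_open_counts(packets: list) -> dict:
    """SYN flood indicator: per destination, the number of client SYNs that
    have not been followed by the client's ACK completing the handshake."""
    pending = defaultdict(set)
    for pkt in packets:
        if pkt["proto"] != "tcp":
            continue
        flow = (pkt["src"], pkt.get("sport"), pkt.get("dport"))
        flags = pkt.get("flags", ())
        if "SYN" in flags and "ACK" not in flags:      # client's initial SYN
            pending[pkt["dst"]].add(flow)
        elif "ACK" in flags and "SYN" not in flags:    # client's handshake ACK
            pending[pkt["dst"]].discard(flow)
    return {dst: len(flows) for dst, flows in pending.items() if flows}


def syn_flood_suspects(packets: list, threshold: int) -> list:
    """Destinations whose half-open count meets the threshold."""
    return sorted(dst for dst, n in half_open_counts(packets).items() if n >= threshold)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    # Land: source equals destination.
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 80, "dport": 80, "flags": ("SYN",)},
    # One legitimate, completed handshake.
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": 80, "flags": ("SYN",)},
    {"proto": "tcp", "src": "192.0.2.10", "dst": "198.51.100.7", "sport": 80, "dport": 40000, "flags": ("SYN", "ACK")},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": 80, "flags": ("ACK",)},
] + [
    # Twenty SYNs whose senders never answer the SYN/ACK.
    {"proto": "tcp", "src": f"203.0.113.{i}", "dst": "192.0.2.10", "sport": 50000 + i, "dport": 80, "flags": ("SYN",)}
    for i in range(1, 21)
]

SAMPLE_FRAGMENTS = [
    {"src": "203.0.113.9", "dst": "192.0.2.10", "ip_id": 1, "offset": 0, "length": 1480},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "ip_id": 1, "offset": 1000, "length": 800},   # overlaps
    {"src": "203.0.113.9", "dst": "192.0.2.10", "ip_id": 2, "offset": 0, "length": 1480},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "ip_id": 2, "offset": 65120, "length": 500}, # 65620 bytes
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 3, "offset": 0, "length": 1480},
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ip_id": 3, "offset": 1480, "length": 200},  # benign
]

if __name__ == "__main__":
    print("land packets:", sum(is_land(p) for p in SAMPLE_PACKETS))
    print("fragment findings:", fragment_findings(SAMPLE_FRAGMENTS))
    print("SYN flood suspects:", syn_flood_suspects(SAMPLE_PACKETS, threshold=10))
```

The half-open count is the same quantity the victim's connection queue holds, so watching it per destination gives an early indicator before the queue fills; the threshold would be tuned to the host's normal connection rate. The Land packet also shows up in that count because it is a SYN that never completes.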
D. RAID 5
3. Which principle involves defining a trusted security baseline image of critical systems?
A. Configuration management
B. Change management
C. Patch management
D. Vulnerability management
4. Which type of attack leverages overlapping fragments to cause a Denial of Service?
A. Smurf
B. Teardrop
C. Fraggle
D. Ping of Death
5. Which of the following can be either a detective or deterrent control?
A. Separation of duties
B. Principle of least privilege
C. Rotation of duties
D. Collusion
ANSWERS
1. Correct answer and explanation: C. Answer C is correct; destruction is the most secure way to destroy data: it offers physical and visual evidence of successful completion.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Degaussing and bit-level overwrites may be adequate when performed successfully against magnetic media but offer no visual proof of successful completion. This means undetected errors may result in risk. Formatting is incorrect because it usually replaces the File Allocation Table (FAT) with a new version but usually leaves unallocated data as is.
2. Correct answer and explanation: B. Answer B is correct; RAID 3 stripes data across multiple disks at the byte level.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. RAID 2 stripes at the bit level. Both RAID 4 and RAID 5 stripe at the block level.
3. Correct answer and explanation: A. Answer A is correct; configuration management involves the creation of a known security baseline for systems and is often built leveraging third-party security configuration guides.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. Change management is concerned with ensuring a regimented process is followed for any changes made to systems. Patch management ensures that systems receive timely updates to installed software. Vulnerability management's purpose is to come to understand what known vulnerabilities exist in an organization and track their remediation over time.
4. Correct answer and explanation: B. Answer B is correct; the teardrop attack is a DoS that works by sending overlapping fragments that, when received by a vulnerable host, can cause a system to crash.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Smurf attacks send spoofed ICMP Echo Requests to publicly accessible directed broadcast addresses. Fraggle is similar to Smurf but uses UDP instead of ICMP. The Ping of Death also uses fragments, but they do not overlap.
5. Correct answer and explanation: C. Answer C is correct; rotation of duties can serve as either a detective or deterrent control: the fear of being caught may deter someone from committing fraud; the rotation may detect fraud that has already occurred.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Separation of duties and the principle of least privilege are primarily preventive controls. Collusion is not a control.
NIST Special Publication 800-61: Computer Security Incident Handling Guide. http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf [accessed May 5, 2013].
1. Executive Order 12356, National Security Information. http://www.archives.gov/federal-register/codification/executive-order/12356.html [accessed May 5, 2013].
CHAPTER8
KEYWORDS
BusinessContinuityPlan(BCP);ContinuityofOperationsPlan(COOP);
Disaster;DisasterRecoveryPlan(DRP);MeanTimeBetweenFailures(MTBF);
MeanTimetoRepair(MTTR);RecoveryPointObjective(RPO);Recovery
TimeObjective(RTO);WorkRecoveryTime(WRT);MeanTimeBetween
Failures(MTBF);MeanTimetoRepair(MTTR);MinimumOperating
Requirements(MOR)
DRPTestingandTraining
ContinuedBCP/DRPMaintenance
SpecicBCP/DRPFrameworks
Introduction
BusinessContinuityandDisasterRecoveryPlanningisanorganizationslast
lineofdefense:whenallothercontrolshavefailed,BCP/DRPisthenal
controlthatmaypreventdrasticeventssuchasinjury,lossoflife,orfailureof
anorganization.Asinformationsecurityprofessionals,wemustbevigilant
andprotectourorganizationsandstafromthesedisruptiveevents.
ThoughmanyorganizationswillsimplyusethephrasesBusinessContinuity
Planning(BCP)orDisasterRecoveryPlanninginterchangeably,theyaretwo
distinctdisciplines.TheoverarchinggoalofaBCPisforensuringthatthe
businesswillcontinuetooperatebefore,throughout,andafteradisaster
eventisexperienced.ThefocusofaBCPisonthebusinessasawholeand
ensuringthatthosecriticalservicesthatthebusinessprovidesorcritical
functionsthatthebusinessregularlyperformscanstillbecarriedoutbothin
thewakeofadisruptionandafterthedisruptionhasbeenweathered.
Disaster Recovery Planning
The Disaster Recovery Plan (DRP) provides a short-term plan for dealing with specific IT-oriented disruptions. Mitigating a malware infection that shows risk of spreading to other systems is an example of a specific IT-oriented disruption that a DRP would address. The DRP focuses on efficiently attempting to mitigate the impact of a disaster and the immediate response and recovery of critical IT systems in the face of a significant disruptive event. Disaster Recovery Planning is considered tactical rather than strategic and provides a means for immediate response to disasters.
Relationship between BCP and DRP
The Business Continuity Plan is an umbrella plan that includes multiple specific plans, most importantly the Disaster Recovery Plan. The Disaster Recovery Plan serves as a subset of the overall Business Continuity Plan, because a BCP would be doomed to fail if it did not contain a tactical method for immediately dealing with disruption of information systems. Figure 8.1, from NIST Special Publication 800-34, provides a visual means for understanding the interrelatedness of a BCP and a DRP, as well as the Continuity of Operations Plan (COOP), Occupant Emergency Plan (OEP), and others. [1]
FIGURE 8.1 BCP and related plans.
Given that organizations' Business Continuity and Disaster Recovery Plans are created because of the potential of disasters impacting operations, understanding disasters and disruptive events is necessary.
Fast Facts
The three common ways of categorizing the causes for disasters are whether the threat agent is natural, human, or environmental in nature.
Natural: The most obvious type of threat that can result in a disaster is naturally occurring. This category includes threats such as earthquakes, hurricanes, tornadoes, floods, and some types of fires. Historically, natural disasters have provided some of the most devastating disasters that an organization can have to respond to.
Human: The human category of threats represents the most common source of disasters. Human threats can be further classified by whether they constitute an intentional or unintentional threat.
Environmental: Threats focused on information systems or data center environments include items such as power issues (blackout, brownout, surge, spike), system component or other equipment failures, and application or software flaws. [1]
The analysis of threats and determination of the associated likelihood of the threats being manifested are an important part of the BCP and DRP process. Table 8.1 provides a quick summary of some of the disaster events and what type of disaster they constitute.
Fast Facts
Types of disruptive events include:
Errors and omissions: typically considered the most common source of disruptive events. This type of threat is caused by humans who unintentionally serve as a source of harm.
Natural disasters: include earthquakes, hurricanes, floods, tsunamis, etc.
Electrical or power problems: loss of power may cause availability issues and integrity issues due to corrupted data.
Temperature and humidity failures: may damage equipment due to overheating, corrosion, or static electricity.
Warfare, terrorism, and sabotage: threat can vary dramatically based on geographic location, industry, brand value, and the interrelatedness with other high-value target organizations.
Financially motivated attackers: attackers who seek to make money by attacking victim organizations; this includes exfiltration of cardholder data, identity theft, pump-and-dump stock schemes, bogus anti-malware tools, corporate espionage, and others.
Personnel shortages: may be caused by strikes, pandemics, or transportation issues. A lack of staff may lead to operational disruption.
Table 8.1
Examples of Disruptive Events
Disruptive Event                      Type
Earthquake/tornado/hurricane/etc.     Natural
Strike                                Human (intentional)
Cyberterrorism                        Human (intentional)/technical
Malware                               Human (intentional)/technical
Denial of Service                     Human (intentional)/technical
Errors and omissions                  Human (unintentional)
Electrical fire                       Environmental
Equipment failure                     Environmental
Having discussed the importance of Business Continuity and Disaster Recovery Planning and examples of threats that justify this degree of planning, we will now focus on the fundamental steps involved in recovering from a disaster.
Respond
In order to begin the disaster recovery process, there must be an initial response that begins the process of assessing the damage. Speed is essential during this initial assessment. The initial assessment will determine if the event in question constitutes a disaster.
Activate team
If a disaster is declared, then the recovery team needs to be activated. Depending on the scope of the disaster, this communication could prove extremely difficult. The use of calling trees, which will be discussed in the "Call Trees" section of this chapter, can help to facilitate this process to ensure that members can be activated as smoothly as possible.
Communicate
One of the most difficult aspects of disaster recovery is ensuring that consistent, timely status updates are communicated back to the central team managing the response and recovery process. This communication often must occur out of band, meaning that the typical communication method of leveraging an office phone will quite often not be a viable option. In addition to communication of internal status regarding the recovery activities, the organization must be prepared to provide external communications, which involve disseminating details regarding the organization's recovery status to the public.
Assess
Though an initial assessment was carried out during the initial response portion of the disaster recovery process, a more detailed and thorough assessment will be performed by the disaster recovery team. The team will proceed to assessing the extent of the damage to determine the proper steps necessary to ensure the organization's ability to meet its mission.
Reconstitution
The primary goal of the reconstitution phase is to successfully recover critical business operations at either the primary or a secondary site. If an alternate site is leveraged, adequate safety and security controls must be in place in order to maintain the expected degree of security the organization typically employs. The use of an alternate computing facility for recovery should not expose the organization to further security incidents. In addition to the recovery team's efforts at reconstitution of critical business functions at an alternate location, a salvage team will be employed to begin the recovery process at the primary facility that experienced the disaster. Ultimately, the expectation is, unless wholly unwarranted given the circumstances, that the primary site will be recovered and that the alternate facility's operations will fail back or be transferred again to the primary center of operations.
DEVELOPING A BCP/DRP
Developing a BCP/DRP is vital for an organization's ability to respond to and recover from an interruption in normal business functions or a catastrophic event. In order to ensure that all planning has been considered, the BCP/DRP has a specific set of requirements to review and implement. Below are listed the high-level steps, according to NIST 800-34, to achieving a sound, logical BCP/DRP. NIST 800-34 is the National Institute of Standards and Technology's Information Technology Contingency Planning Guide.
Project Initiation
Scope the Project
Business Impact Analysis
Identify Preventive Controls
Recovery Strategy
Plan Design and Development
Implementation, Training, and Testing
BCP/DRP Maintenance
Project Initiation
In order to develop the BCP/DRP, the scope of the project must be determined and agreed upon.
Fast Facts
Project Initiation involves seven distinct milestones, as listed below:
1. Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.
2. Conduct the business impact analysis (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to assist the user.
3. Identify preventive controls: Measures taken to reduce the effects of system disruptions can increase system availability and reduce contingency life cycle costs.
4. Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.
5. Develop an IT contingency plan: The contingency plan should contain detailed guidance and procedures for restoring a damaged system.
6. Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.
7. Plan maintenance: The plan should be a living document that is updated regularly to remain current with system enhancements. [1]
Assessing the critical state can be difficult because determining which pieces of the IT infrastructure are critical depends solely on how they support the users within the organization. For example, without consulting all of the users, a simple mapping program may not seem to be a critical asset for an organization. However, if there is a user group that drives trucks and makes deliveries for business purposes, this mapping software may be critical for them to schedule pickups and deliveries.
Conduct Business Impact Analysis
The Business Impact Analysis (BIA) is the formal method for determining how a disruption to the IT system(s) of an organization will impact the organization's requirements, processes, and interdependencies with respect to the business mission. It is an analysis to identify and prioritize critical IT systems and components. It enables the BCP/DRP project manager to fully characterize the IT contingency requirements and priorities. The objective is to correlate the IT system components with the critical service each supports. It also aims to quantify the consequence of a disruption to the system component and how that will affect the organization. The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD) for a specific IT asset. This will directly impact what disaster recovery solution is chosen.
Identify critical assets
The critical asset list is a list of those IT assets that are deemed business-essential by the organization. The DRP/BCP must assign these systems the best available recovery capabilities.
Conduct BCP/DRP-focused risk assessment
The BCP/DRP-focused risk assessment determines what risks are inherent to which IT assets. A vulnerability analysis is also conducted for each IT system and major application. This is done because most traditional BCP/DRP evaluations focus on physical security threats, both natural and human.
Determine Maximum Tolerable Downtime
The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD), which describes the total time a system can be inoperable before an organization is severely impacted. It is the maximum time it takes to execute the reconstitution phase. Reconstitution is the process of moving an organization from disaster recovery to business operations.
Maximum Tolerable Downtime is composed of two metrics: the Recovery Time Objective (RTO) and the Work Recovery Time (WRT); see below.
Alternate terms for MTD
Depending on the business continuity framework that is used, other terms may be substituted for Maximum Tolerable Downtime. These include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).
Failure and recovery metrics
A number of metrics are used to quantify how frequently systems fail, how long a system may exist in a failed state, and the maximum time to recover from failure. These metrics include the Recovery Point Objective (RPO), Recovery Time Objective (RTO), Work Recovery Time (WRT), Mean Time Between Failures (MTBF), Mean Time to Repair (MTTR), and Minimum Operating Requirements (MOR).
Recovery Point Objective
The Recovery Point Objective (RPO) is the amount of data loss or system inaccessibility (measured in time) that an organization can withstand. If you perform weekly backups, someone made a decision that your company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, you have lost the entire week's worth of data. This is the Recovery Point Objective. In this case, the RPO is 1 week.
The RPO represents the maximum acceptable amount of data/work loss for a given process because of a disaster or disruptive event.
Recovery Time Objective and Work Recovery Time
The Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems. RTO is also called the systems recovery time. This is one part of Maximum Tolerable Downtime: once the system is physically running, it must be configured.
Crunch Time
Work Recovery Time (WRT) describes the time required to configure a recovered system. Downtime consists of two elements, the systems recovery time and the work recovery time. Therefore,
MTD = RTO + WRT. [8]
Mean Time Between Failures
Mean Time Between Failures (MTBF) quantifies how long a new or repaired system will run before failing. It is typically generated by a component vendor and is largely applicable to hardware as opposed to applications and software.
Mean Time to Repair
The Mean Time to Repair (MTTR) describes how long it will take to recover a specific failed system. It is the best estimate for reconstituting the IT system so that business continuity may occur.
Minimum Operating Requirements
Minimum Operating Requirements (MOR) describe the minimum environmental and connectivity requirements in order to operate computer equipment. It is important to determine and document what the MOR is for each IT-critical asset because, in the event of a disruptive event or disaster, proper analysis can be conducted quickly to determine if the IT assets will be able to function in the emergency environment.
Identify Preventive Controls
Preventive controls prevent disruptive events from having an impact. For example, as stated in Chapter 10, Domain 10: Physical (Environmental) Security, HVAC systems are designed to prevent computer equipment from overheating and failing.
Did You Know?
The BIA will identify some risks that may be mitigated immediately. This is another advantage of performing BCP/DRP, including the BIA: it improves your security, even if no disaster occurs.
Recovery strategy
Once the BIA is complete, the BCP team knows the Maximum Tolerable Downtime. This metric, as well as others including the Recovery Point Objective and Recovery Time Objective, is used to determine the recovery strategy. A cold site cannot be used if the MTD is 12 hours, for example. As a general rule, the shorter the MTD, the more expensive the recovery solution will be.
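The following added example (not from the book) works the metrics above through in code: it derives the worst-case RPO from a backup schedule, computes MTD = RTO + WRT, and then selects the cheapest recovery-site tier whose time-to-operational fits inside the MTD. The per-tier recovery times are assumptions labelled in the code; the chapter itself only states that a hot site can resume in under an hour and that a cold site may take weeks.

```python
"""Recovery metrics and recovery-strategy selection (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Recovery-site tiers ordered from cheapest to most expensive, each with an
# ASSUMED worst-case time to bring critical IT services back. "Weeks" for a
# cold site follows the chapter; the other figures are illustrative only.
SITE_TIERS = [
    ("cold site", timedelta(weeks=3)),
    ("warm site", timedelta(days=2)),
    ("hot site", timedelta(hours=1)),
    ("redundant site", timedelta(0)),
]


@dataclass(frozen=True)
class RecoveryMetrics:
    rto: timedelta  # time to get the failed system physically running again
    wrt: timedelta  # time to configure and verify the recovered system

    @property
    def mtd(self) -> timedelta:
        """Maximum Tolerable Downtime as the chapter defines it: RTO + WRT."""
        return self.rto + self.wrt


def worst_case_rpo(backup_interval: timedelta) -> timedelta:
    """With periodic backups the worst case is failing just before the next
    backup runs, so a full interval is lost (weekly backups -> 1 week RPO)."""
    return backup_interval


def recovery_point_loss(last_backup: datetime, failure: datetime) -> timedelta:
    """Data actually lost by restoring from the most recent backup."""
    if failure < last_backup:
        raise ValueError("failure cannot precede the backup it is restored from")
    return failure - last_backup


def select_site(mtd: timedelta, tiers=SITE_TIERS):
    """Cheapest tier whose assumed time-to-operational is within the MTD.

    Tiers are tried from cheapest to most expensive, which mirrors the
    chapter's rule that a shorter MTD forces a costlier solution. Returns
    None when nothing fits, meaning the requirement itself must be revisited.
    """
    for name, time_to_operational in tiers:
        if time_to_operational <= mtd:
            return name
    return None


def strategy_report(metrics, backup_interval, last_backup, failure):
    """Summarise the BIA-derived numbers for one IT asset."""
    return {
        "mtd": metrics.mtd,
        "rpo_worst_case": worst_case_rpo(backup_interval),
        "data_lost_this_event": recovery_point_loss(last_backup, failure),
        "site": select_site(metrics.mtd),
    }


if __name__ == "__main__":
    # Constructed scenario: weekly backups on Saturday evening and a failure
    # the following Saturday afternoon (the chapter's RPO example), with an
    # assumed RTO of 8 hours and WRT of 4 hours, giving an MTD of 12 hours.
    m = RecoveryMetrics(rto=timedelta(hours=8), wrt=timedelta(hours=4))
    report = strategy_report(
        m,
        backup_interval=timedelta(weeks=1),
        last_backup=datetime(2013, 4, 27, 20, 0),  # Saturday 20:00
        failure=datetime(2013, 5, 4, 15, 0),       # next Saturday 15:00
    )
    for key, value in report.items():
        print(f"{key:>22}: {value}")
```

With a 12-hour MTD the cold and warm tiers are rejected and a hot site is chosen, which is the chapter's own point that a cold site cannot satisfy an MTD of 12 hours.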
Redundant site
A redundant site is an exact production duplicate of a system that has the capability to seamlessly operate all necessary IT operations without loss of services to the end user of the system. A redundant site receives data backups in real time so that in the event of a disaster, the users of the system have no loss of data. It is a building configured exactly like the primary site and is the most expensive recovery option because it effectively more than doubles the cost of IT operations. To be fully redundant, a site must have real-time data backups to the production system and the end user should not notice any difference in IT services or operations in the event of a disruptive event.
Hot site
A hot site is a location that an organization may relocate to following a major disruption or disaster. It is a data center with a raised floor, power, utilities, computer peripherals, and fully configured computers. The hot site will have all necessary hardware and critical applications data mirrored in real time. A hot site will have the capability to allow the organization to resume critical operations within a very short period of time, sometimes in less than an hour.
It is important to note the difference between a hot and a redundant site. Hot sites can quickly recover critical IT functionality; it may even be measured in minutes instead of hours. However, a redundant site will appear as operating normally to the end user no matter what the state of operations is for the IT program. A hot site has all the same physical, technical, and administrative controls implemented as the production site.
Warm site
A warm site has some aspects of a hot site, for example, readily accessible hardware and connectivity, but it will have to rely upon backup data in order to reconstitute a system after a disruption. It is a data center with a raised floor, power, utilities, computer peripherals, and fully configured computers.
Cold site
A cold site is the least expensive recovery solution to implement. It does not include backup copies of data, nor does it contain any immediately available hardware. After a disruptive event, a cold site will take the longest amount of time of all recovery solutions to implement and restore critical IT services for the organization. Especially in a disaster area, it could take weeks to get vendor hardware shipments in place, so organizations using a cold site recovery solution will have to be able to withstand a significantly long MTD. A cold site is typically a data center with a raised floor, power, utilities, and physical security, but not much beyond that.
Reciprocal agreement
Reciprocal agreements are bidirectional agreements between two organizations in which one organization promises another organization that it can move in and share space if it experiences a disaster. They are documented in the form of a contract written to gain support from outside organizations in the event of a disaster. They are also referred to as Mutual Aid Agreements (MAAs) and they are structured so that each organization will assist the other in the event of an emergency.
Mobile site
Mobile sites are data centers on wheels: towable trailers that contain racks of computer equipment, as well as HVAC, fire suppression, and physical security. They are a good fit for disasters such as a data center flood, where the data center is damaged but the rest of the facility and surrounding property are intact. They may be towed on site, supplied power and network, and brought online.
Related plans
As discussed previously, the Business Continuity Plan is an umbrella plan that contains other plans. In addition to the Disaster Recovery Plan, other plans include the Continuity of Operations Plan (COOP), the Business Resumption/Recovery Plan (BRP), Continuity of Support Plan, Cyber Incident Response Plan, Occupant Emergency Plan (OEP), and the Crisis Management Plan (CMP). Table 8.2, from NIST Special Publication 800-34, summarizes these plans.
Table 8.2
Summary of BCP Plans from NIST SP 800-34
Call Trees
A key tool leveraged for staff communication by the Crisis Communications Plan is the Call Tree, which is used to quickly communicate news throughout an organization without overburdening any specific person. The Call Tree works by assigning each employee a small number of other employees they are responsible for calling in an emergency event. For example, the organization president may notify executive leadership of an emergency situation and they, in turn, will notify their top-tier managers. The top-tier managers will then call the people they have been assigned to call. The Call Tree continues until all affected personnel have been contacted.
DRP Testing and Training
In order to ensure that a Disaster Recovery Plan represents a viable plan for recovery, thorough testing is needed. Given the DRP's detailed tactical subject matter, it should come as no surprise that routine infrastructure, hardware, software, and configuration changes will alter the way the DRP needs to be carried out. Organizations' information systems are in a constant state of flux, but unfortunately, many of these changes do not readily make their way into an updated DRP. To ensure both the initial and continued efficacy of the DRP as a feasible recovery methodology, testing needs to be performed.
DRP review
The DRP review is the most basic form of initial DRP testing and is focused on simply reading the DRP in its entirety to ensure completeness of coverage. This review is typically performed by the team that developed the plan and will involve team members reading the plan in its entirety to quickly review the overall plan for any obvious flaws. The DRP review is primarily just a sanity check to ensure that there are no glaring omissions in coverage or fundamental shortcomings in the approach.
Checklist
Checklist (also known as consistency) testing lists all necessary components required for successful recovery and ensures that they are, or will be, readily available should a disaster occur. For example, if the disaster recovery plan calls for the reconstitution of systems from tape backups at an alternate computing facility, does the site in question have an adequate number of tape drives on hand to carry out the recovery in the indicated window of time? The checklist test is often performed concurrently with the structured walk-through or tabletop testing as a solid first testing threshold. The checklist test is focused on ensuring that the organization has, or can acquire in a timely fashion, a sufficient level of the resources on which its successful recovery is dependent.
Structured walk-through/tabletop
Another test that is commonly completed at the same time as the checklist test is that of the structured walk-through, which is also often referred to as a tabletop exercise. During this type of DRP test, usually performed prior to more in-depth testing, the goal is to allow individuals who are knowledgeable about the systems and services targeted for recovery to thoroughly review the overall approach. The term structured walk-through is illustrative, as the group will talk through the proposed recovery procedures in a structured manner to determine whether there are any noticeable omissions, gaps, erroneous assumptions, or simply technical missteps that would hinder the recovery process from successfully occurring.
Simulation test/walk-through drill
A simulation test, also called a walk-through drill (not to be confused with the discussion-based structured walk-through), goes beyond talking about the process and actually has teams carry out the recovery process. A pretend disaster is simulated to which the team must respond as they are directed to by the DRP. The scope of simulations will vary significantly and tends to grow to be more complicated and involve more systems as smaller disaster simulations are successfully managed. Though some will see the goal as being able to successfully recover the systems impacted by the simulation, ultimately, the goal of any testing of a DRP is to help ensure that the organization is well prepared in the event of an actual disaster.
Parallel processing
Another type of DRP test is that of parallel processing. This type of test is common in environments where transactional data is a key component of the critical business processing. Typically, this test will involve recovery of critical processing components at an alternate computing facility and then restoring data from a previous backup. Note that regular production systems are not interrupted.
Partial and complete business interruption
Arguably, the highest-fidelity of all DRP tests involves business interruption testing. However, this type of test can actually be the cause of a disaster, so extreme caution should be exercised before attempting an actual interruption test. As the name implies, the business interruption style of testing will have the organization actually stop processing normal business at the primary location and will instead leverage the alternate computing facility. These types of tests are more common in organizations where fully redundant, often load-balanced, operations already exist.
Training
Although there is an element of DRP training that comes as part of performing the tests discussed above, there is certainly a need for more detailed training on some specific elements of the DRP process. Another aspect of training is to ensure adequate representation on staff of those trained in basic first aid and CPR.
Starting emergency power
Though it might seem simple, converting a data center to emergency power, such as backup generators that will begin taking the load as the UPS fail, is not to be taken lightly. Specific training and testing of changing over to emergency power should be regularly performed.
Calling tree training/test
Another example of combination training and testing is in regard to calling trees, which were discussed previously in the "Call Trees" section. The hierarchical relationships of calling trees can make outages in the tree problematic. Individuals with calling responsibilities are typically expected to be able to answer within a very short time period or otherwise make arrangements.
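To show why an outage in a hierarchical call tree is problematic, and what a call-tree test should check, here is an added example (not from the book) that models the Call Tree described earlier as a mapping from each caller to the people they are responsible for calling, runs a notification round, and compares the result with and without escalation (the caller taking over an unreachable person's list). The names and tree shape are constructed.

```python
"""Call-tree notification with outage handling (added example)."""
from collections import deque

# Constructed call tree: president -> executives -> top-tier managers -> staff.
CALL_TREE = {
    "president": ["exec_ops", "exec_it"],
    "exec_ops": ["mgr_facilities", "mgr_logistics"],
    "exec_it": ["mgr_infra", "mgr_appdev"],
    "mgr_facilities": ["alice", "bob"],
    "mgr_logistics": ["carol"],
    "mgr_infra": ["dave", "erin"],
    "mgr_appdev": ["frank"],
}


def everyone(tree):
    """All people in the tree, callers and callees alike."""
    people = set(tree)
    for callees in tree.values():
        people.update(callees)
    return people


def run_call_tree(tree, root, unreachable=frozenset(), escalate=True):
    """Breadth-first notification starting at `root`.

    Returns (reached, covered_for). `reached` is the set of people who
    answered. `covered_for` maps each unreachable person to the caller who
    took over their list; it is only filled when escalate=True. Without
    escalation, everyone below an unreachable person is silently missed.
    """
    reached = {root}
    covered_for = {}
    # Each queue entry is (whose list to work, who is actually making the calls).
    queue = deque([(root, root)])
    while queue:
        node, acting = queue.popleft()
        for callee in tree.get(node, []):
            if callee in unreachable:
                if escalate:
                    covered_for[callee] = acting
                    queue.append((callee, acting))  # acting works callee's list
                continue
            reached.add(callee)
            queue.append((callee, callee))
    return reached, covered_for


def missed(tree, reached, unreachable):
    """People never contacted, excluding those who were unreachable themselves:
    this is the gap a calling-tree test is meant to expose."""
    return everyone(tree) - reached - set(unreachable)


if __name__ == "__main__":
    outage = {"exec_it"}
    for escalate in (False, True):
        reached, covered = run_call_tree(CALL_TREE, "president", outage, escalate)
        print(f"escalate={escalate}: reached {len(reached)}, "
              f"missed {sorted(missed(CALL_TREE, reached, outage))}, covered {covered}")
```

With exec_it out and no escalation, five people under that branch are never contacted; with escalation the president works exec_it's list and nobody is missed.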
Continued BCP/DRP Maintenance
Change management includes tracking and documenting all planned changes, formal approval for substantial changes, and documentation of the results of the completed change. All changes must be auditable.
Crunch Time
The BCP team should be a member of the change control board and attend all meetings. The goal of the BCP team's involvement on the change control board is to identify any changes that must be addressed by the BCP/DRP.
BCP/DRP mistakes
Business continuity and disaster recovery planning is a business's last line of defense against failure. If other controls have failed, BCP/DRP is the final control. If it fails, the business may fail.
The success of BCP/DRP is critical, but many plans fail. The BCP team should consider the failure of other organizations' plans and view their own under intense scrutiny. They should ask themselves this question: Have we made mistakes that threaten the success of our plan?
Fast Facts
Common BCP/DRP mistakes include:
Lack of management support
Lack of business unit involvement
Lack of prioritization among critical staff
Improper (often overly narrow) scope
Inadequate telecommunications management
Inadequate supply chain management
Incomplete or inadequate crisis management plan
Lack of testing
Lack of training and awareness
Failure to keep the BCP/DRP up to date
Specific BCP/DRP Frameworks
without attempting to map to a number of different (and sometimes inconsistent) terms and processes described by various BCP/DRP frameworks.
NIST SP 800-34
The National Institute of Standards and Technology (NIST) Special Publication 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems, may be downloaded at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1_errata-Nov11-2010.pdf. The document is high quality and public domain. Plans can sometimes be significantly improved by referencing SP 800-34 when writing or updating a BCP/DRP.
ISO/IEC 27031
ISO/IEC 27031 is part of the ISO 27000 series, which also includes ISO 27001 and ISO 27002 (discussed in Chapter 1, Domain 1: Information Security Governance and Risk Management). ISO/IEC 27031 focuses on BCP (DRP is handled by another framework; see below).
Fast Facts
According to http://www.iso27001security.com/html/27031.html, ISO/IEC 27031 is designed to:
Provide a framework (methods and processes) for any organization, private, governmental, and non-governmental
Identify and specify all relevant aspects including performance criteria, design, and implementation details, for improving ICT readiness as part of the organization's ISMS, helping to ensure business continuity.
Enable an organization to measure its continuity, security and hence readiness to survive a disaster in a consistent and recognized manner. [9]
Terms and acronyms used by ISO/IEC 27031 include:
ICT: Information and Communications Technology
ISMS: Information Security Management System
[9] ISO/IEC 27031 Information technology, Security techniques, Guidelines for ICT Readiness for Business Continuity (final committee draft). http://www.iso27001security.com/html/27031.html [accessed July 2, 2013].
A separate ISO plan for disaster recovery is ISO/IEC 24762:2008, Information technology, Security techniques, Guidelines for information and communications technology disaster recovery services. More information is available at http://www.iso.org/iso/catalogue_detail.htm?csnumber=41532
BCI
The Business Continuity Institute (BCI, http://www.thebci.org/) published a six-step Good Practice Guidelines (GPG) in 2008 that describes the Business Continuity Management (BCM) process:
Section 1 consists of the introductory information plus BCM Policy and Programme Management.
Section 2 is Understanding the Organisation
Section 3 is Determining BCM Strategy
Section 4 is Developing and Implementing BCM Response
Section 5 is Exercising, Maintaining & Reviewing BCM arrangements
Section 6 is Embedding BCM in the Organisation's Culture [10]
Beyond mitigating such stark risks, Business Continuity and Disaster Recovery Planning has evolved to provide true business value to organizations, even in the absence of disaster. The organizational diligence required to build a comprehensive BCP/DRP can pay many dividends, through the thorough understanding of key business processes, asset tracking, prudent backup and recovery strategies, and the use of standards. Mapping risk to key business processes can result in preventive risk measures taken in advance of any disaster, a process that may avoid future disasters entirely.
D. Recovery Time Objective (RTO)
4. Maximum Tolerable Downtime (MTD) is composed of which two metrics?
A. Recovery Point Objective (RPO) and Work Recovery Time (WRT)
B. Recovery Point Objective (RPO) and Mean Time to Repair (MTTR)
C. Recovery Time Objective (RTO) and Work Recovery Time (WRT)
D. Recovery Time Objective (RTO) and Mean Time to Repair (MTTR)
5. Which draft business continuity guideline ensures business continuity of the Information and Communications Technology (ICT) as part of the organization's Information Security Management System (ISMS)?
A. BCI
B. BS 7799
C. ISO/IEC 27031
D. NIST Special Publication 800-34
ANSWERS
1. Correct answer and explanation: B. Answer B is correct. Business Resumption Planning details the steps required to restore normal business operations after recovering from a disruptive event.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. Business Continuity Planning develops a long-term plan to ensure the continuity of business operations. The Continuity of Operations Plan describes the procedures required to maintain operations during a disaster. The Occupant Emergency Plan provides the response procedures for occupants of a facility in the event a situation poses a threat to the health and safety of personnel, the environment, or property.
2. Correct answer and explanation: C. Answer C is correct. The Mean Time to Repair (MTTR) describes how long it will take to recover a failed system. It is the best estimate for reconstituting the IT system so that business continuity may occur.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Minimum Operating Requirements describe the minimum environmental and connectivity requirements in order to operate computer equipment. Mean Time Between Failures quantifies how long a new or repaired system will run before failing. The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.
3. Correct answer and explanation: C. Answer C is correct. The Recovery Point Objective (RPO) is the moment in time in which data must be recovered and made available to users in order to resume business operations.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Mean Time Between Failures quantifies how long a new or repaired system will run before failing. Mean Time to Repair describes how long it will take to recover a failed system. Recovery Time Objective describes the maximum time allowed to recover business or IT systems.
4. Correct answer and explanation: C. Answer C is correct. The Recovery Time Objective (RTO, the time it takes to bring a failed system back online) and Work Recovery Time (WRT, the time required to configure a failed system) are used to calculate the Maximum Tolerable Downtime. RTO + WRT = MTD.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. Maximum Tolerable Downtime does not directly use Recovery Point Objective or Mean Time to Repair as metrics.
5. Correct answer and explanation: C. Answer C is correct. The ISO/IEC 27031 guideline ensures business continuity of the Information and Communications Technology (ICT) as part of the organization's Information Security Management System (ISMS).
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. BCI and NIST Special Publication 800-34 are business continuity frameworks, but do not match the terms in the question. BS 7799 is not BCP/DRP focused: it describes information security management best practices.
[1] Swanson, M., Wohl, A., Pope, L., Grance, T., Hash, J., Thomas, R. NIST SP 800-34 Contingency Planning Guide for Information Technology Systems.
[8] Understanding security risk management: Recovery time requirements. http://searchsecuritychannel.techtarget.com/generic/0,295582,sid97_gci1268749,00.html [accessed July 2, 2013].
[10] Business Continuity Management GOOD PRACTICE GUIDELINES 2008. http://www.calamityprevention.com/links/GPG_2008 [accessed July 2, 2013].
CHAPTER9
KEYWORDS
Civillaw;Criminallaw;Administrativelaw;Religiouslaw;Commonlaw;
Patent;Copyright;Trademark;TradeSecret;Entrapment;Enticement;Due
care;DueDiligence;Hearsay
SecurityandThirdParties
Ethics
Introduction
Thischapterwillintroducesomeofthebasicconceptsthatareimportantto
allinformationsecurityprofessionals.Theactualimplementationoflaws
surroundingintellectualproperty,privacy,reasonablesearches,andbreach
notication,tonameafew,willdieramongvariousregionsoftheworld,
buttheimportanceoftheseconceptsisstilluniversal.
Themostcommonofthemajorlegalsystemsiscivillaw,whichmany
countriesthroughouttheworldemploy.Thesystemofcivillawleverages
codiedlawsorstatutestodeterminewhatisconsideredwithinthebounds
oflaw.Thoughalegislativebranchtypicallywieldsthepowertocreatelaws,
therewillstillexistajudicialbranchthatistaskedwithinterpretationofthe
existinglaws.Themostsignicantdierencebetweencivilandcommonlaw
isthat,undercivillaw,judicialprecedentsandparticularcaserulingsdonot
carrytheweighttheydoundercommonlaw.
Common law
CommonlawisthelegalsystemusedintheUnitedStates,Canada,theUnited
Kingdom,andmostformerBritishcolonies,amongothers.Theprimary
distinguishingfeatureofcommonlawisthesignicantemphasison
particularcasesandjudicialprecedentsasdeterminantsoflaws.Though
thereistypicallyalsoalegislativebodytaskedwiththecreationofnew
statutesandlaws,judicialrulingscan,attimes,supersedethoselaws.
Becauseoftheemphasisonjudgesinterpretations,thereissignicant
possibilitythatassocietychangesovertime,sotoocanjudicial
interpretationschangeinkind.
Religious and customary law
Religiouslawservesasthethirdofthemajorlegalsystems.Religiousdoctrine
orinterpretationservesasasourceoflegalunderstandingandstatutes.While
Christianity,Judaism,andHinduismhaveallhadsignicantinuenceon
nationallegalsystems,Islamservesasthemostcommonsourceforreligious
legalsystems.ShariaisanexampleofIslamiclawthatusestheQuranand
Hadithasitsfoundation.
Customarylawreferstothosecustomsorpracticesthataresocommonly
acceptedbyagroupthatthecustomistreatedasalaw.Thesepracticescanbe
latercodiedaslawsinthemoretraditionalsense,buttheemphasison
prevailingacceptanceofagroupisquiteimportantwithrespecttothe
conceptofnegligence,which,inturn,isimportantininformationsecurity.
Criminallawpertainstothoselawswherethevictimcanbeseenassociety
itself.Whileitmightseemoddtoconsidersocietythevictimwhenan
individualismurdered,thegoalofcriminallawistopromoteandmaintain
anorderlyandlawabidingcitizenry.Criminallawcanincludepenaltiesthat
removeanindividualfromsocietybyincarcerationor,insomeextremecases
insomeregions,death.Thegoalsofcriminallawaretodetercrimeandto
punishoenders.
Duetotheseriousnessofpotentiallydeprivingsomeoneofeithertheir
freedomor,inthemostextremecases,hisorherlife,theburdenofproofin
criminalcasesisbeyondanyreasonabledoubt.
Civil law
In addition to civil law being a major legal system in the world, it also serves as a type of law within the common law legal system. Another term associated with civil law is tort law, which deals with injury, loosely defined, that results from someone violating their responsibility to provide a duty of care. Tort law is the primary component of civil law and is the most significant source of lawsuits seeking financial damages.
In the United States, the burden of proof in a criminal court is beyond a reasonable doubt, while the burden of proof in civil proceedings is the preponderance of the evidence. Preponderance means it is more likely than not. Satisfying the burden of proof requirement of the preponderance of the evidence in a civil matter is a much easier task than meeting the burden of proof requirement in criminal proceedings. The most common types of financial damages are presented in Table 9.1.
Table 9.1 Common Types of Financial Damages
Financial Damages: Description
Statutory: Statutory damages are those prescribed by law, which can be awarded to the victim even if the victim incurred no actual loss or injury.
Compensatory: Compensatory damages provide the victim with a financial award in an effort to compensate for the loss or injury incurred as a direct result of the wrongdoing.
Punitive: Punitive damages punish an individual or organization. These damages are typically awarded to attempt to discourage a particularly egregious violation where the compensatory or statutory damages alone would not act as a deterrent.
Administrative law
Administrative law or regulatory law is law enacted by government agencies. The executive branch (deriving from the Office of the President) enacts administrative law in the United States. Government-mandated compliance measures are administrative laws.
The executive branch can create administrative law without requiring input from the legislative branch, but the law must still operate within the confines of the civil and criminal code and can still come under scrutiny by the judicial branch. Some examples of administrative law are FCC regulations, HIPAA Security mandates, FDA regulations, and FAA regulations.
One aspect of the interaction of information security and the legal system is that of computer crimes. Applicable computer crime laws vary throughout the world, according to jurisdiction. However, regardless of region, some generalities exist.
Fast Facts
Computer crimes can be based upon the way in which computer systems relate to the wrongdoing: computer systems as targets and computer systems as a tool to perpetrate the crime.
Computer systems as target: Crimes where the computer systems serve as a primary target, such as: disrupting online commerce by means of Distributed Denial of Service attacks, installing malware on systems for the distribution of spam, or exploiting a vulnerability on a system to leverage it to store illegal content.
Computer as a tool: Crimes where the computer is a central component enabling the commission of the crime. Examples include: stealing trade secrets by compromising a database server, leveraging computers to steal cardholder data from payment systems, conducting computer-based reconnaissance to target an individual for information disclosure or espionage, and using computer systems for the purposes of harassment.
International cooperation
To date, the most significant progress toward international cooperation in computer crime policy is the Council of Europe Convention on Cybercrime. In addition to the treaty being signed and subsequently ratified by a majority of the 47 European member countries, the United States has also signed and ratified the treaty. The primary focus of the Convention on Cybercrime is establishing standards in cybercrime policy to promote international cooperation during the investigation and prosecution of cybercrime. Additional information on the Council of Europe Convention on Cybercrime can be found here: http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm.
Intellectual property
As opposed to physical or tangible property, intellectual property refers to intangible property that resulted from a creative act. The purpose of intellectual property law is to control the use of intangible property that can often be trivial to reproduce or abuse once made public or known. The following intellectual property concepts effectively create an exclusive monopoly on their use.
Trademark
Trademarks are associated with marketing: the purpose is to allow for the creation of a brand that distinguishes the source of products or services. A distinguishing name, logo, symbol, or image represents the most commonly trademarked items. In the United States, two different symbols are used with distinctive marks that an individual or organization is intending to protect. The superscript TM symbol can be used freely to indicate an unregistered mark and is shown in Figure 9.1. The circled R symbol is used with marks that have been formally registered as a trademark with the US Patent and Trademark Office and is shown in Figure 9.2.
FIGURE 9.1 Trademark symbol.
FIGURE 9.2 Registered trademark symbol.
Patent
Patents provide a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the patent holder's making the invention public. During the life of the patent, the patent holder can, through the use of civil litigation, exclude others from leveraging the patented invention. Obviously, in order for an invention to be patented, it should be novel and unique. The length that a patent is valid (the patent term) varies throughout the world and also by the type of invention being patented. Generally, in both Europe and the United States, the patent term is 20 years from the initial filing date.
Copyright
Copyright represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works and is typically denoted by the circled C symbol as shown in Figure 9.3. The purpose of copyright is to preclude unauthorized duplication, distribution, or modification of a creative work. Note that the form of expression is protected rather than the subject matter or ideas represented.
FIGURE 9.3 Copyright symbol.
Licenses
Software licenses are a contract between a provider of software and the consumer. Though there are licenses that provide explicit permission for the consumer to do virtually anything with the software, including modifying it for use in another commercial product, most commercial software licensing provides explicit limits on the use and distribution of the software. Software licenses such as end-user license agreements (EULAs) are an unusual form of contract because using the software typically constitutes contractual agreement, even though a small minority of users read the lengthy EULA.
Trade secrets
The final form of intellectual property that will be discussed is the concept of trade secrets. Trade secrets are business-proprietary information that is important to an organization's ability to compete. The organization must exercise due care and due diligence in the protection of their trade secrets. Some of the most common protection methods used are noncompete and nondisclosure agreements (NDA).
Import/export restrictions
Due to the successes of cryptography, many nations have limited the import and/or export of cryptosystems and associated cryptographic hardware. In some cases, countries would prefer their citizens to not have access to cryptosystems that their intelligence agencies cannot crack and therefore attempt to impose import restrictions on cryptographic technologies.
During the Cold War, CoCom, the Coordinating Committee for Multilateral Export Controls, was a multinational agreement to not export certain technologies, which included encryption, to many communist countries. After the Cold War, the Wassenaar Arrangement became the standard for export controls. This multinational agreement was far less restrictive than the former CoCom, but did still suggest significant restrictions on the export of cryptographic algorithms and technologies to countries not included in the Wassenaar Arrangement.
Evidence is one of the most important legal concepts for information security professionals to understand. Information security professionals are commonly involved in investigations and often have to obtain or handle evidence during the investigation.
Crunch Time
Real evidence consists of tangible or physical objects. A knife or bloody glove might constitute real evidence in some traditional criminal proceedings. Direct evidence is testimony provided by a witness regarding what the witness actually experienced with her five senses. Circumstantial evidence is evidence that serves to establish the circumstances related to particular points or even other evidence. Corroborative evidence provides additional support for a fact that might have been called into question. Hearsay evidence constitutes second-hand evidence. As opposed to direct evidence, which someone has witnessed with her five senses, hearsay evidence involves indirect information. Secondary evidence consists of copies of original documents and oral descriptions. Computer-generated logs and documents might also constitute secondary rather than best evidence.
Courts prefer the best evidence possible. Original documents are preferred over copies: conclusive tangible objects are preferred over oral testimony. Recall that the five desirable criteria for evidence suggest that, where possible, evidence should be: relevant, authentic, accurate, complete, and convincing. The best evidence rule prefers evidence that meets these criteria.
Evidence integrity
Evidence must be reliable. It is common during forensic and incident response investigations to analyze digital media. It is critical to maintain the integrity of the data during the course of its acquisition and analysis. Checksums can ensure that no data changes occurred as a result of the acquisition and analysis. One-way hash functions such as MD5 or SHA-1 are commonly used for this purpose. Chain of custody requires that, once evidence is acquired, full documentation regarding who, what, when, and where evidence was handled be maintained.
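The two controls just described, hashing the acquired data and keeping a who/what/when/where custody record, can be combined in a small script. The following is an added illustration, not code from the book: the evidence bytes, the analyst names, times and locations are all constructed, and SHA-256 is included alongside the MD5 and SHA-1 the text mentions as an assumed extra value.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-in for an acquired evidence file (a few "sectors" of bytes);
# in practice this would be the raw disk or memory image.
EVIDENCE_IMAGE = b"\x00" * 512 + b"constructed boot sector text" + b"\xff" * 256


def hash_evidence(data: bytes) -> dict:
    """Return one-way hashes of the acquired data.

    MD5 and SHA-1 are the algorithms the chapter names; SHA-256 is added
    here as an assumed, commonly recorded stronger companion value.
    """
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class ChainOfCustody:
    """Append-only custody log: who handled the evidence, what they did, when,
    and where, with the hashes re-computed at every hand-off so that any change
    since acquisition is visible in the record itself."""

    def __init__(self, evidence_id: str, acquired_data: bytes,
                 acquired_by: str, location: str, when: str):
        self.evidence_id = evidence_id
        # Baseline digests taken at acquisition; every later entry is compared to these.
        self.baseline = hash_evidence(acquired_data)
        self.entries: list = []
        self.record(acquired_by, "acquisition (binary image taken)",
                    location, acquired_data, when)

    def record(self, who: str, what: str, where: str, data: bytes,
               when: Optional[str] = None) -> bool:
        """Log one handling event; return True if the data still matches the baseline."""
        digests = hash_evidence(data)
        intact = digests == self.baseline
        self.entries.append({
            "evidence_id": self.evidence_id,
            "who": who,
            "what": what,
            "where": where,
            "when": when or datetime.now(timezone.utc).isoformat(),
            "digests": digests,
            "intact": intact,
        })
        return intact

    def verify(self) -> bool:
        """True only if every logged hand-off found the evidence unchanged."""
        return all(entry["intact"] for entry in self.entries)

    def export(self) -> str:
        """Serialize the log, e.g. to keep beside the image as the custody record."""
        return json.dumps(self.entries, indent=2)


if __name__ == "__main__":
    log = ChainOfCustody("EV-2013-001", EVIDENCE_IMAGE, "Analyst A",
                         "forensics lab, bench 2", "2013-05-22T09:00:00Z")
    # Analyst B works on a verified copy: hashes match, entry is marked intact.
    log.record("Analyst B", "media analysis on working copy",
               "forensics lab, bench 3", EVIDENCE_IMAGE, "2013-05-22T11:30:00Z")
    # A single flipped bit at a later hand-off is caught immediately.
    altered = bytearray(EVIDENCE_IMAGE)
    altered[600] ^= 0x01
    log.record("Analyst C", "transfer to counsel", "courier",
               bytes(altered), "2013-05-23T08:15:00Z")
    print(log.export())
    print("chain intact:", log.verify())
```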
Entrapment and enticement
Entrapment is when law enforcement, or an agent of law enforcement, persuades someone to commit a crime when the person otherwise had no intention to commit a crime. Enticement could still involve agents of law enforcement making the conditions for commission of a crime favorable, but the difference is that the person is determined to have already broken a law or is intent on doing so.
One of the unfortunate side effects of the explosion of information systems over the past few decades is the loss of privacy. As more and more data about individuals is used and stored by information systems, the likelihood of that data being either inadvertently disclosed, sold to a third party, or intentionally compromised by a malicious insider or third party increases.
European Union privacy
The European Union has taken an aggressive pro-privacy stance while balancing the needs of business. Commerce would be impacted if member nations had different regulations regarding the collection and use of personally identifiable information. The EU Data Protection Directive allows for the free flow of information while still maintaining consistent protections of each member nation's citizens' data.
Fast Facts
The principles of the EU Data Protection Directive are:
Notifying individuals how their personal data is collected and used
Allowing individuals to opt out of sharing their personal data with third parties
Requiring individuals to opt in to sharing the most sensitive personal data
Providing reasonable protections for personal data
The Organization for Economic Cooperation and Development (OECD), though often considered exclusively European, consists of 30 member nations from around the world. The members, in addition to prominent European countries, include such countries as the United States, Mexico, Australia, Japan, and the Czech Republic. The OECD provides a forum in which countries can focus on issues that impact the global economy. The OECD will routinely issue consensus recommendations that can serve as an impetus to change current policy and legislation in the OECD member countries and beyond.
In general, the OECD recommends the unfettered flow of information, albeit with notable legitimate exceptions to the free information flow. The most important exceptions to unfettered data transfer were identified in the Privacy and Transborder Flows of Personal Data. Five years after the privacy guidance, the OECD issued their Declaration on Transborder Data Flows, which further supported efforts to support unimpeded data flows.
EU-US Safe Harbor
An interesting aspect of the EU Data Protection Directive is that the personal data of EU citizens may not be transmitted, even when permitted by the individual, to countries outside of the EU unless the receiving country is perceived by the EU to adequately protect their data. This presents a challenge regarding the sharing of the data with the United States, which is perceived to have less stringent privacy protections. To help resolve this issue, the United States and European Union created the safe harbor framework that will give US-based organizations the benefit of authorized data sharing. In order to be part of the safe harbor, US organizations must voluntarily consent to data privacy principles that are consistent with the EU Data Protection Directive.
US Privacy Act of 1974
All governments have a wealth of personally identifiable information on their citizens. The Privacy Act of 1974 was created to codify protection of US citizens' data that is being used by the federal government. The Privacy Act defined guidelines regarding how US citizens' personally identifiable information would be used, collected, and distributed. An additional protection was that the Privacy Act provides individuals with access to the data being maintained related to them, with some national security-oriented exceptions.
US Computer Fraud and Abuse Act
Title 18 United States Code Section 1030, which is more commonly known as the Computer Fraud and Abuse Act, was originally drafted in 1984 but still serves as an important piece of legislation related to the prosecution of computer crimes. The law has been amended numerous times, most notably by the USA PATRIOT Act.
The goal of the Computer Fraud and Abuse Act was to develop a means of deterring and prosecuting acts that damaged federal interest computers. Federal interest computer includes government, critical infrastructure, or financial processing systems; the definition also referenced computers engaging in interstate commerce. With the ubiquity of Internet-based commerce, this definition can be used to justify almost any Internet-connected computer as being a protected computer. The Computer Fraud and Abuse Act criminalized actions involving intentional attacks against protected computers that resulted in aggregate damages of $5000 in 1 year.
USA PATRIOT Act
The USA PATRIOT Act of 2001 was passed in response to the attacks in the United States that took place on September 11, 2001. The full title is Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, but it is often simply called the Patriot Act. The main thrust of the Patriot Act that applies to information security professionals addresses less stringent oversight of law enforcement regarding data collection. Wiretaps have become broader in scope. Searches and seizures can be done without immediate notification to the person whose data or property might be getting seized.
FORENSICS
Digital forensics provides a formal approach to dealing with investigations and evidence with special consideration of the legal aspects of this process. The forensic process must preserve the crime scene and the evidence in order to prevent unintentionally violating the integrity of either the data or the data's environment. A primary goal of forensics is to prevent unintentional modification of the system. Live forensics includes taking a bit-by-bit, or binary, image of physical memory, gathering details about running processes, and gathering network connection data.
Forensic media analysis
In addition to the valuable data gathered during the live forensic capture, the main source of forensic data typically comes from binary images of secondary storage and portable storage devices such as hard disk drives, USB flash drives, CDs, DVDs, and possibly associated cellular phones and mp3 players.
Fast Facts
In order to understand the difference between a binary image and a normal backup, the investigator needs to understand the four types of data that exist.
Allocated space: portions of a disk partition that are marked as actively containing data.
Unallocated space: portions of a disk partition that do not contain active data. This includes memory that has never been allocated and previously allocated memory that has been marked unallocated. If a file is deleted, the portions of the disk that held the deleted file are marked as unallocated and available for use.
Slack space: data is stored in specific-size chunks known as clusters. A cluster is the minimum size that can be allocated by a file system. If a particular file, or final portion of a file, does not require the use of the entire cluster, then some extra space will exist within the cluster. This leftover space is known as slack space: it may contain old data or can be used intentionally by attackers to hide information.
Bad blocks/clusters/sectors: hard disks routinely end up with sectors that cannot be read due to a physical defect; these sectors are marked as bad and will be ignored by the operating system. Attackers could intentionally mark sectors or clusters as being bad in order to hide data within this portion of the disk.
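The four data types above, and why a binary image differs from a normal backup, can be seen on a toy cluster-based disk model. This is an added illustration written for this section, not code from the book; the cluster size, disk size, file names and contents are all constructed, and the model only mimics the allocation behavior the text describes.

```python
# Constructed toy disk: tiny clusters so that allocated, unallocated, slack and
# "bad" regions can be inspected byte by byte. Sizes are assumptions, not real values.
CLUSTER_SIZE = 8
NUM_CLUSTERS = 8


class ToyDisk:
    """Minimal cluster-based disk model for illustrating the four data types."""

    def __init__(self, cluster_size: int = CLUSTER_SIZE, num_clusters: int = NUM_CLUSTERS):
        self.cs = cluster_size
        self.raw = bytearray(cluster_size * num_clusters)  # every byte on the platter
        self.owner = [None] * num_clusters   # file name per cluster, None = unallocated
        self.bad = set()                     # clusters the OS has flagged and ignores
        self.files = {}                      # name -> (cluster list, logical size)

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // self.cs)    # ceiling division: clusters required
        free = [i for i, o in enumerate(self.owner) if o is None and i not in self.bad]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        for k, c in enumerate(clusters):
            chunk = data[k * self.cs:(k + 1) * self.cs]
            # Only the bytes the file needs are overwritten; the remainder of the
            # last cluster keeps whatever was there before (this becomes slack).
            self.raw[c * self.cs:c * self.cs + len(chunk)] = chunk
            self.owner[c] = name
        self.files[name] = (clusters, len(data))

    def read_file(self, name: str) -> bytes:
        clusters, size = self.files[name]
        data = b"".join(bytes(self.raw[c * self.cs:(c + 1) * self.cs]) for c in clusters)
        return data[:size]

    def delete_file(self, name: str) -> None:
        # Deletion only flips the allocation flags; the bytes stay on disk.
        clusters, _ = self.files.pop(name)
        for c in clusters:
            self.owner[c] = None

    def mark_bad(self, cluster: int) -> None:
        # The OS stops using a cluster flagged bad, but its bytes are still on the platter.
        self.bad.add(cluster)
        self.owner[cluster] = None

    # The four views an investigator needs to tell apart:

    def slack(self, name: str) -> bytes:
        """Bytes of the file's last cluster beyond the file's logical end."""
        clusters, size = self.files[name]
        last = clusters[-1]
        used = size - (len(clusters) - 1) * self.cs
        return bytes(self.raw[last * self.cs + used:(last + 1) * self.cs])

    def unallocated(self) -> bytes:
        """Clusters owned by no file and not flagged bad (deleted data lives here)."""
        return b"".join(bytes(self.raw[c * self.cs:(c + 1) * self.cs])
                        for c, o in enumerate(self.owner)
                        if o is None and c not in self.bad)

    def logical_backup(self) -> dict:
        """What a normal backup copies: active files only, at their logical length."""
        return {name: self.read_file(name) for name in self.files}

    def binary_image(self) -> bytes:
        """What a bit-by-bit image copies: every byte, regardless of allocation state."""
        return bytes(self.raw)


if __name__ == "__main__":
    disk = ToyDisk()
    disk.write_file("old.txt", b"OLDFILECONTENTS!")   # fills clusters 0 and 1 exactly
    disk.delete_file("old.txt")
    disk.write_file("new.txt", b"NEWDATA123456")      # 13 bytes: 3 old bytes remain as slack
    disk.write_file("note.txt", b"DELETEME")
    disk.delete_file("note.txt")                      # unallocated now, but still present
    print("slack of new.txt:", disk.slack("new.txt"))
    print("deleted data in unallocated space:", b"DELETEME" in disk.unallocated())
    print("deleted data in logical backup:",
          b"DELETEME" in b"".join(disk.logical_backup().values()))
    print("deleted data in binary image:", b"DELETEME" in disk.binary_image())
```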
Network forensics
Network forensics is the study of data in motion, with special focus on gathering evidence via a process that will support admission into court. This means the integrity of the data is paramount, as is the legality of the collection process. Network forensics is closely related to network intrusion detection: the difference is the former is legal-focused and the latter is operations-focused.
Embedded device forensics
One of the greatest challenges facing the field of digital forensics is the proliferation of consumer-grade electronic hardware and embedded devices. While forensic investigators have had decades to understand and develop tools and techniques to analyze magnetic disks, newer technologies such as Solid State Drives (SSDs) lack both forensic understanding and forensic tools capable of analysis.
Contracts are the primary control for ensuring security when dealing with third-party organizations providing services. The tremendous surge in outsourcing, especially the ongoing shift toward cloud services, has made contractual security measures much more prominent. While contractual language will vary, there are several common contracts or agreements that are used when attempting to ensure security when dealing with third-party organizations.
Service-Level Agreements
A common way of ensuring security is through the use of Service-Level Agreements or SLAs. The SLA identifies key expectations that the vendor is contractually required to meet. SLAs are widely used for general performance expectations but are increasingly leveraged for security purposes as well. SLAs primarily address availability.
Attestation
Information security attestation involves having a third-party organization review the practices of the service provider and make a statement about the security posture of the organization. The goal of the service provider is to provide evidence that they should be trusted. Typically, a third party provides attestation after performing an audit of the service provider against a known baseline.
Right to Penetration Test/Right to Audit
The Right to Penetration Test and Right to Audit documents provide the originating organization with written approval to perform their own testing or have a trusted provider perform the assessment on their behalf. Typically, there will be limitations on what the pen testers or auditors are allowed to use or target, but these should be clearly defined in advance.
Vendor governance
The goal of vendor governance is to ensure that the business is continually getting sufficient quality from its third-party providers. Professionals performing this function will often be employed at both the originating organization and the third party. Ultimately, the goal is to ensure that strategic partnerships between organizations continually provide the expected value.
ETHICS
Ethics is doing what is morally right. The Hippocratic Oath, taken by doctors, is an example of a code of ethics. Ethics is of paramount concern for information security professionals: we are often trusted with highly sensitive information, and our employers, clients, and customers must know that we will treat their information ethically.
The (ISC)2 Code of Ethics is the most testable code of ethics on the exam. That's fair: you cannot become a CISSP without agreeing to the Code of Ethics (among other steps); so it is reasonable to expect new CISSPs to understand what they are agreeing to. The (ISC)2 Code of Ethics is available at the following Web site: http://www.isc2.org/ethics/default.aspx.
The (ISC)2 Code of Ethics includes the preamble, canons, and guidance. The preamble is the introduction to the code. The canons are mandatory: you must follow them to become (and remain) a CISSP. The guidance is advisory (not mandatory): it provides supporting information for the canons.
The Code of Ethics preamble is quoted here: "Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this Code is a condition of certification."
The first, and therefore most important, canon of the (ISC)2 Code of Ethics requires the information security professional to protect society, the commonwealth, and the infrastructure. The focus of the first canon is on the public and their understanding and faith in information systems. Security professionals are charged with the promoting of safe security practices and bettering the security of systems and infrastructure for the public good.
The second canon in the (ISC)2 Code of Ethics charges information security professionals to act honorably, honestly, justly, responsibly, and legally. The (ISC)2 Code of Ethics suggests that priority be given to the jurisdiction in which services are being provided. Another point made by this canon is related to providing prudent advice and cautioning the security professional from unnecessarily promoting fear, uncertainty, and doubt.
The (ISC)2 Code of Ethics' third canon requires that security professionals provide diligent and competent service to principals. The focus of this canon is ensuring that the security professional provides quality service for which she is qualified and which maintains the value and confidentiality of information and the associated systems. An additional consideration is to ensure that the professional does not have a conflict of interest in providing quality services.
The fourth and final canon in the (ISC)2 Code of Ethics mandates that information security professionals advance and protect the profession. This canon requires that the security professionals maintain their skills and advance the skills and knowledge of others. Also, this canon requires that individuals ensure not to negatively impact the security profession by associating in a professional fashion with those who might harm the profession.
Did You Know?
The (ISC)2 Code of Ethics is highly testable, including applying the canons in order. You may be asked for the best ethical answer, when all answers are ethical, per the canons. In that case, choose the answer that is mentioned first in the canons. Also, the most ethical answer is usually the best: hold yourself to a very high ethical level on questions posed during the exam.
The Computer Ethics Institute provides their Ten Commandments of Computer Ethics as a code of computer ethics. The code is both short and fairly straightforward. Both the name and format are reminiscent of the Ten Commandments of Judaism, Christianity, and Islam, but there is nothing overtly religious in nature about the Computer Ethics Institute's Ten Commandments. The Computer Ethics Institute's Ten Commandments of Computer Ethics are:
1. Thou shalt not use a computer to harm other people.
2. Thou shalt not interfere with other people's computer work.
3. Thou shalt not snoop around in other people's computer files.
4. Thou shalt not use a computer to steal.
5. Thou shalt not use a computer to bear false witness.
6. Thou shalt not copy or use proprietary software for which you have not paid.
7. Thou shalt not use other people's computer resources without authorization or proper compensation.
8. Thou shalt not appropriate other people's intellectual output.
9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.
Much like the fundamental protocols of the Internet, the Internet Activities Board's (IAB) code of ethics, Ethics and the Internet, is defined in an RFC document. RFC 1087, Ethics and the Internet, was published in 1987 to present a policy relating to ethical behavior associated with the Internet. According to the IAB, the following practices would be considered unethical behavior if someone purposely:
Seeks to gain unauthorized access to the resources of the Internet;
Disrupts the intended use of the Internet;
Wastes resources (people, capacity, computer) through such actions;
Destroys the integrity of computer-based information;
Compromises the privacy of users.
centric world today. Maintaining the integrity of evidence, using hashing algorithms for digital evidence, and maintaining a provable chain of custody are vital.
Finally, the nature of information security and the inherent sensitivity therein make ethical frameworks an additional point requiring attention. This chapter presented the IAB's RFC on Ethics and the Internet, the Computer Ethics Institute's Ten Commandments of Computer Ethics, and the (ISC)2 Code of Ethics. The CISSP exam will, no doubt, emphasize the Code of Ethics proffered by (ISC)2, which presents an ordered set of four canons that attend to matters of the public, the individual's behavior, providing competent service, and the profession as a whole.
A. Patriot Act
B. Computer Fraud and Abuse Act
C. ECPA
D. Identity Theft Enforcement and Restitution Act
4. Which canon of the (ISC)2 Code of Ethics should be considered the most important?
A. Protect society, the commonwealth, and the infrastructure
B. Advance and protect the profession
C. Act honorably, honestly, justly, responsibly, and legally
D. Provide diligent and competent service to principals
5. Which principle requires that an organization's stakeholders act prudently in ensuring that the minimum safeguards are applied to the protection of corporate assets?
A. Due protection
B. Due process
C. Due diligence
D. Due care
ANSWERS
1. Correct answer and explanation: A. Answer A is correct; the US-EU Safe Harbor agreement provides a framework by which US companies can be considered safe for EU states and companies to share data with.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. The EU Privacy Harbor doctrine is simply a made-up answer choice. The other two options present legitimate US laws important to information security, but neither specifically addresses the issues regarding data sharing with the EU.
2. Correct answer and explanation: C. Answer C is correct; a binary backup utility is what is needed to ensure that every single bit on a hard drive is copied. Slack and unallocated space is needed for a forensically sound image.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect. The most viable, but incorrect, choice was A, disk imaging software. While some disk imaging software provides bit-by-bit backup capabilities, typical usage will only acquire allocated space. D, memory dumper, would apply to physical memory rather than a hard disk drive. B is just a made-up phrase that sounds legitimate.
3. Correct answer and explanation: B. Answer B is correct; the Computer Fraud and Abuse Act, penned in 1984, is still an important piece of legislation for the prosecution of computer crime. The Computer Fraud and Abuse Act defined protected computers, which were intended to be systems in which the federal government had a particular interest. The law set a bar of $5000 in damages during 1 year in order for the act to constitute a crime.
Incorrect answers and explanations: A, C, and D. Answers A, C, and D are incorrect. The Patriot Act lessened some of the restrictions on law enforcement related to electronic monitoring. ECPA is concerned with the wiretapping of electronic communications. The Identity Theft Enforcement and Restitution Act of 2008 amended the Computer Fraud and Abuse Act to make some of the considerations more modern.
4. Correct answer and explanation: A. Answer A is correct; to protect society, the commonwealth, and the infrastructure is the first canon and is thus the most important of the four canons of the (ISC)2 Code of Ethics.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect. The canons of the (ISC)2 Code of Ethics are presented in order of importance. The second canon requires the security professional to act honorably, honestly, justly, responsibly, and legally. The third mandates that professionals provide diligent and competent service to principals. The final, and therefore least important, canon wants professionals to advance and protect the profession.
5. Correct answer and explanation: D. Answer D is correct; due care provides a minimum standard of care that must be met. There are no explicit requirements that define what constitutes due care. Rather, due care requires acting in accord with what a prudent person would consider reasonable.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect. Due protection is a made-up phrase that has no legal standing. Due process is related to ensuring that defendants are treated fairly in legal proceedings with respect to their constitutional rights. Due diligence is the most closely related term to the correct answer, due care. However, due diligence has a focus on continually investigating business practices to ensure that due care is maintained.
1. (ISC)2 Code of Ethics. Available from http://www.isc2.org/ethics/default.aspx [accessed May 22, 2013].
2. Ibid.
3. Ibid.
4. Ibid.
5. Ibid.
6. Computer Ethics Institute, 1992. Ten Commandments of Computer Ethics. Available from http://computerethicsinstitute.org/publications/tencommandments.html [accessed May 22, 2013].
7. Internet Activities Board, 1989. RFC 1087 Ethics and the Internet. Available from http://tools.ietf.org/html/rfc1087 [accessed May 22, 2013].
CHAPTER 10
KEYWORDS
Mantrap; Bollard; Smart card; Tailgating; Degaussing; Destruction; Shredding; Montreal Accord
Introduction
Physical (environmental) security protects the confidentiality and integrity of physical assets: people, buildings, systems, and data. The CISSP exam considers human safety as the most critical concern of this domain, which trumps all other concerns.
PERIMETER DEFENSES
Perimeter defenses help prevent, detect, and correct unauthorized physical access. Buildings, like networks, should employ defense in depth. Any one defense may fail, so critical assets should be protected by multiple physical security controls, such as fences, doors, walls, locks, etc. The ideal perimeter defense is safe, prevents unauthorized ingress, and, when applicable, offers both authentication and accountability.
Fences
Fences may range from simple deterrents (such as 3 ft/1 m tall fencing) to preventive devices, such as an 8 ft (2.4 m) tall fence with barbed wire on top. Fences should be designed to steer ingress and egress to controlled points, such as exterior doors and gates.
Gates
Gates range in strength from ornamental (a class I gate designed to deter access) to a class IV gate designed to prevent a car from crashing through (such as gates at airports and prisons). For more information, see ASTM International's ASTM F2200 Standard Specification for Automated Vehicular Gate Construction at http://www.astm.org/Standards/F2200.htm.
Fast Facts
Here are the four classes of gates:
Class I: Residential (home use)
Class II: Commercial/General Access (parking garage)
Class III: Industrial/Limited Access (loading dock for 18-wheeler trucks)
Class IV: Restricted Access (airport or prison)
Bollards
A traffic bollard is a strong post designed to stop a car. The term derives from the short/strong posts (called mooring bollards) used to tie ships to piers when docked.
Lights
Lights can act as both a detective and deterrent control. Light should be bright enough to illuminate the desired field of vision (the area being protected). Types of lights include Fresnel; these are the same type of lights originally used in lighthouses, which used Fresnel lenses to aim light in a specific direction.
Light measurement terms include lumen, the amount of light one candle creates. Light was historically measured in foot-candles; one foot-candle is one lumen per square foot. Lux, based on the metric system, is more commonly used now: one lux is one lumen per square meter.
CCTV
Closed Circuit Television (CCTV) is a detective device used to aid guards in detecting the presence of intruders in restricted areas. CCTVs using the normal light spectrum require sufficient visibility to illuminate the field of view that is visible to the camera. Infrared devices can see in the dark by displaying heat. Older tube cameras are analog devices. Modern cameras use CCD (Charged Coupled Discharge), which is digital.
CCTV cameras may also have other typical camera features such as pan and tilt (moving horizontally and vertically).
Magnetic tape such as VHS is used to back up images from tube cameras. CCD cameras use DVR (Digital Video Recorder) or NVR (Network Video Recorder) for backups.
Locks
Locks are a preventive physical security control, used on doors and windows to prevent unauthorized physical access. Locks may be mechanical, such as key locks or combination locks, or electronic, which are often used with smart cards or magnetic stripe cards.
Key locks
Key locks require a physical key to unlock. Keys may be shared or sometimes copied, which lowers the accountability of key locks. A common type is the pin tumbler lock, which has two sets of pins: driver pins and key pins. The correct key makes the pins line up with the shear line, allowing the lock tumbler (plug) to turn.
Ward or warded locks must turn a key through channels (called wards); a skeleton key is designed to open varieties of warded locks.
Combination locks
Combination locks have dials that must be turned to specific numbers, in a specific order (alternating clockwise and counterclockwise turns) to unlock. Button or keypad locks also use numeric combinations. Limited accountability due to shared combinations is the primary security issue concerning these types of locks.
Smart cards and magnetic stripe cards
A smart card is a physical access control device that is often used for electronic locks, credit card purchases, or dual-factor authentication systems. Smart means the card contains a computer circuit.
Smart cards may be contact or contactless. Contact cards must be inserted into a smart card reader, while contactless cards are read wirelessly. One type of contactless card technology is Radio Frequency Identification (RFID). These cards contain RFID tags (also called transponders) that are read by RFID transceivers.
A magnetic stripe card contains a magnetic stripe that stores information. Unlike smart cards, magnetic stripe cards are passive devices that contain no circuits. These cards are sometimes called swipe cards: they are used by swiping through a card reader.
Tailgating/piggybacking
Tailgating (also known as piggybacking) occurs when an unauthorized person follows an authorized person into a building after the authorized person unlocks and opens the door. Policy should forbid employees from allowing tailgating, and security awareness efforts should describe this risk.
Mantraps and turnstiles
A mantrap is a preventive physical control with two doors. The first door must close and lock before the second door may be opened. Each door typically requires a separate form of authentication to open. The intruder is trapped between the doors after entering the mantrap.
Turnstiles are designed to prevent tailgating by enforcing a one-person-per-authentication rule, just as they do in subway systems.
Contraband checks
Contraband checks seek to identify objects that are prohibited to enter a secure area. These checks are often used to detect metals, weapons, or explosives. Contraband checks are casually thought to be a detective control, but their presence being known makes them also a deterrent to actual threats.
Motion detectors and other perimeter alarms
Ultrasonic and microwave motion detectors work like Doppler radar used to predict the weather. A wave of energy is sent out, and the echo is returned when it bounces off an object. The echo will be returned more quickly when a new object (such as a person walking in range of the sensor) reflects the wave.
A photoelectric motion sensor sends a beam of light across a monitored space to a photoelectric sensor. The sensor alerts when the light beam is broken.
Ultrasonic, microwave, and infrared motion sensors are active sensors, which means they actively send energy. A passive sensor can be thought of as a read-only device. An example is a passive infrared (PIR) sensor, which detects infrared energy created by body heat.
Doors and windows
Always consider the relative strengths and weaknesses of doors, windows, walls, floors, ceilings, etc. All should be equally strong from a defensive standpoint: attackers will target the weakest link in the chain and should not find a weak spot to exploit.
Egress must be unimpeded in case of emergency, so a simple push button or motion detectors are frequently used to allow egress. Externally facing emergency doors should be marked for emergency use only and equipped with panic bars. The use of a panic bar should trigger an alarm.
Glass windows are structurally weak and can be dangerous when shattered. Bulletproof or explosive-resistant glass can be used for secured areas. Wire mesh or security film can lower the danger of shattered glass and provide additional strength. Alternatives to glass windows include polycarbonate such as Lexan and acrylic such as Plexiglass.
Walls, floors, and ceilings
Walls around any internal secure perimeter such as a data center should be "slab to slab," meaning they should start at the floor slab and run to the ceiling slab. Raised floors and drop ceilings can obscure where the walls truly start and stop. An attacker should not be able to crawl under a wall that stops at the top of the raised floor or climb over a wall that stops at the drop ceiling.
Guards
Guards are a dynamic control that may be used in a variety of situations. Guards may aid in inspection of access credentials, monitor CCTVs, monitor environmental controls, respond to incidents, act as a deterrent (all things being equal, criminals are more likely to target an unguarded building over a guarded building), and much more.
Professional guards have attended advanced training and/or schooling; amateur guards (sometimes derogatively called "Mall Cops") have not. The term "pseudo guard" means an unarmed security guard.
Dogs
Dogs provide perimeter defense duties, guarding a rigid turf. They are often used in controlled areas, such as between the exterior building wall and a perimeter fence. The primary drawback to using dogs as a perimeter control is legal liability.
Site selection is the process of choosing a site to construct a building or data center.
Utility reliability
The reliability of local utilities is a critical concern for site selection purposes. Electrical outages are among the most common of all failures and disasters we experience. Uninterruptible Power Supplies (UPSs) will provide protection against electrical failure for a short period (usually hours or less). Generators provide longer protection but will require refueling in order to operate for extended periods.
Crime
Local crime rates also factor into site selection. The primary issue is employee safety: all employees have the right to a safe working environment. Additional issues include theft of company assets.
Site design and configuration issues
Once the site has been selected, a number of design decisions must be made. Will the site be externally marked as a data center? Is there shared tenancy in the building? Where is the telecom demarc (the telecom demarcation point)?
Site marking
Many data centers are not externally marked to avoid drawing attention to the facility (and the expensive contents within). Similar controls include attention-avoiding details such as muted building design.
Shared tenancy and adjacent buildings
Other tenants in a building can pose security issues: they are already behind the physical security perimeter. Their physical security controls will impact yours: a tenant's poor visitor security practices can endanger your security, for example.
Adjacent buildings pose a similar risk. Attackers can enter a less secure adjacent building and use that as a base to attack an adjacent building, often breaking in through a shared wall.
A crucial issue to consider in a building with shared tenancy is a shared demarc (the demarcation point, where the ISP's (Internet Service Provider) responsibility ends and the customer's begins). Access to the demarc allows attacks on the confidentiality, integrity, and availability of all circuits and the data flowing over them.
SYSTEM DEFENSES
System defenses are one of the last lines of defense in a defense-in-depth strategy. These defenses assume an attacker has physical access to a device or media containing sensitive information. In some cases, other controls may have failed and these controls are the final control protecting the data.
Asset tracking
Detailed asset tracking databases enhance physical security. You cannot protect your data unless you know where (and what) it is. Detailed asset tracking databases support regulatory compliance by identifying where all regulated data is within a system. In case of employee termination, the asset database will show exactly what equipment and data the employee must return to the company. Data such as serial numbers and model numbers is useful in cases of loss due to theft or disaster.
Port controls
Modern computers may contain multiple ports that may allow copying data to or from a system. Port controls are critical because large amounts of information can be placed on a device small enough to evade perimeter contraband checks. Ports can be physically disabled; examples include disabling ports on a system's motherboard, disconnecting internal wires that connect the port to the system, and physically obstructing the port itself.
Drive and tape encryption
Drive and tape encryption protects data at rest and is one of the few controls that will protect data after physical security has been breached. These controls are recommended for all mobile devices and media containing sensitive information that may physically leave a site or security zone. Whole disk encryption of mobile device hard drives is recommended.
Did You Know?
Many breach notification laws concerning Personally Identifiable Information (PII) contain exclusions for lost data that is encrypted.
All sensitive backup data should be stored offsite, whether transmitted offsite via networks or physically moved as backup media. Sites using backup media should follow strict procedures for rotating media offsite.
Media cleaning and destruction
All forms of media should be securely cleaned or destroyed before disposal to prevent object reuse, which is the act of recovering information from previously used objects, such as computer files. Objects may be physical (such as paper files in manila folders) or electronic (data on a hard drive).
Object reuse attacks range from nontechnical attacks such as dumpster diving (searching for information by rummaging through unsecured trash) to technical attacks such as recovering information from unallocated blocks on a disk drive.
Paper shredders
Paper shredders cut paper to prevent object reuse. Strip-cut shredders cut the paper into vertical strips. Cross-cut shredders are more secure than strip-cut and cut both vertically and horizontally, creating small paper confetti.
Overwriting
Overwriting writes over every character of a file or entire disk drive and is far more secure than deleting or formatting a disk drive. Common methods include writing all zeroes or writing random characters. Electronic shredding or wiping overwrites the file's data before removing the FAT entry.
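A toy disk image that makes the difference between deleting, reformatting and overwriting concrete. This is an added example written for this section, not code from the book: a small dictionary stands in for the FAT and a list of byte blocks stands in for the platters. It also shows the object-reuse attack mentioned under "Media cleaning and destruction" (carving unallocated blocks) from the defender's side, as a check that a disposal method actually removed the data. The block size, block count and the sample PII record are constructed values.

```python
from dataclasses import dataclass, field

BLOCK_SIZE = 16   # bytes per block (toy value)
NUM_BLOCKS = 8    # a very small disk


@dataclass
class ToyDisk:
    # file name -> block numbers; this table is the only thing a plain delete touches
    table: dict = field(default_factory=dict)
    blocks: list = field(
        default_factory=lambda: [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
    )

    def free_blocks(self):
        """Blocks not referenced by any table entry: the unallocated space."""
        used = {b for blocks in self.table.values() for b in blocks}
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write_file(self, name, data):
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self.free_blocks()
        if len(chunks) > len(free):
            raise OSError("disk full")
        allocated = free[:len(chunks)]
        for blk, chunk in zip(allocated, chunks):
            self.blocks[blk][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.table[name] = allocated

    def read_file(self, name):
        return b"".join(bytes(self.blocks[b]) for b in self.table[name]).rstrip(b"\x00")

    def delete_file(self, name):
        """Ordinary delete: drop the table entry, leave the blocks untouched."""
        del self.table[name]

    def reformat(self):
        """Quick reformat: replace the whole table with an empty one; blocks untouched."""
        self.table = {}

    def wipe_file(self, name, pattern=b"\x00"):
        """Electronic shredding: overwrite every block of the file, then remove the entry."""
        for b in self.table[name]:
            self.blocks[b][:] = (pattern * BLOCK_SIZE)[:BLOCK_SIZE]
        del self.table[name]

    def carve_unallocated(self):
        """What an object-reuse attempt sees: raw contents of the unallocated blocks."""
        return b"".join(bytes(self.blocks[b]) for b in self.free_blocks())


# Constructed sensitive record; any PII-shaped string would do.
SECRET = b"SSN 123-45-6789 (constructed sample)"


def residue_after(action):
    """Write SECRET, apply one disposal action, report whether it is still carvable."""
    disk = ToyDisk()
    disk.write_file("pii.txt", SECRET)
    assert disk.read_file("pii.txt") == SECRET
    action(disk)
    return b"123-45-6789" in disk.carve_unallocated()


def delete_leaves_residue():
    return residue_after(lambda d: d.delete_file("pii.txt"))


def reformat_leaves_residue():
    return residue_after(lambda d: d.reformat())


def wipe_leaves_residue():
    return residue_after(lambda d: d.wipe_file("pii.txt"))


if __name__ == "__main__":
    for label, fn in (("delete", delete_leaves_residue),
                      ("reformat", reformat_leaves_residue),
                      ("wipe", wipe_leaves_residue)):
        print(f"{label:9}->", "still recoverable" if fn() else "gone")
```

The carve step is the verification a practitioner wants after any sanitization procedure: on a real drive the same idea is a read-back of the raw device to confirm the pattern landed everywhere, which is the check that a plain delete or reformat never passes.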
Degaussing and destruction
Degaussing and destruction are controls used to prevent object reuse attacks against magnetic media such as magnetic tapes and disk drives.
Degaussing destroys the integrity of magnetic media such as tapes or disk drives by exposing them to a strong magnetic field, destroying the integrity of the media and the data it contains.
Destruction physically destroys the integrity of magnetic media by damaging or destroying the media itself, such as the platters of a disk drive. Destructive measures include incineration, pulverizing, and bathing metal components in acid.
ENVIRONMENTAL CONTROLS
Environmental controls are designed to provide a safe environment for personnel and equipment. Power, HVAC, and fire safety are considered environmental controls.
Electricity
Reliable electricity is critical for any data center and is one of the top priorities when selecting, building, and designing a site. Electrical faults involve short- and long-term interruption of power, as well as various cases of low and high voltage.
Crunch Time
The following are common types of electrical faults:
Blackout: prolonged loss of power
Brownout: prolonged low voltage
Fault: short loss of power
Surge: prolonged high voltage
Spike: temporary high voltage
Sag: temporary low voltage
Surge protectors protect equipment from damage due to electrical surges. They contain a circuit or fuse that is tripped during a power spike or surge, shorting the power or regulating it down to acceptable levels.
Uninterruptible Power Supplies (UPSs) provide temporary backup power in the event of a power outage. They may also clean the power, protecting against surges, spikes, and other forms of electrical faults.
Generators are designed to provide power for longer periods of time than UPSs and will run as long as fuel is available. Sufficient fuel should be stored onsite for the period the generator is expected to provide power. Refueling strategies should consider a disaster's effect on fuel supply and delivery.
HVAC
HVAC (heating, ventilation, and air conditioning) controls keep the air at a reasonable temperature and humidity. They operate in a closed loop, recirculating treated air. This helps reduce dust and other airborne contaminants. HVAC units should employ positive pressure and drainage.
Data center HVAC units are designed to maintain optimum temperature and humidity levels for computers. Humidity levels of 40 to 55% are recommended. A commonly recommended set point temperature range for a data center is 68 to 77 °F (20 to 25 °C).
Static and corrosion
Static is mitigated by maintaining proper humidity, grounding all circuits in a proper manner, and using antistatic sprays, wrist straps, and work surfaces. All personnel working with sensitive computer equipment such as boards, modules, or memory chips should ground themselves before performing any work.
High humidity levels can allow the water in the air to condense onto (and into) equipment, which may lead to corrosion. Both static and corrosion are mitigated by maintaining proper humidity levels.
Heat, flame, and smoke detectors
Heat detectors alert when temperature exceeds an established safe baseline. They may trigger when a specific temperature is exceeded or when temperature changes at a specific rate.
Smoke detectors work through two primary methods: ionization and photoelectric. Ionization-based smoke detectors contain a small radioactive source that creates a small electric charge. Photoelectric sensors work in a similar fashion, except that they contain an LED (Light Emitting Diode) and a photoelectric sensor that generates a small charge while receiving light. Both types of alarm alert when smoke interrupts the radioactivity or light, lowering or blocking the electric charge.
Flame detectors detect infrared or ultraviolet light emitted in fire. One drawback to this type of detection is that the detector usually requires line of sight to detect the flame; smoke detectors do not have this limitation.
Personnel safety, training, and awareness
Personnel safety is the number one goal of physical security. This includes the safety of personnel while onsite and off. Safety training provides a skill set such as learning to operate an emergency power system. Safety awareness changes user behavior ("Don't let anyone follow you into the building after you swipe your access card"). Both safety training and awareness are critical to ensure the success of a physical security program. You can never assume that average personnel will know what to do and how to do it: they must be trained and made aware.
Evacuation routes
Evacuation routes should be prominently posted, as they are in hotel rooms. All personnel should be advised of the quickest evacuation route from their areas. Guests should be advised of evacuation routes as well.
All sites should use a meeting point, where all personnel will meet in the event of emergency. Meeting points are critical: tragedies have occurred where a person outside the front of a building does not realize another is outside the back and reenters the building for attempted rescue.
Evacuation roles and procedures
The two primary evacuation roles are safety warden and meeting point leader. The safety warden ensures that all personnel safely evacuate the building in the event of an emergency or drill. The meeting point leader assures that all personnel are accounted for at the emergency meeting point. Personnel must follow emergency procedures and quickly follow the posted evacuation route in case of emergency or drill.
ABCD fires and suppression
The primary safety issue in case of fire is safe evacuation. Fire suppression systems are used to extinguish fires, and different types of fires require different suppressive agents. These systems are typically designed with personnel safety as the primary concern.
Classes of fire and suppression agents
Class A fires are common combustibles such as wood, paper, etc. This type of fire is the most common and should be extinguished with water or soda acid.
Class B fires are burning alcohol, oil, and other petroleum products such as gasoline. They are extinguished with gas or soda acid. You should never use water to extinguish a class B fire.
Class C fires are electrical fires that are fed by electricity and may occur in equipment or wiring. Electrical fires are conductive fires, and the extinguishing agent must be nonconductive, such as any type of gas. Many sources erroneously list soda acid as recommended for class C fires: this is incorrect, as soda acid can conduct electricity.
Class D fires are burning metals and are extinguished with dry powder.
Class K fires are kitchen fires, such as burning oil or grease. Wet chemicals are used to extinguish class K fires. Table 10.1 summarizes classes of fire and suppression agents.
Table 10.1 Classes of Fire and Suppression Agents
All fire suppression agents work via four methods (sometimes in combination): reducing the temperature of the fire, reducing the supply of oxygen, reducing the supply of fuel, and interfering with the chemical reaction within fire.
Water
Water suppresses fire by lowering the temperature below the kindling point (also called the ignition point). Water is the safest of all suppressive agents and recommended for extinguishing common combustible fires such as burning paper or wood. It is important to cut electrical power when extinguishing a fire with water to reduce the risk of electrocution.
Soda acid
Soda acid extinguishers use soda (sodium bicarbonate) mixed with water, with a glass vial of acid suspended at the top. In addition to suppressing fire by lowering temperature, soda acid also has additional suppressive properties beyond plain water: it creates foam that can float on the surface of some liquid fires, starving the oxygen supply.
Dry powder
Extinguishing a fire with dry powder (such as sodium chloride) works by lowering temperature and smothering the fire, starving it of oxygen. Dry powder is primarily used to extinguish metal fires. Flammable metals include sodium, magnesium, and many others.
Wet chemical
Wet chemicals are primarily used to extinguish kitchen fires (type K fires in the United States and type F in Europe) but may also be used on common combustible fires (type A). The chemical is usually potassium acetate mixed with water. This covers a grease or oil fire in a soapy film that lowers the temperature.
CO2
Fires require oxygen as fuel, so fires may be smothered by removing the oxygen: this is how CO2 fire suppression works. A risk associated with CO2 is that it is odorless and colorless, and our bodies will breathe it as air. By the time we begin suffocating due to lack of oxygen, it is often too late. This makes CO2 a dangerous suppressive agent, which is only recommended in unstaffed areas such as electrical substations.
Halon and Halon substitutes
Halon extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of the fire. Halon is being phased out, and a number of replacements with similar properties are now used.
Montreal Accord
Halon has ozone-depleting properties. Due to this effect, the 1989 Montreal Protocol (formally called the Montreal Protocol on Substances That Deplete the Ozone Layer) banned production and consumption of new Halon in developed countries by January 1, 1994. Existing Halon systems may be used. While new Halon is not being produced, recycled Halon may be used.
Fast Facts
Recommended replacements for Halon include the following systems:
Argon
FE-13
FM-200
Inergen
FE-13 is the newest of these agents and comparatively safe. It may be breathed in concentrations of up to 30%. Other Halon replacements are typically only safe up to 10 to 15% concentration.
Sprinkler systems
Wet pipes have water right up to the sprinkler heads: the pipes are "wet." The sprinkler head contains a metal (common in older sprinklers) or small glass bulb designed to melt or break at a specific temperature. Once that occurs, the sprinkler head opens and water flows. Each head will open independently as the trigger temperature is exceeded.
Dry pipe systems also have closed sprinkler heads: the difference is the pipes are filled with compressed air. The water is held back by a valve that remains closed as long as sufficient air pressure remains in the pipes. As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the valve to open and send water to that head.
Deluge systems are similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads. The pipes are empty at normal air pressure; the water is held back by a deluge valve. The valve is opened when a fire alarm (that may monitor smoke or flame sensors) triggers.
Preaction systems are a combination of wet, dry, or deluge systems and require two separate triggers to release water. Single interlock systems release water into the pipes when a fire alarm triggers. The water releases once the head opens. Double interlock systems use compressed air (same as dry pipes): the water will not fill the pipes until both the fire alarm triggers and the sprinkler head opens.
Portable fire extinguishers
All portable fire extinguishers should be marked with the type of fire they are designed to extinguish. Portable extinguishers should be small enough to be operated by any personnel who may need to use one.
Identifiable Information (PII). Which method for removing PII from the magnetic hard drives is considered best?
A. Overwrite every sector on each drive with zeroes
B. Delete sensitive files
C. Degauss and destroy
D. Reformat the drives
3. What is the primary type of security control offered by employing around-the-clock ingress contraband checks?
A. Preventive
B. Directive
C. Deterrent
D. Corrective
4. What should be true of the single point of entry door that provides access to an area of a business where trade secrets are maintained?
A. The door must be rated to provide an equivalent barrier to entrance as the walls.
B. The door ingress/egress must incorporate capabilities to account for all individuals entering/exiting.
C. The door must not have an easily bypassed locking mechanism due to accountability concerns.
D. The door must provide wholly unimpeded egress during any emergency conditions.
5. Which physical security component incorporates nonrepudiation?
A. Smart cards
B. Contraband checks
C. Turnstiles
D. Security guards
ANSWERS
1. Correct answer and explanation: A. Answer A is correct; class C fires are electrical fires ("C" for conductive). Soda acid contains water, which is an electrical conductor, and should not be used to extinguish a class C fire.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect; all are gases that will not conduct electricity. CO2 gas starves the fire of oxygen, and Inergen and FE-13 are Halon substitutes that chemically interrupt fire.
2. Correct answer and explanation: C. Answer C is correct; degaussing and destroying the hard drives is considered most secure. It offers high assurance that the data has been removed, and visual inspection of the destroyed drives provides assurance against errors made during the destruction process.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect; they all offer weaker protection against exposure of the PII on the drives. Overwriting the disk provides reasonable protection; however, errors made during the overwriting process will not be evident from visual inspection. Deleting sensitive files simply removes the File Allocation Table (FAT) entry; the data usually remains as unallocated space. Reformatting the drives replaces the entire FAT with a new one, but the old data usually remains as unallocated space.
3. Correct answer and explanation: C. Answer C is correct; deterrence is the primary type of control offered by contraband checks, of those listed. Contraband checks are casually thought to be a detective control, but their presence being known makes them also a deterrent to actual threats. Given that detective was not listed makes the answer easier.
Incorrect answers and explanations: A, B, and D. Answers A, B, and D are incorrect; none of these options are the primary type of control. The checks can lead to a preventive control being employed (assuming a threat is first detected); however, that is not their primary role. Contraband checks offer more than simply indicating expected behaviors, so they are not primarily directive. Though contraband checks can inform corrective actions, they are not themselves primarily a corrective control.
4. Correct answer and explanation: D. Answer D is correct; unimpeded egress during emergency conditions is critical. Remember that safety is the most important factor, even more important than the protection of trade secrets.
Incorrect answers and explanations: A, B, and C. Answers A, B, and C are incorrect; though each could prove useful from a physical security standpoint, safety is more important and therefore the best answer. Doors should provide a barrier to entry at least equivalent to that of walls. Given that trade secrets are maintained, accounting for all ingress and egress seems appropriate too. Doors also should not be easily bypassed.
5. Correct answer and explanation: A. Answer A is correct. Smart cards incorporate a chip that contains the private key portion of a public/private key pair and can be used to prove that one, and only that one person, could have performed specific actions.
Incorrect answers and explanations: B, C, and D. Answers B, C, and D are incorrect; they all do not allow for proving that a particular person carried out an action and therefore do not provide nonrepudiation. Contraband checks have little bearing on nonrepudiation. Turnstiles can help to fend off tailgating or piggybacking, which can help to ensure some simple accountability, but would not meet the level of nonrepudiation. Security guards have many uses, and their testimony can prove extremely valuable, but, again, they do not provide for technical nonrepudiation in the way that smart cards do.
walls,oors,andceilings,174
PermanentVirtualCircuit(PVC),30
PersonallyIdentiableInformation(PII), 1
Photoelectricmotionsensor,174
Physicallayer,25
Physical(environmental)security
environmentalcontrols
electricity,178
resuppressionsystems,See(Firesuppressionsystems)
amedetectors,179
heatdetectors,179
HVAC,178179
personnelsafety,179
safetyawareness,179
safetytraining,179
smokedetectors,179
perimeterdefenses
bollard,172
CCTV,172
contrabandchecks,174
dogs,175
doors,174
fences,171
gates,171172
glasswindows,174
guards,175
lights,172
locks,172173
magneticstripecard,173
mantrap,173
panicbars,174
passiveinfrared(PIR)sensor,174
photoelectricmotionsensor,174
smartcard,173
tailgating/piggybacking,173
turnstiles,173
ultrasonic/microwavemotiondetectors,174
walls,oors,andceilings,174
sitedesignandcongurationissues,175176
siteselectionissues,175
systemdefenses
assettracking,176
driveandtapeencryption,177
mediacleaninganddestruction,177178
mediastorageandtransportation,177
portcontrols,176
Piggybacking,173
Pipelining,9899
PortBasedNetworkAccessControl,3536
PowerOnSelfTest(POST),102
Preactionsystems,182183
Presentationlayer,26
Pre ygoodprivacy(PGP),91
Preventivecontrols,142143
Privacy
EuropeanUnion,162
EUUSsafeharbor,163
OECD,162163
PrivacyAct,163
PrivacyActof1974,163
PrivilegeA ributeCerticates(PACs),17
Processisolation,101
ProgrammableLogicDevice(PLD),102
ProgrammableReadOnlyMemory(PROM),102
Programmingconcepts
assemblylanguage,64
bytecode,64
compilers,64
interpreters,64
machinecode,6364
publiclyreleasedsoftware,64
sourcecode,6364
Proxyrewalls,33
Publickeyinfrastructure(PKI),89
Q
Qualitativeriskanalysis,51
Quantitativeriskanalysis,51
Querylanguage,71
R
RadioFrequencyIdentication(RFID),39,173
Rainbowtable, 6
Randomaccessmemory(RAM),100
Rapidapplicationdevelopment(RAD),65
ReadOnlyMemory(ROM),100
RealtimeTransportProtocol(RTP),37
Reciprocalagreement,144
RecoveryPointObjective(RPO),141142
Recoverystrategy
coldsite,144
hotsite,143
mobilesite,144
reciprocalagreement,144
redundantsite,143
warmsite,143
ReducedInstructionSetComputer(RISC),100
Redundantarrayofinexpensivedisks(RAID)
hammingcode,125
mirroredset,124
RAID1+0/RAID10,126
stripedset
withdedicatedparity,125
withdistributedparity,125126
withdualdistributedparity,126
readandwrite,124
Redundantsite,143
Religiouslaw,156
Remoteaccess
cablemodems,40
DSL,40
instantmessaging,4041
remotedesktopconsoleaccess,39
remotemeetingtechnology,41
RemoteAuthenticationDialInUserService(RADIUS), 6
RemoteDesktopProtocol(RDP),39
RemoteProcedureCalls(RPCs),2526
ReturnonInvestment(ROI),4950
Ringmodel,9697
Riskanalysis
ALE,48
ARO,48
assetvalue,4748
exposurefactor,48
SLE,48
assets,45
budgetandmetrics,50
impact,46
matrix,4647
qualitativeandquantitative,51
riskchoices
acceptance,50
avoidance,51
mitigating,51
transfer,51
riskmanagementprocess,5152
ROI,4950
TCO,4849
threatandvulnerability,46
RobustSecurityNetwork(RSN),38
Rolebasedaccesscontrol(RBAC), 4
Rootkits,106107
Routers,32
S
Securecommunications
authenticationprotocolsandframeworks,3536
desktopandapplicationvirtualization,3940
remoteaccess
cablemodems,40
DSL,40
instantmessaging,4041
remotedesktopconsoleaccess,39
remotemeetingtechnology,41
RFID,39
VoIP,37
VPN,36
WLANs,See(WirelessLocalAreaNetworks(WLANs))
SecureEuropeanSystemforApplicationsinamultivendorenvironment
(SESAME),17
Secure/MultipurposeInternetMailExtensions(S/MIME),91
SecureSocketsLayer(SSL),36,8990
Securityarchitectureanddesign
accesscontrolmatrix,111
BellLaPadulamodel,109110
Chinesewallmodel,111
evaluationmethods
accreditation,113114
certication,113114
InternationalCommonCriteria,113
ITSEC,112113
OrangeBook,112
PCIDSS,113
hardwarearchitecture
computerbus,97
CPU,See(Centralprocessingunit(CPU))
systemunitandmotherboard,97
integrity,110111
la icebasedaccesscontrol,110
memory
cachememory,100
DRAM,101
Firmware,102
hardwaresegmentation,101
processisolation,101
RAM,100
ROM,100
SRAM,101
virtualmemory,101
operatingsystemandsoftwarearchitecture
cloudcomputing,103104
gridcomputing,104
kernel,102103
peertopeer(P2P)network,105
thinclients,105
virtualization,103
securesystemdesign
abstraction,96
layering,9596
ringmodel,9697
securitydomain,96
systemthreats,vulnerabilities,andcountermeasures
bueroverows,105
covertchannel,105
databasesecurity,109
maintenanceHooks,106
maliciouscode/malware,106107
mobiledevicea acks,108109
TOCTOU/raceconditions,105
webarchitectureanda acks,107108
SecurityAssertionMarkupLanguage(SAML),108
Separationofduties,118
ServiceLevelAgreements(SLA),123,165
ServiceOrientedArchitecture(SOA),108
Shareware,64
Sidechannela acks,87
Simplexcommunication,24
Simulationtest,147
SingleLossExpectancy(SLE),48
SingleSignOn(SSO),16
Smartcard,173
Smokedetectors,179
Softwaredevelopmentsecurity
applicationdevelopmentmethod
agilesoftwaredevelopment,65
RAD,65
SDLC,6566
spiralmodel,65
waterfallmodel,65
CMM,7071
databases
candidatekeys,71
denition,71
employeetable,71
foreignkey,72
integrity,74
normalization,73
querylanguages,7374
referential,semantic,andentity,7273
replicationandshadowing,74
views,73
disclosure,70
OOP
concepts,6768
denition,66
ORBs,6869
programmingconcepts
assemblylanguage,64
bytecode,64
compilers,64
interpreters,64
machinecode,6364
publiclyreleasedsoftware,64
sourcecode,6364
softwarevulnerabilities,6970
Softwarelicenses,160
Spiralmodel,65
Statefulrewalls,3233
Staticpasswords, 9
StaticRandomAccessMemory(SRAM),101
SwitchedVirtualCircuit(SVC),30
Symmetricencryption
AES,83
BlowshandTwosh,83
chaining,80
DES,See(DataEncryptionStandard(DES))
IDEAalgorithm,82
initializationvectors,80
RC5andRC6,83
secretkey,79
streamandblockciphers,80
Synchronousdynamictokens,11
Systemdefenses
assettracking,176
driveandtapeencryption,177
mediacleaninganddestruction,177178
mediastorageandtransportation,177
portcontrols,176
Systemredundancy,127
Systemsdevelopmentlifecycle(SDLC),6566
T
Tabletop,147
Tailgating,173
Telecommunicationsandnetworksecurity
devicesandprotocols,See(Networkdevicesandprotocols)
networkarchitectureanddesign,See(Networkarchitectureanddesign)
securecommunications,See(Securecommunications)
Telnet,29
TenCommandmentsofComputerEthics,167168
TerminalAccessControllerAccessControlSystem(TACACS), 6
Thinclients,105
TimeofCheck/TimeofUse(TOCTOU),105
TotalCostofOwnership(TCO),4849
Trademark,159
Tradesecrets,160
TransmissionControlProtocol/InternetProtocol(TCP/IP),28
applicationlayer,27
hosttohosttransport,27
ICMP,28
internet,2627
IPv4,2728
IPv6,28
MACaddresses,27
networkaccesslayer,26
UDP,28
TransportLayer,25
TransportLayerSecurity(TLS),36,8990
Trojanhorse,106
Turnstiles,173
Type1authentication,911
Type2authentication,11
U
Ultrasonic/microwavemotiondetectors,174
UnshieldedTwistedPair(UTP),25
USAPATRIOTAct,163164
UserDatagramProtocol(UDP),28
V
Virtualization,103
Virtualmemory,101
VirtualNetworkComputing(VNC),39
VirtualPrivateNetworks(VPNs),36
VoiceoverInternetProtocol(VoIP),37
Vulnerabilitymanagement,122
Vulnerabilityscanning,18
W
Walkthroughdrill,147
Walls,perimeterdefenses,174
Warmsite,143
Waterfallmodel,65
Wetchemicals,181
WideAreaNetwork(WAN),30
WiFiProtectedAccess2(WPA2),38
WiredEquivalentPrivacy(WEP),38
WirelessLocalAreaNetworks(WLANs)
802.11abgn,3738
bluetooth,38
FHSS,DSSS,andOFDM,37
802.11i,38
WEP,38
WorkRecoveryTime(WRT),142
X
XML,SeeExtensibleMarkupLanguage(XML)
XOR,SeeExclusiveOr(XOR)
Z
Zerodayexploits,122
Zerodayvulnerabilities,122
Zeroknowledgetest,18