Some Quick Security Terms
Thanks to Ashok for these must know security terms!
But remember, the CISSP isn’t a test of memorization, it’s a test of concepts.
Read these terms, understand what they mean, and then try to visualize where they reside in the BIG picture of information security!
For more private and comprehensive notes, become a member:
Firewalls are specifically designed to control access between networks of different security or classification levels.
Block Cipher method called Confusion, the relationship between the plaintext and key are so complicated that the attacker can’t alter the plaintext in an attempt to determine the key used to encrypt the plaintext.
The computations involved in selecting keys and in enciphering data are complex, and are not practical for manual use. However, using mathematical properties of modular arithmetic and a method known as computing in Galois fields.
Digital envelope : A message encrypted with a secret key attached with the message. The secret key is encrypted with the public key of the receiver.
Media Viability Controls include marking, handling and storage.
load balancing/disk replication offers the highest availability, measured in terms of minutes of lost data or server downtime.
A Network-Attached Storage (NAS) or a Storage Area Network (SAN) solution combined with virtualization would offer an even higher availability.
For maximum security design, the use of double fencing with rolls of concertina wire positioned between the two fences is the most effective deterrent and cost-efficient method.
The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own.
Fail closed – A control failure that results all accesses blocked. Fail open – A control failure that results in all accesses permitted. Failover – A failure mode where, if a hardware or software failure is detected, the system automatically transfers processing to a hot backup component, such as a clustered server. Fail-safe – A failure mode where, if a hardware or software failure is detected, program execution is terminated, and the system is protected from compromise.
Fail-soft (or resilient) – A failure mode where, if a hardware or software failure is detected, certain, noncritical processing is terminated, and the computer or network continues to function in a degraded mode. Fault-tolerant – A system that continues to operate following failure of a computer or network component.
Electronic vaulting is defined as “a method of transferring bulk information to off-site facilities for backup purposes”.
Remote Journaling is the same concept as electronic vaulting, but has to do with journals and transaction logs, not the actual files.
Trusted paths provide trustworthy interfaces into privileged user functions and are intended to provide a way to ensure that any communications over that path cannot be intercepted or corrupted.
The five types of BCP testing
Checklist—Copies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests.
Structured Walk-through—Team members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors or assumptions.
Simulation—This is a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency.
Parallel—This is similar to simulation testing, but the primary site is uninterrupted and critical systems are run in parallel at the alternative and primary sites. The systems are then compared to ensure all systems are in sync.
Full interruption—This test involves all facets of the company in a response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including internal and external organizations, participate in the test. This test is the most detailed, time-consuming, and expensive all of these.
IT security practitioners are responsible for proper implementation of security requirements in their IT systems.
Evidence : The chain of custody of the evidence must show who collected, secured, controlled, handled, transported the evidence, and that it was not tampered with.
Computer-generated evidence normally falls under the category of hearsay evidence, or second-hand evidence, because it cannot be proven accurate and reliable. Under the U.S. Federal Rules of Evidence, hearsay evidence is generally not admissible in court.
Best evidence is original or primary evidence rather than a copy or duplicate of the evidence. It does not apply to computer-generated evidence. Direct evidence is oral testimony by witness.
Demonstrative evidence are used to aid the jury (models, illustrations, charts).
Natural (e.g., hurricane, tornado, flood and fire) human (e.g. operator error, sabotage, malicious code) technological (e.g. equipment failure, software error, telecommunications network outage, electric power failure).
TCSEC focused on confidentiality while ITSEC added integrity and availability as security goals.
RSA can be used for encryption, key exchange, and digital signatures.
The Computer Security Policy Model Orange Book is based on the Bell-LaPadula Model.
Preaction – most recommended water system for a computer room.
TCSEC – Developed by the National Computer Security Center (NCSC) for the US Department of Defense
Reference monitor refers to abstract machine that mediates all access to objects by subjects.
Accreditation is the authorization by management to implement software or systems in a production environment.
security domain is a domain of trust that shares a single security policy and single management.
Public Key Infrastructure (PKI) provides confidentiality, access control, integrity, authentication and non-repudiation.
Data owners have the ultimate responsibility for protecting data.
Clark-Wilson model – achieves data integrity through well-formed transactions and separation of duties
DES-EDE3 – most secure form of triple-DES encryption
RC4 is a proprietary, variable-key-length stream cipher invented by Ron Rivest for RSA Data Security, Inc.
Skipjack, IDEA and Blowfish are examples of block ciphers.
One-way hashing algorithm – SHA-1, MD2, HAVAL.
A security kernel is defined as the hardware, firmware and software elements of a trusted computing base that implement the reference monitor concept.
A reference monitor is a system component that enforces access controls on an object.
A protection domain consists of the execution and memory space assigned to each process.
The use of protection rings is a scheme that supports multiple protection domains.
Certification authority (CA) is a third party entity that issues digital certificates (especially X.509 certificates) and vouches for the binding between the data items in a certificate.
Crime prevention through Environmental Design (CPTED) is a concept that encourages individuals to feel ownership and respect for the territory they consider occupy.
Target of Evaluation (TOE) is the product or system that is the subject of the evaluation.
Elliptical Curve Cryptography (ECC) demands less computational power and, therefore offers more security per bit.
Intrusion Detection methodology are knowledge-based ID systems and behavior-based ID systems, sometimes referred to as signature-based ID and statistical anomaly-based ID, respectively.
RAID Hardware implementation uses its own Central Processing Unit (CPU) for calculations on an intelligent controller card.
Digital Envelope is used to send encrypted information using symmetric keys, and the relevant session key along with it i.e. You encrypt the data using the session key and then you encrypt the session key using the receiver’s public key CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
The Clark-Wilson model is an integrity model that addresses all three integrity goals:
1. prevent unauthorized users from making modifications,
2. prevent authorized users from making improper modifications, and
3. maintain internal and external consistency through auditing.
Transport Layer – responsible for reliable end-to-end data transfer between end systems.
Network Layer. – responsible for routing, switching, and subnetwork access across the entire OSI environment.
Data Link Layer – serial communications path between nodes or devices without any intermediate switching nodes.
Presentation Layer – layer that determines how application information is represented (i.e., encoded) while in transit between two end systems.
add-on security – “The retrofitting of protection mechanisms, implemented by hardware or software, after the [automatic data processing] system has become operational.”
Authenticity – A third party must be able to verify that the content of a message is from a specific entity and nobody else.
Non-repudiation – The origin or the receipt of a specific message must be verifiable by a third party. A person cannot deny having sent a message if the message is signed by the originator.
Accountability – The action of an entity must be uniquely traceable to that entity
Network availability – The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Power Excess Spike –> Too much voltage for a short period of time. Surge –> Too much voltage for a long period of time.
Power Loss Fault –> A momentary power outage. Blackout –> A long power interruption.
Power Degradation Sag or Dip –> A momentary low voltage. Brownout –> A prolonged power supply that is below normal voltage.
Media Storage Precautions
USB and portable hard drive- Avoid high temperature, humidity extremes and strong magnetic field
Tape Cartridges – Store Cartridges vertically, Store cartridges in a protective container for transport, Write-protect cartridges immediately
Hard Drive – Store hard drives in anti-static bags, and be sure that person removing them from bag is static free, If the original box and padding for the hard drive is available, use it for shipping, If the hard drive has been in a cold environment, bring it to room temperature prior to installing and using it.
Network Based IDS
They identify attack within the monitored network and issue a warning to the operator. If a network based IDS is placed between the Internet and the firewall, it will detect all the attack attempts whether or not they enter the firewall
Host Based IDS
They are configured for a specific environment and will monitor various internal resources of the operating system to warn of a possible attack. They can detect the modification of executable programs, detect the detection of files and issue a warning when an attempt is made to use a privilege account.
Types of IDS includes
Signature Based IDS – These IDS system protect against detected intrusion patterns. The intrusive pattern they can identify are stored in the form of signature. Statistical Based IDS – These system need a comprehensive definition of the known and expected behavior of system Neural Network – An IDS with this feature monitors the general patterns of activity and traffic on the network, and create a database. This is similar to statistical model but with added self-learning functionality
IDS will not address
Weakness in the policy definition Application-level vulnerability Backdoor within application Weakness in identification and authentication schemes
Look for sequences of bit called signature that are typical malware programs.
1. Malware mask or Signatures – Anti-malware scanners check files, sectors and system memory for known and new (unknown to scanner) malware, on the basis of malware malware masks or signatures. Malware masks or signature are specific code strings that are recognized as belonging to malware. For polymorphic malware, the scanner sometimes has algorithms that check for all possible combinations of a signature that could exist in an infected file. 2. Heuristic Scanner – Analyzes the instructions in the code being scanned and decide on the basis of statistical probabilities whether it could contain malicious code. Heuristic scanning result could indicate that malware may be present, that is possibly infected. Heuristic scanner tend to generate a high level false positive errors ( they indicate that malware may be present when, in fact, no malware is present)
Scanner examines memory disk- boot sector, executables, data files, and command files for bit pattern that match a known malware. Scanners, therefore, need to be updated periodically to remain effective.
Different kinds of malware Controls
A. Active Monitors – Active monitors interpret DOS and read-only memory (ROM) BIOS calls, looking for malware like actions. Active monitors can be problematic because they can not distinguish between a user request and a program or a malware request. As a result, users are asked to confirm actions, including formatting a disk or deleting a file or set of files.
B. Immunizers – Defend against malware by appending sections of themselves to files – sometime in the same way Malware append themselves. Immunizers continuously check a file for changes and report changes as possible malware behavior. Other type of Immunizers are focused to a specific malware and work by giving the malware the impression that the malware has already infected to the computer. This method is not always practical since it is not possible to immunize file against all known malware.
C. Behavior Blocker – Focus on detecting potential abnormal behavior such as writing to the boot sector or the master boot record, or making changes to executable files. Blockers can potentially detect malware at an early stage. Most hardware based anti-malware mechanism are based on this concept.
D. Integrity CRC checker – Compute a binary number on a known malware free program that is then stored in a database file. The number is called Cyclic Redundancy Check (CRC). On subsequent scans, when that program is called to execute, it checks for changes to the file as compare to the database and report possible infection if changes have occurred. A match means no infection; a mismatch means change in the program has occurred. A change in the program could mean malware within it. These scanners are effective in detecting infection; however they can do so only after infection has occurred. Also, a CRC checker can only detect subsequent changes to files, because they assume files are malware free in the first place. Therefore, they are ineffective against new files that are malware infected and that are not recorded in the database. Integrity checker take advantage of the fact that executable programs and boot sectors do not change often, if at all.
key elements of computer forensics during audit planning.
Data Protection – To prevent sought-after information from being altered, all measures must be in place. It is important to establish specific protocol to inform appropriate parties that electronic evidence will be sought and not destroy it by any means.
Data Acquisition – All information and data required should transferred into a controlled location; this includes all types of electronic media such as fixed disk drives and removable media. Each device must be checked to ensure that it is write protected. This may be achieved by using a device known as write blocker.
Imaging – The Imaging is a process that allows one to obtain bit-for bit copy of a data to avoid damage of original data or information when multiple analyses may be performed. The imaging process is made to obtain residual data, such as deleted files, fragments of deleted files and other information present, from the disk for analysis. This is possible because imaging duplicates the disk surface, sector by sector.
Extraction – This process consist of identification and selection of data from the imaged data set. This process should include standards of quality, integrity and reliability. The extraction process includes software used and media where an image was made. The extraction process could include different sources such as system logs, firewall logs, audit trails and network management information.
Interrogation – Integration is used to obtain prior indicators or relationships, including telephone numbers, IP addresses, and names of individuals from extracted data.
Investigation/ Normalization – This process converts the information extracted to a format that can be understood by investigator. It includes conversion of hexadecimal or binary data into readable characters or a format suitable for data analysis tool.
Reporting – The information obtained from computer forensic has limited value when it is not collected and reported in proper way. When an IS auditor writes report, he/she must include why the system was reviewed, how the computer data were reviewed and what conclusion were made from analysis.
The report should achieve the following goals – Accurately describes the details of an incident. – Be understandable to decision makers. – Be able to withstand a barrage of legal security – Be unambiguous and not open to misinterpretation. – Be easily referenced – Contains all information required to explain conclusions reached – Offer valid conclusions, opinions or recommendations when needed – Be created in timely manner.