97 terms

Review Notes - CO212

Chapter 6 - 10
Processing modes: Packet filtering firewalls
scan network data packets looking for compliance with or violations of the rules in the firewall's database. The restrictions most commonly implemented are based on a combination of:
• IP source and destination address
• Direction (inbound/outbound)
• TCP and UDP source and destination ports
Processing modes: Stateful firewalls
keep track of each network connection between internal and external systems and look for patterns that indicate attacks and intrusions.
Processing modes: Circuit gateway firewalls
prevent direct connections between one network and another. They instead create a tunnel connecting specific processes or systems on each side of the firewall and then allow only authorized traffic in these tunnels. An example would be a telnet session; once it is established, data flows through.
Processing modes: MAC layer firewalls
operate at the media access control sublayer of the data link layer of the OSI network model and use the Network Interface Card (NIC) address in their filtering decisions.
Processing modes: Hybrid firewalls
combine elements of other types of firewalls.
Processing modes: Application gateways
(application-level firewall or application firewall), also known as a proxy server, processes requests to the actual server, thus shielding it from direct access from the untrusted network. It is often placed in an unsecured area of the network or in the demilitarized zone (DMZ).
Firewall Architectures: PSDSS
• Packet Filtering Routers
• Screened Host Firewalls - configured with a bastion host
• Dual-Homed Host Firewalls - uses NAT
• Screened Subnet Firewalls (with DMZ) - dominant architecture used today
• SOCKS Servers
Best Practices for Firewalls: 7 THINGS
• All traffic from the trusted network is allowed out.
• The firewall device is never directly accessible from the public network for configuration or management purposes.
• Simple Mail Transport Protocol (SMTP) data is allowed to enter through the firewall, but is routed to a well-configured SMTP gateway.
• All Internet Control Message Protocol (ICMP) data should be denied (i.e., pings).
• Telnet (terminal emulation) access to all internal servers from the public networks should be
• When Web services are offered outside the firewall, HTTP traffic should be blocked from your internal networks through the use of some form of proxy access or DMZ architecture.
• All data that is not verifiably authentic should be denied.
virtual private network (VPN)
is a private and secure network connection between systems that uses the data communication capability of an unsecure and public network.
VPNs operate in 2 MODES
VPNs operate in one of two modes, transport mode and tunnel mode.
1 Transport mode - the data within an IP packet is encrypted, but the header information is not.
2 Tunnel mode - the organization establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecure network. In tunnel mode, the entire client packet is encrypted and added as the data portion of a packet from one tunnel server to another.
intrusion (ATTACKS)
occurs when an attacker attempts to gain entry or disrupt the normal operations of an information system.
false attack stimulus (ATTACKS)
is an event that triggers an alarm when no actual attack is in progress.
false positive (ATTACKS)
is an alert or alarm that occurs in the absence of an attack.
false negative (ATTACKS)
is the failure of an Intrusion Detection/Prevention System (IDPS) to react to an actual attack event.
Noise (ATTACKS)
consists of alarm events that are accurate and noteworthy but that do not pose a significant threat to an information system.
Confidence value (ATTACKS)
is the value placed upon an IDPS's ability to correctly detect and identify certain types of attacks.
Preambles of an attack (ATTACKS)
The attacker will form an initial estimate of the defenses of a system by a series of probes referred to as doorknob rattling.
doorknob rattling (ATTACKS)
The attacker will form an initial estimate of the defenses of a system by a series of probes.
footprinting (ATTACKS)
The first activity will be _________, which involves gathering information about the organization and its network activities and assets.
fingerprinting (ATTACKS)
Another set of activities is known as ____________. This involves scanning network locales for active systems, and then identifying the network services offered by the host systems on the network.
Host-based (HIDPS) (Two types of IDPS Systems:)
system protects the server or host's information assets. It resides on a particular computer or server and monitors activity only on that system. This is accomplished by benchmarking and monitoring the status of key system files, detecting when an intruder creates, modifies or deletes monitored files.
Network-based (NIDPS) (Two types of IDPS Systems:)
system resides on a computer or appliance connected to a segment of an organization's network and monitors network traffic on that network segment, looking for indications of ongoing or successful attacks. This is accomplished by comparing the traffic with known attack signatures in the NIDPS's signature database.
Signature-Based IDPS (IDPS Detection methods:)
(knowledge-based IDPS or misuse-detection IDPS) examines network traffic in search of patterns that match known signatures.
Statistical Anomaly-Based IDPS (IDPS Detection methods:)
(stat IDPS or behavior-based IDPS) collects statistical summaries by observing traffic that is known to be normal, creating a baseline. Future traffic is compared against the baseline.
Stateful Protocol Analysis IDPS (IDPS Detection methods:)
tracks each network connection between internal and external systems using a state table, searching for deviations from generally accepted definitions of benign activity.
Log File Monitors (IDPS Detection methods:)
review log files generated by servers, network devices and other IDPSs, looking for patterns and signatures which may indicate an attack or intrusion is in process or has already occurred.
Intrusion Detection / Prevention Service
Selecting IDPS Approaches and Products: 3 THINGS
• Technical and Policy Considerations - In determining which IDPS best meets an organization's needs, first consider the organizational environment, in technical, physical, and political terms.
• Organizational Requirements and Constraints - Your organization's operational goals, constraints, and culture will affect the selection of IDPS and other security tools and
• IDPS Product Features and Quality Questions - is the product scalable, how has the product been tested, what user level of expertise is required, is the product designed to evolve with the organization, what are the support provisions for the product?
Honey Pots
decoy systems
Honey Nets
(collection of honey pots)
Padded Cell Systems
(a honey pot that has been protected so that it cannot be easily compromised)
Honey Nets, Honey Pots, Padded Cell Systems are used to: 3 THINGS DCE
• Divert an attacker from critical systems
• Collect information about the attacker's activity
• Encourage the attacker to stay on the system long enough for administrators to document the event and, perhaps, respond
Operating System Detection Tools
use the way that operating systems respond to network requests (ICMP in particular, but other protocols also) to determine which operating systems are on the network.
Active Vulnerability Scanners
initiate traffic on a network in order to determine highly detailed information, which includes the hosts available and the services (ports) they are offering, operating system and version, and types of packet filters and firewalls in use.
Passive Vulnerability Scanners
listen in on a network and determine vulnerable versions of both server and client software.
Packet Sniffer
(network protocol analyzer) is a network tool that collects copies of packets from the network and analyzes them.
ICMP
Internet Control Message Protocol
Authentication
is the validation of a supplicant's identity. Methods of authentication:
Authentication: what / who
• What a supplicant knows: for example, user ID, password, passphrase
• What a supplicant has: for example, tokens, smart cards
• Who a supplicant is: for example, fingerprints, face recognition, retinal and iris recognition
• What a supplicant produces: voice and signature pattern recognition
Encryption
is the process of converting an original message (plaintext) into a form that is unreadable to unauthorized individuals (ciphertext).
Decryption
is the process of converting a ciphertext message back into plaintext so that it can be readily understood.
Algorithm
is the programmatic steps used to convert an unencrypted message into an encrypted message and vice versa.
A Key
(or cryptovariable) is the information used in conjunction with an algorithm to create the ciphertext from the plaintext or vice versa.
Substitution ciphers (Cipher Methods:)
replace (or substitute) one value for another. Various methods include monoalphabetic substitution (e.g., Orphan Annie Decoder) and polyalphabetic substitution (e.g., Vigenere cipher).
Transposition cipher (Cipher Methods:)
(or permutation cipher) simply rearranges the values within a block to create the ciphertext.
Exclusive OR (XOR) (Cipher Methods:)
is a function of Boolean algebra which operates on the bit level to create the ciphertext.
Hash functions
are mathematical algorithms that generate a message summary or digest (or fingerprint) to confirm the identity of a specific message and to confirm that there have not been any changes to the content. Hash functions are considered one-way operations in that the same message always produces the same hash value, but the hash value cannot be used to determine the contents of the message.
Hash algorithms
are public functions that create a hash value, also known as a message digest, by converting variable-length messages into a single fixed-length value.
a message authentication code (MAC)
a key-dependent, one-way hash function that allows only specific recipients (symmetric key holders) to access the message digest. Hashing functions do not typically require the use of keys.
private key encryption
Encryption methodologies that require the same secret key to encipher and decipher the message are using what is called private key encryption or symmetric encryption.
Examples of symmetric encryption
are Data Encryption Standard (DES), Triple DES (3DES) and Advanced Encryption Standard.
Asymmetric encryption (or public-key encryption)
uses two different but related keys; either key can be used to encrypt or decrypt the message. However, if key A is used to encrypt the message, key B must be used to decrypt it, and vice versa. The first (1977) and one of the most popular public key cryptosystems is RSA, named for the algorithm's developers Rivest, Shamir and Adleman.
Public-key Infrastructure (PKI)
is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services that enables users to communicate securely.
Digital Certificates (PKI)
are public-key container files that allow computer programs to validate the key and the identity to whom it belongs.
certificate authority (CA) (PKI)
issues, manages, authenticates, signs, and revokes users' digital
registration authority (RA) (PKI)
operates under the trusted collaboration of the certificate authority and can handle day-to-day certification functions.
Certificate directories (PKI)
are central locations for certificate storage that provide a single access point for administration and distribution.
Management protocols (PKI)
organize and manage the communications between CAs, RAs, and end
Policies and procedures (PKI)
assist an organization in the application and management of certificates, the formalization of legal liabilities and limitations, and actual business use.
Digital signatures (PKI)
are encrypted messages that can be mathematically proven authentic. They are used to verify that a message was sent by the sender and cannot be refuted (non-repudiation).
asymmetric key encryption
Except in digital certificates, asymmetric key encryption in its pure form is not widely used, but it is often used in conjunction with symmetric key encryption as part of a hybrid encryption system.
common hybrid system
Diffie-Hellman Key Exchange method, which is a method for exchanging private keys using public key encryption.
Secure internet communication uses
Secure Sockets Layer (SSL) protocol and Secure-HTTP (S-HTTP), an extended version of Hypertext Transfer Protocol that provides for encryption.
Secure E-mail uses TWO THINGS
Secure Multipurpose Internet Mail Extensions (S/MIME), Privacy Enhanced Mail (PEM) or Pretty Good Privacy (PGP) to encrypt email or to verify the contents of a plaintext email message using a hash function and public key.
Man-in-the-Middle (Attacks on Cryptosystems:)
attack attempts to intercept a public key or even to insert a known key structure in place of the requested public key.
Correlation attack (Attacks on Cryptosystems:)
is a collection of brute-force methods that attempt to deduce statistical relationships between the structure of the unknown key and the ciphertext generated by the
dictionary attack (Attacks on Cryptosystems:)
the attacker encrypts every word in a dictionary using the same cryptosystem as used by the target in an attempt to locate a match between the target ciphertext and the list of encrypted words. Used primarily to determine passwords from a hashed
timing attack (Attacks on Cryptosystems:)
the attacker eavesdrops on the victim's session and uses statistical analysis of patterns and inter-keystroke timings to discern sensitive session information.
Physical security
requires the design, implementation, and maintenance of countermeasures that protect the physical resources of an organization.
Physical security controls: 10 THINGS WGDILMEACI
• Walls, fencing, and gates - control access to the external perimeter
• Guards - have the ability to apply human reasoning using standard operating procedures (SOPs) in unfamiliar situations
• Dogs - using their keen sense of smell and hearing can detect intrusions that human guards
• ID cards and badges - used to authenticate access through biometrics, magnetic strips or radio chips. An inherent weakness of this method of access control is the human factor: tailgating occurs when an authorized individual presents a key to open a door, and other individuals, who may or may not be authorized, also enter.
• Lock and keys - includes mechanical locks, electro-mechanical locks, manual locks, electronic locks, proximity readers (a specialized type of keycard reader which allows individuals to simply carry their cards within the lock's range of recognition), biometric locks (uses fingerprint, retina or iris scans, etc. as keys)
Review Notes - Principles of Information Security - Whitman and Mattord
• Mantraps - small enclosure that has separate entry and exit points
• Electronic monitoring - includes closed-circuit television (CCT)
• Alarms and alarm systems - motion detectors, thermal detectors, contact and weight sensors and vibration sensors
• Computer room and wiring closets - require special attention to ensure the confidentiality, integrity, and availability of information
• Interior walls and doors - include firewalls to retard the spread of fires and limit unauthorized access by climbing over an interior wall through the space between the top of a normal interior wall and the top of the storey (i.e., the plenum).
Fail-safe lock -
if the door lock fails, the door becomes unlocked.
Fail-secure lock -
if the door lock fails, the door remains locked.
Manual fire detection (FIRE)
systems include human responses, such as calling the fire department, manually activating alarms and manually activating fire suppression systems.
Thermal detection (FIRE)
uses a fixed-temperature method, which is activated when a target temperature is detected, or a rate-of-rise method, where the sensor detects a rapid rate of temperature increase.
Smoke detection (FIRE)
uses photoelectric sensors, ionization sensors or air-aspirating detectors.
Flame detector (FIRE)
detects infrared or ultraviolet light produced by an open flame. Compares the flame light signature detected to a database of known flame light signatures.
Sprinkler systems (FIRE)
include:
• wet-pipe systems, which contain pressurized water in all pipes and have some form of valve in each protected area;
• dry-pipe systems, which contain pressurized air in the pipes, keeping the water away from the equipment until deployed, when water then flows through the pipes;
• deluge systems, where all sprinkler heads are kept open;
• pre-action systems, which keep the pipes empty and have a two-phased approach: the first phase fills the system with water and the second phase acts the same as a wet-pipe system;
• water mist sprinklers, which are the newest form of sprinkler and create an ultra-fine mist instead of the traditional shower-type system and lower the ambient
Gaseous emission systems (FIRE)
can be self-pressurizing or must be pressurized with an additional agent. Until recently only two gases were used, carbon dioxide and Halon. However, Halon has been found to be detrimental to the ozone layer and has been replaced by various alternatives.
Heating, Ventilation and Air Conditioning: 3 THINGS
• The optimum temperature for a computing environment (and for people) is between 70 and 74 degrees Fahrenheit. Temperatures that are too cold can damage computer media. Temperatures that are too hot can cause damage to the electronics.
• High humidity can cause damage due to condensation. Low humidity can increase the amount of static electricity. Electrostatic discharge (ESD) can cause two types of damage: immediate failures, which are usually totally destructive, and latent failures, which can occur weeks or months later.
• If the ventilation shafts are large enough for a person to crawl through, wire mesh grids should be placed at various points to compartmentalize the runs.
Power Management and Conditioning:
• Grounding ensures that the returning flow of current is properly discharged to the ground. All electrical circuits should be properly grounded. In addition, in areas where water can accumulate, circuits must be uniquely grounded using ground fault circuit interruption (GFCI) equipment.
• Uninterruptible Power Supply (UPS) assures the delivery of electric power without interruption. Various methods can be used; these include standby or offline UPS, ferroresonant standby UPS, line-interactive UPS, and true online UPS.
• Computer rooms and wiring closets should be equipped with an emergency shutoff.
Mobile and Portable Systems: 11 RULES (DON'TS)
• Don't leave a laptop in an unlocked vehicle.
• Don't leave a laptop or any device in plain sight in your car, even if locked.
• Be aware of damage which can be caused by extreme temperatures.
• Carry your laptop in a nondescript carrying case.
• Don't leave your laptop in an empty conference room during lunch or breaks.
• Lock your laptop in your office, or a cabinet, or with a cable lock during off hours.
• Don't let unaccompanied strangers wander around your workplace.
• Apply distinctive markings to your laptop to make it unique and easily identifiable.
• Consider purchasing one of the new theft alarm systems specially made for laptops. In addition, new technologies exist to locate lost or stolen laptops (e.g., CompuTrace).
• Do not use automatic logins for email or any other accounts.
• Back up your information today and often.
implementation phase
of the Security Systems Development Life Cycle (SecSDLC), in general, is accomplished by changing the configuration and operation of the organization's information system to make it more secure.
Developing the Project Plan
The creation of a project plan can be accomplished using a simple planning tool such as the work breakdown structure (WBS). Major project tasks are placed into the WBS along with the following attributes for each:
work breakdown structure (WBS): 8 THINGS
• Work to be accomplished (activities and deliverables) - A deliverable is a completed document or program module that can either serve as the beginning point for a later task or become an element in the finished project.
• Individuals (or skill set) assigned to perform the task
• Start and end dates for the task (when known)
• Amount of effort required for completion in hours or work days
• Estimated capital expense for the task
• Estimated noncapital expense for the task
• Identification of dependencies between and among tasks
Project Planning Considerations: FPTSPOT
• Financial - cost-benefit analysis
• Priority
• Time and Scheduling
• Staffing
• Procurement
• Organizational Feasibility
• Training and Indoctrination
Project scope
describes the amount of time and effort-hours needed to deliver the planned features and quality level of the project deliverables.
negative feedback loop
Once a project is underway, it is managed using a process known as a __________ to ensure progress is measured periodically by comparing measured results with expected results.
project wrap-up
resolve any pending issues, critique the overall project effort, and draw conclusions about how to improve the process for the future.
Conversion Strategies: 4 THINGS
• Direct Changeover - involves stopping the old system and starting the new system; also known as going 'cold turkey'
• Phased Implementation - a measured rollout of the planned system, with part of the whole being brought out and disseminated across an organization before the next piece is implemented. This is the most common conversion strategy.
• Pilot Implementation - the entire security system is put in place in a single office, department or division, and issues are dealt with before expanding to the rest of the organization.
• Parallel Operation - both the old and new methods are run at the same time.
Policies (Bull's-Eye Model)
establishes the ground rules for the use of all systems and describes what is appropriate and what is inappropriate, and enables all other information security components to function correctly and have the desired effects in improving the organization's information security program.
Networks (Bull's-Eye Model)
designing and implementing an effective DMZ is the primary way to secure an organization's networks. Secondary efforts in this layer include providing necessary authentication and authorization when allowing users to connect over public networks to the organization's systems.
Systems (Bull's-Eye Model)
designing and implementing an effective DMZ is the primary way to secure an organization's networks. Secondary efforts in this layer include providing necessary authentication and authorization when allowing users to connect over public networks to the organization's systems.
Applications (Bull's-Eye Model)
includes packaged applications, such as office automation and e-mail programs, as well as high-end enterprise resource planning (ERP) packages. Custom applications are also
Every organization does not
need to develop an information security department of its own. These functions can be outsourced if internal talent does not exist to complete the task.
By managing the process of change, the organization can do the following: 5 THINGS
• Improve communication about change across the organization
• Enhance coordination between groups within the organization as change is scheduled and
• Reduce unintended consequences by having a process to resolve conflict and disruption that change can introduce
• Improve quality of service as potential failures are eliminated and groups work together
• Assure management that all groups are complying with the organization's policies regarding technology governance, procurement, accounting, and information security
Culture of Change Management: 3 THINGS UMR
• Unfreezing - thawing hard-and-fast habits and established procedures
• Moving - transition between the old way and the new
• Refreezing - integration of the new methods into the organization's culture
Considerations for Organizational Change: 2 THINGS RD
• Reduce resistance from the start - communicate, involve employees
• Develop a culture that supports change - successfully accomplish many projects that require change, get strong executive-level support