CISSP - 10 Domains : 15 Key Value Points

CISSP - 10 Domains : 15 Key Value Points (2013)

Security Foundation – CIA

- Confidentiality: seeks to prevent the unauthorized disclosure of information (i.e. Personally Identifiable Information)
- Integrity: seeks to prevent unauthorized modification of information (i.e. unauthorized write access to data)
- Availability: ensures that information is at hand when needed (i.e. Denial of Service)

azeemkhan.net | Twitter: @azeemnow

Cryptography – CIA: Confidentiality

Symmetric / Private:
- Same key to encrypt & decrypt message
- One key is shared between two or more entities
- Algorithm is less complex and faster
- Incompatible with Digital Signatures
- Ex: DES, AES, 3DES

Asymmetric / Public:
- Two keys: one public & one private
- One entity has a public key, and the other entity has a private key
- Algorithm is more complex and slower
- Enables Digital Signatures
- Ex: ECC, DH, RSA

Cryptography – CIA: Integrity

We can encrypt data so that it is private; but how do we know it has not been tampered with?

Hash functions: SHA-1, MD5
– Variable-length plaintext is “hashed” into a fixed-length hash value (message digest)
– Referred to as “one way” because there is no way to reverse the hash algorithm

Digital signature flow: hash algorithm applied to a message → results in a Message Digest → MD value is signed with the sender’s Private Key → produces a Digital Signature

Cryptography in Use

Link Level
– Headers and all payload are encrypted
– Decryption at each hop: if a node is compromised, all traffic going through that node can be compromised

End-to-End
– Only the payload is encrypted; headers are in plain
– Hops do not need to decrypt headers

Access Control I – AAA

- Identity: an identity is a claim, without proof
- Authentication: proving an identity claim: something you have, something you know, something you are
- Authorization: actions you can perform on a system once you have been identified & authenticated, i.e. Read, Write, Read/Write
- Accountability: holding users accountable for their actions via logging and analyzing audit data
  - Non-repudiation: cannot deny having performed a transaction

Access Control Models – DAC, MAC, RBAC

1. Discretionary
- Data owner decides who can access resources
- Data owner is usually the creator & has full control of the object
- Implemented through ACLs
- Used in environments that do not require a high level of centralized security

2. Mandatory
- Access is based on the security clearance of the subject and the classification of the object
- Each user is assigned a clearance, and each object has a classification
- Access is decided by the system policy and is not up to the discretion of a data owner

3. Role-Based
- Allows access to objects based on the role the user holds within the company
- Administrators assign a user to a role & then assign access rights to that role, not directly to the user
- Ideal for a high rate of turnover

Architecture & Design – Security Models

Bell-LaPadula
- Confidentiality model
- Divides entities into subjects and objects
- Clearance of the subject attempting to access an object is compared with that object’s classification

Biba
- Integrity model
- Subject cannot write data to an object at a higher integrity level
- Subject cannot read data from an object at a lower integrity level

Clark-Wilson
- Separation of duties: ensures consistency of data
- Prevents users from making improper modifications
- Subject must go through a program to access & modify data
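The access decisions from the DAC/MAC/RBAC slide and the Bell-LaPadula and Biba rules above, as one added Python example that is not from the original slides. Level names, users, objects and ACL entries are constructed for illustration; Clark-Wilson is left out because its rules concern well-formed transactions rather than a level comparison.

```python
# Added example, not from the original slides. Level names, users, objects and
# ACL entries below are constructed for illustration.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top_secret": 3}

def dac_allows(acl, subject, obj, op):
    """DAC: the object owner's ACL says who may do what; nothing else is consulted."""
    return op in acl.get(obj, {}).get(subject, set())

def rbac_allows(user_roles, role_perms, user, obj, op):
    """RBAC: rights attach to roles; a user gets the union of its roles' rights."""
    return any((obj, op) in role_perms.get(role, set())
               for role in user_roles.get(user, set()))

def blp_allows(clearance, classification, op):
    """MAC, Bell-LaPadula (confidentiality): no read up, no write down."""
    s, o = LEVELS[clearance], LEVELS[classification]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    return False

def biba_allows(subject_level, object_level, op):
    """MAC, Biba (integrity): no read down, no write up; the mirror of Bell-LaPadula."""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    return False

# Constructed sample policy data.
ACL = {"budget.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}
USER_ROLES = {"carol": {"auditor"}, "dave": {"auditor", "payroll"}}
ROLE_PERMS = {"auditor": {("ledger", "read")},
              "payroll": {("ledger", "read"), ("ledger", "write")}}

def demo():
    """One decision per model, showing where each rule says no."""
    return {
        "dac: bob writes budget.xlsx": dac_allows(ACL, "bob", "budget.xlsx", "write"),
        "rbac: carol writes ledger": rbac_allows(USER_ROLES, ROLE_PERMS, "carol", "ledger", "write"),
        "blp: secret reads top_secret": blp_allows("secret", "top_secret", "read"),
        "blp: secret writes top_secret": blp_allows("secret", "top_secret", "write"),
        "biba: secret reads public": biba_allows("secret", "public", "read"),
    }

if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision:32} -> {'allow' if allowed else 'deny'}")
```

Note that Bell-LaPadula permits a secret subject to write into a top-secret object (a "blind write" up), which is exactly the integrity gap Biba closes.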

Software Development – Common Process for Addressing Flaws

Telecommunication – Intrusion Detection System

- Attack Detection: able to alert if you are under attack, or if a system on your network is compromised
- Policy Enforcement: monitors network behavior that violates your organization’s network security or acceptable use policies (i.e. social media, IM)
- Audit Trail: an IDS can provide an after-the-attack audit trail for seeing how far an attacker got, and where they came from
- Resource Justification: an IDS can provide info on how well your firewall is working & how many people are “out to get you”

Telecommunication – Firewalls

Packet Filtering: 1st Gen
- Simplest, least expensive
- Based on addresses, ports, protocol type
- Cannot keep state info

Proxy: 2nd Gen
- Makes a copy of each packet & transfers it from one network to another
- No direct connection between inside/outside
- Inserts its own address
- Application-level: deep packet inspection

Stateful: 3rd Gen
- Packets are captured by an inspection engine & each OSI layer of the packet is inspected
- Keeps track of the “state” of the communication stream; state table

Telecommunication – Life Cycle Of An

Legal – Liabilities: who is at fault?

Due Care – doing the right thing
- Performing the ongoing maintenance necessary to keep something in proper working order
- Opposite: negligence

Due Diligence – investigation
- Performing research before committing to a course of action
- Opposite: haphazardly; not doing your homework

- Did management fail to execute Due Care and/or Due Diligence?
- Prudent Man Rule: perform duties that prudent people (highest integrity) would exercise in similar circumstances
- Downstream Liabilities
- Civil/Tort Law: wrongs against individuals/companies resulting in damage
- Criminal Law: violations of government law that was developed to protect the public; can include jail time

Legal – Forensics: Court Admissible Evidence

Evidence life cycle (stages on the slide): Collection & Identification → Present in Court → Return to Victim (owner)

Common reasons for improper evidence collection & prosecutions:
- No established IR Team / IR procedures
- Poorly written policies
- Broken chain of custody
- Lack of proper law enforcement POC

Risk Management, BCP & DRP – High-level process overview (CIA: Availability)

- Project Initiation
- Business Impact
- Risk Analysis
- Implementation
- Risk Mitigation
- Testing
- Maintenance

Physical – CIA: Availability

1. Identification Mechanisms
- Dedicated Security Guard
- Badge Reader / ease of duplication
- Garage Entry / piggybacking

2. Countermeasures
- Awareness & Trainings
- Mantraps
- Security Guard

3. Live Monitoring & Recording
- What area needs to be monitored?
- Retention policy?
- Sensitive Areas – restricted number of windows

Device Security:
- Locking mechanism
- Tracing software
- Encryption
- Inventory system
- Recycling procedure
- Fencing & physical barriers
- Fail-safe or Fail-secure

Audit Trails:
- Logs for everyone who enters & leaves the facility
- Logs’ storage policy

Operations Security – Someone has to do the doing

- Operational tration
- Testing
- Audit Logs
- Management

Security Goal 101:

“Fundamentally, security is a function that is supporting the business. It isn’t the business itself. Broadly speaking, the more secure you make something, the less usable it becomes. It’s a bit like fast cars; the faster or sportier you want a car to be, the less practical and useful it becomes for everyday use.” - J4vv4d

THANK YOU