CISSP Presentation
(ISC)²
CISSP Focus
• CISSP focuses on security:
– Design
– Architecture
– Theory
– Concept
– Planning
– Managing
Topical Domains
• Security and Risk Management
• Asset Security
• Security Architecture and Engineering
• Communication and Network Security
• Identity and Access Management (IAM)
• Security Assessment and Testing
• Security Operations
• Software Development Security
Exam Topic Outline
• www.isc2.org/Certifications/CISSP
• Download the CISSP Exam Outline
– Under “2: Register and Prepare for the Exam”
• Previously known as the Candidate Information Bulletin
• Also, view the CISSP Ultimate Guide
Prequalifications
• For taking the CISSP exam:
– 5 years full-time paid work experience
– Or, 4 years experience with a recent college degree
– Or, 4 years experience with an approved security certification, such as CAP, CISM, CISA, Security+, CCNA Security, MCSA, MCSE, and GIAC
– Or, Associate of (ISC)² if you don’t yet have experience
– Agree to (ISC)² Code of Ethics
CISSP Exam Overview
• CISSP-CAT (Computerized Adaptive Testing)
• Minimum 100 questions
• Maximum 150 questions
• 25 unscored items mixed in
• 3 hours to take the exam
• No score is issued, just pass or fail
• Must achieve the “passing standard” for each domain within the last 75 questions seen
Exam Retakes
• Take the exam a maximum of 3 times per 12-month period
• Wait 30 days after your first attempt
• Wait an additional 90 days after your second attempt
• Wait an additional 180 days after your third attempt
• You will need to pay full price for each additional exam attempt.
Question Types
• Most questions are standard multiple choice with four answer options and a single correct answer
• Some questions require you to select two, select three, or select all that apply
• Some questions may be based on a provided scenario or situation
• Advanced innovative questions may require drag-and-drop, hot-spot, or reorder tasks
Exam Advice
• Work promptly, don’t waste time, keep an eye on your remaining time
• It is not possible to return to a question.
• Try to reduce/eliminate answer options before guessing
• Pay attention to question format and how many answers are needed
• Use the provided dry-erase board for notes
Updates and Changes
• As updates, changes, and errata are needed for the book, they are posted online at: www.wiley.com/go/cissp8e
Exam Prep Recommendations
• Read each chapter thoroughly
• Research each practice question you get wrong
• Complete the written labs
• View the online flashcards
• Use the 6 online bonus exams to test your knowledge across all of the domains
• Consider using: (ISC)² CISSP Official Practice Tests, 2nd Edition (ISBN: 978-1-119-47592-7)
Completing Certification
• Endorsement
– By a CISSP-certified individual in good standing
– Within 90 days of passing the exam
Book Organization 1/2
• Security and Risk Management
– Chapters 1-4
• Asset Security
– Chapter 5
• Security Architecture and Engineering
– Chapters 6-10
• Communication and Network Security
– Chapters 11-12
Book Organization 2/2
• Identity and Access Management (IAM)
– Chapters 13-14
• Security Assessment and Testing
– Chapter 15
• Security Operations
– Chapters 16-19
• Software Development Security
– Chapters 20-21
Study Guide Elements
• Exam Essentials
• Chapter Review Questions
• Written Labs
• Real-World Scenarios
• Summaries
Additional Study Tools
www.wiley.com/go/cissptestprep
• Electronic flashcards
• Glossary in PDF
• Bonus Practice Exams:
– 6 × 150-question practice exams covering the full range of domain topics
Chapter 1
Security Governance Through Principles and Policies
• CIA Triad
• AAA Services
• Protection Mechanisms
CIA Triad
• Confidentiality
• Integrity
• Availability
Confidentiality
• Sensitivity
• Discretion
• Criticality
• Concealment
• Secrecy
• Privacy
• Seclusion
• Isolation
Integrity 1/3
• Preventing unauthorized subjects from making modifications
• Preventing authorized subjects from making unauthorized modifications
• Maintaining the internal and external consistency of objects
Integrity 2/3
• Accuracy: Being correct and precise
• Truthfulness: Being a true reflection of reality
• Authenticity: Being authentic or genuine
• Validity: Being factually or logically sound
• Nonrepudiation: Not being able to deny having performed an action or activity, or being able to verify the origin of a communication or event
Integrity 3/3
• Accountability: Being responsible or obligated for actions and results
• Responsibility: Being in charge or having control over something or someone
• Completeness: Having all needed and necessary components or parts
• Comprehensiveness: Being complete in scope; the full inclusion of all needed elements
Availability
• Usability: The state of being easy to use or learn, or being able to be understood and controlled by a subject
• Accessibility: The assurance that the widest range of subjects can interact with a resource regardless of their capabilities or limitations
• Timeliness: Being prompt, on time, within a reasonable time frame, or providing low-latency response
AAA Services
• Identification
• Authentication
• Authorization
• Auditing
• Accounting/Accountability
Protection Mechanisms
• Layering/Defense in Depth
• Abstraction
• Data Hiding
• Security through obscurity
• Encryption
Evaluate and Apply Security Governance Principles
• Alignment of Security Function
• Security Management Plans
• Organizational Processes
• Change Control/Management
• Data Classification
• Organizational Roles and Responsibilities
• Security Control Frameworks
• Due Care and Due Diligence
Alignment of Security Function
Security Management Plans
• Strategic
• Tactical
• Operational
Organizational Processes
• Security governance
• Acquisitions and divestitures risks:
– Inappropriate information disclosure
– Data loss
– Downtime
– Failure to achieve sufficient return on investment (ROI)
Change Control/Management 1/2
• Implement changes in a monitored and orderly manner. Changes are always controlled.
• A formalized testing process is included to verify that a change produces expected results.
• All changes can be reversed (also known as backout or rollback plans/procedures).
• Users are informed of changes before they occur to prevent loss of productivity.
Change Control/Management 2/2
• The effects of changes are systematically analyzed to determine whether security or business processes are negatively affected.
• The negative impact of changes on capabilities, functionality, and performance is minimized.
• Changes are reviewed and approved by a change approval board (CAB).
Data Classification 1/2
• Determines: effort, money, and
resources
• Government/military vs.
commercial/private sector
• Declassification
Data Classification 2/2
1. Identify the custodian, define responsibilities.
2. Specify the evaluation criteria.
3. Classify and label each resource.
4. Document any exceptions.
5. Select the security controls for each level.
6. Specify declassification and external transfer.
7. Create an enterprise-wide awareness program.
Organizational Roles and Responsibilities
• Senior Manager
• Security Professional
• Data Owner
• Data Custodian
• User
• Auditor
Security Control Frameworks
• COBIT (see next slide)
– Used to plan the IT security of an organization and as a guideline for auditors
– Information Systems Audit and Control Association (ISACA)
• Open Source Security Testing Methodology Manual (OSSTMM)
• ISO/IEC 27001 and 27002
• Information Technology Infrastructure Library (ITIL)
Control Objectives for Information and Related Technologies (COBIT)
Due Care and Due Diligence
• Due care is using reasonable care to
protect the interests of an
organization.
• Due diligence is practicing the
activities that maintain the due care
effort.
Develop, Document, and Implement Security Policy, Standards, Procedures, and Guidelines
• Security Policies
• Security Standards, Baselines, and Guidelines
• Security Procedures
Security Policies
• Defines the scope of security needed by the organization
• Organizational, issue-specific, system-specific
• Regulatory, advisory, informative
Security Standards, Baselines, and Guidelines
• Standards define compulsory requirements
• Baselines define a minimum level of security
• Guidelines offer recommendations on how standards and baselines are implemented
Security Procedures
• Standard operating procedure (SOP)
• A detailed, step-by-step how-to
• To ensure the integrity of business processes
Understand and Apply Threat Modeling Concepts and Methodologies
• Threat Modeling
• Identifying Threats
• Threat Categorization Schemes
• Determining and Diagramming Potential Attacks
• Performing Reduction Analysis
• Prioritization and Response
Threat Modeling
• Microsoft’s Security Development Lifecycle (SDL)
• “Secure by Design, Secure by Default, Secure in Deployment and Communication” (also known as SD3+C)
• Proactive vs. reactive approach
Identifying Threats
• Focused on Assets
• Focused on Attackers
• Focused on Software
Threat Categorization Schemes
• Trike
• Visual, Agile, and Simple Threat (VAST)
STRIDE
• Spoofing
• Tampering
• Repudiation
• Information disclosure
• Denial of service
• Elevation of privilege
PASTA 1/2
• Stage I: Definition of the Objectives (DO) for the Analysis of Risks
• Stage II: Definition of the Technical Scope (DTS)
• Stage III: Application Decomposition and Analysis (ADA)
• Stage IV: Threat Analysis (TA)
• Stage V: Weakness and Vulnerability Analysis (WVA)
• Stage VI: Attack Modeling and Simulation (AMS)
• Stage VII: Risk Analysis and Management (RAM)
PASTA 2/2
Determining and Diagramming Potential Attacks
• Diagram the infrastructure
• Identify data flow
• Identify privilege boundaries
• Identify attacks for each diagrammed element
Diagramming to Reveal Threat Concerns
Performing Reduction Analysis
• Decomposing
• Trust boundaries
• Data flow paths
• Input points
• Privileged operations
• Details about security stance and approach
Prioritization and Response
• Probability × Damage Potential ranking
• High/medium/low rating
• DREAD system
– Damage potential
– Reproducibility
– Exploitability
– Affected users
– Discoverability
Apply Risk-Based Management Concepts to the Supply Chain
• Resilient integrated security
• Cost of ownership
• Outsourcing
• Integrated security assessments
• Monitoring and management
– On-site assessment
– Document exchange and review
– Process/policy review
– Third-party audit (AICPA SOC1 and SOC2)
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 2
Personnel Security and Risk Management Concepts
Candidate Screening and Hiring
Employment Agreements and Policies
• Non-disclosure agreement
• Non-compete agreement
• Audit job descriptions, work tasks, privileges, and responsibilities
• Mandatory vacations
Onboarding and Termination Processes
• Onboarding vs. offboarding
• Maintain control and minimize risks
• Exit interview
• Terminate access
• Return company property
Vendor, Consultant, and Contractor Agreements and Controls
Compliance Policy Requirements
Privacy Policy Requirements
• Active prevention of unauthorized access to information that is personally identifiable
• Freedom from unauthorized access to information deemed personal or confidential
• Freedom from being observed, monitored, or examined without consent or knowledge
• Legislative and regulatory compliance issues
• HIPAA, SOX, FERPA, GLB, DPD, and GDPR
• PCI-DSS
Security Governance
Understand and Apply Risk Management Concepts
• Risk Terminology
• Identify Threats and Vulnerabilities
• Risk Assessment/Analysis
• Risk Responses
• Countermeasure Selection and Implementation
• Types of Controls
• Security Control Assessment
• Monitoring and Measurement
• Asset Valuation and Reporting
• Continuous Improvement
• Risk Frameworks
Risk Terminology
• Asset
• Asset valuation
• Threats
• Vulnerability
• Exposure
• Risk
• Safeguard, security control, countermeasure
• Attack, breach
Identify Threats and Vulnerabilities
Risk Assessment/Analysis
• Quantitative analysis
• Qualitative analysis
Quantitative Analysis
• AV (asset value)
• EF (exposure factor)
• SLE = AV × EF
• ARO (annualized rate of occurrence)
• ALE = SLE × ARO
• Cost benefit:
– (ALE before) – (ALE after) – annual cost of safeguard (ACS) = value of the safeguard to the company
Qualitative Analysis
• Brainstorming
• Delphi technique
• Storyboarding, scenarios
• Focus groups
• Surveys
• Questionnaires
• Checklists
• One-on-one meetings
• Interviews
Risk Responses
• Reduce or mitigate
• Assign or transfer
• Accept
• Deter
• Avoid
• Reject or ignore
• Total risk vs. residual risk
• threats × vulnerabilities × asset value = total risk
• total risk – controls gap = residual risk
Countermeasure Selection
• Costs and benefits
• Reduce attack benefit
• Solve a real problem
• Not dependent upon secrecy
• Testable
• Uniform protection
• No dependencies
• Tamperproof
Countermeasure Implementation
• Administrative
• Logical/technical
• Physical
• Defense in depth
Types of Controls
• Deterrent
• Preventive
• Detective
• Compensating
• Corrective
• Recovery
• Directive
Security Control Assessment
• Formal evaluation of a security infrastructure’s individual mechanisms against a baseline or reliability expectation
• Ensure the effectiveness
• Evaluate the quality and thoroughness
• Identify relative strengths and weaknesses of security infrastructures
• NIST SP 800-53A, “Guide for Assessing the Security Controls in Federal Information Systems”
Monitoring and Measurement
• Quantified, evaluated, or compared
• Native/internal monitoring or external monitoring
• Measuring the effectiveness
Asset Valuation and Reporting
• Used to justify protections
• Tangible value
• Intangible value
• Used in cost/benefit analysis
• Helps select safeguards
• Defines level of risk
• Risk reporting
• Internal or to relevant/interested third parties
Continuous Improvement
• Security is always changing
• Needs to be integrated into deployed security solutions
• Risk analysis is a “point in time” metric
• As threats change, so must security
Risk Frameworks 1/3
• Guideline or recipe for how risk is to be assessed, resolved, and monitored
• NIST SP 800-37
• Risk Management Framework (RMF)
– 1. Categorize
– 2. Select
– 3. Implement
– 4. Assess
– 5. Authorize
– 6. Monitor
Risk Frameworks 2/3
Risk Frameworks 3/3
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE)
• Factor Analysis of Information Risk (FAIR)
• Threat Agent Risk Assessment (TARA)
Establish and Maintain a Security Awareness, Education, and Training Program
Manage the Security Function
• Security governance
• Risk assessment
• Craft security policy
• Cost effective
• Measurable security
• Resource management
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 3
Business Continuity Planning
Project Scope and Planning
• Business Organization Analysis
• BCP Team Selection
• Resource Requirements
• Legal and Regulatory Requirements
Business Organization Analysis
BCP Team Selection
• Needs members from every department/division
• Include members from:
– IT
– Cybersecurity
– Senior management
– Physical security and facilities
– Legal and PR
Resource Requirements
• BCP Development
• BCP Testing, Training, and Maintenance
• BCP Implementation
• Mostly personnel, but may include IT and physical resource allocation
Legal and Regulatory Requirements
• Federal, state, and local laws or regulations
• Emergency services
• Industry regulations
• Country-specific laws
• Service level agreements
Business Impact Assessment
• Quantitative Decision Making vs. Qualitative Decision Making
• Identify Priorities
• Risk Identification
• Likelihood Assessment
• Impact Assessment
• Resource Prioritization
Identify Priorities
• Critical prioritization of business processes
• Assess by department, then organization
• Assign an AV (asset value) to each process
• Determine:
– MTD (maximum tolerable downtime)
– MTO (maximum tolerable outage)
• Choose an RTO (recovery time objective)
Risk Identification
• Inventory-specific risks
• Natural and man-made
• Logical and physical and social
• Don’t overlook the cloud
• Get input from all departments
Likelihood Assessment
• Determine frequency of occurrence
• Establish an ARO (annualized rate of occurrence)
• Based on history, experience, and experts
Impact Assessment
• Evaluate consequences of a breach
• EF (exposure factor)
• SLE (single loss expectancy)
– SLE = AV x EF
• ALE (annualized loss expectancy)
– ALE = SLE x ARO
• Consider non-monetary impacts
Resource Prioritization
• Biggest ALE is biggest risk concern
• Combine qualitative priorities with quantitative priorities
• Work at addressing each item from largest ALE value first
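As an added worked example (not from the study guide or this deck), the formulas on the Quantitative Analysis, Impact Assessment and Resource Prioritization slides carried through on a constructed inventory: SLE and ALE per process, ranking by largest ALE, and the cost/benefit rule (ALE before minus ALE after minus ACS) used to decide between two constructed candidate safeguards. The Exposure and Safeguard classes, names and all figures are my own assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Exposure:
    """One business process or asset with the quantitative inputs from the slides."""
    name: str
    av: float   # AV: asset value (monetary)
    ef: float   # EF: exposure factor, fraction of AV lost in one incident (0.0 to 1.0)
    aro: float  # ARO: annualized rate of occurrence

    def sle(self) -> float:
        """SLE = AV * EF: loss expected from a single incident."""
        return self.av * self.ef

    def ale(self) -> float:
        """ALE = SLE * ARO: loss expected per year."""
        return self.sle() * self.aro


@dataclass(frozen=True)
class Safeguard:
    """A candidate control: its annual cost and the exposure left once it is in place."""
    name: str
    annual_cost: float  # ACS: annual cost of the safeguard
    ef_after: float
    aro_after: float


def rank_by_ale(exposures: list) -> list:
    """Resource prioritization: the largest ALE is the biggest concern, so it comes first."""
    return sorted(exposures, key=lambda e: e.ale(), reverse=True)


def safeguard_value(exposure: Exposure, sg: Safeguard) -> float:
    """Cost/benefit from the slide: (ALE before) - (ALE after) - ACS.

    A positive value means the safeguard saves more per year than it costs."""
    after = replace(exposure, ef=sg.ef_after, aro=sg.aro_after)
    return exposure.ale() - after.ale() - sg.annual_cost


def best_safeguard(exposure: Exposure, candidates: list):
    """Return (safeguard, value) for the best-paying candidate, or None if none pays for itself."""
    scored = [(safeguard_value(exposure, sg), sg) for sg in candidates]
    value, sg = max(scored, key=lambda pair: pair[0])
    return (sg, value) if value > 0 else None


# Constructed sample inventory; every figure below is hypothetical.
EXPOSURES = [
    Exposure("Order-processing server", av=400_000, ef=0.25, aro=0.5),
    Exposure("Email archive", av=200_000, ef=0.5, aro=0.125),
    Exposure("Warehouse Wi-Fi", av=50_000, ef=1.0, aro=2.0),
]

# Two constructed candidate controls for the Wi-Fi exposure (names are assumptions).
WIFI_CANDIDATES = [
    Safeguard("WPA2 rollout with rogue-AP monitoring", annual_cost=20_000, ef_after=1.0, aro_after=0.25),
    Safeguard("Fully managed wireless service", annual_cost=95_000, ef_after=1.0, aro_after=0.125),
]

if __name__ == "__main__":
    ranked = rank_by_ale(EXPOSURES)
    for e in ranked:
        print(f"{e.name:26s} SLE={e.sle():>10,.0f}  ALE={e.ale():>10,.0f}")
    top = ranked[0]
    for sg in WIFI_CANDIDATES:
        print(f"{sg.name:40s} value={safeguard_value(top, sg):>10,.0f}")
    choice = best_safeguard(top, WIFI_CANDIDATES)
    print("recommended:", choice[0].name if choice else "accept the risk (no candidate pays off)")
```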
Continuity Planning
• Strategy Development
• Provisions and Processes
• Plan Approval
• Plan Implementation
• Training and Education
Strategy Development
• Bridge between BIA and BCP crafting
• Determine which risks to address in this BCP crafting time frame
• Determine acceptable risks vs. those that require mitigation
• Commit sufficient resources to resolve priorities
Provisions and Processes
• People
• Building and facilities
– Hardening provisions
– Alternate sites
• Infrastructure
– Physically hardening systems
– Alternative systems
Plan Approval
• Top-level management endorsement
• Educate top executives about plan concepts and details
• Senior executive approval establishes plan credibility throughout the organization
Plan Implementation
• Define an implementation schedule
• Use allocated implementation resources
• Achieve process and provisioning goals
• Implement BCP maintenance program
Training and Education
• Assign responsibilities
• Plan overview briefing
• Dedicated training for those with assigned responsibilities
• A backup or replacement person for each position
BCP Documentation
• Continuity Planning Goals
• Statement of Importance
• Statement of Priorities
• Statement of Organizational Responsibility
• Statement of Urgency and Timing
• Risk Assessment
• Risk Acceptance/Mitigation
• Vital Records Program
• Emergency-Response Guidelines
• Maintenance
• Testing and Exercises
Continuity Planning Goals
• Set goals
• Ensure the continuous operation of the business in the face of an emergency situation
• Meet organizational needs
Statement of Importance
• Reflects criticality of BCP
• Disclosed in a memo to all employees
• Should be signed by CEO to avoid compliance resistance
Statement of Priorities
• Directly reflects designed BCP priorities
• Include evaluation of priorities
• Focus on importance to the continued operation of business functions in the event of an emergency
Statement of Organizational Responsibility
Statement of Urgency and Timing
Risk Assessment
• A recap of the BCP decision-making process
• Summary of BIA
• Discloses quantitative and qualitative analysis results
Risk Acceptance/Mitigation
• Identifies those risks deemed acceptable
• Identifies those risks deemed unacceptable
– List risk management provisions
– Define processes and responses
– Define how the risk is reduced or managed
Vital Records Program
• Determine where critical records will be stored
• Set procedures for backing up critical records
• Identify critical records
• Digital and paper should be considered
• Vital records are those needed to reconstruct the organization in the event of a disaster
Emergency-Response Guidelines
• Define responsibilities in an emergency
• Details activation of BCP elements
• Immediate response procedures
• Individuals to notify of the incident
• Secondary response procedures
• Goal is to minimize response time
Maintenance
• BCP is a living document
• BCP should be periodically updated
• Drastic changes may require a complete re-design and re-crafting
• Practice good version control
• Include BCP in job descriptions/responsibilities
Testing and Exercises
• Establish a formalized testing program
• Train personnel on their tasks and responsibilities
• See disaster recovery testing in Chapter 18
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 4
Laws, Regulations, and Compliance
Criminal Law
• Preserve peace
• Keep society safe
• Penalties include:
– Community service
– Fines
– Prison
• Enacted through legislation
Civil Law
• Provide for orderly society
• Govern matters that are not crimes
• Enacted through legislation
• Punishment can include financial penalties
Administrative Law
• Policies, procedures, and regulations
• Govern the daily operations of an entity
• Enacted by government agencies, not the legislature
Laws
• Computer Crime
• Intellectual Property
• Licensing
• Import/Export
• Privacy
Computer Crime 1/2
• Computer Fraud and Abuse Act (CFAA)
– Federal interest computer
– Accessing classified information, accessing systems, fraud, malicious damage, modifying medical records, trafficking passwords
– Any computer in use by the government, financial institutions, and interstate offenses
• Amendments
– Creating malware code, interstate commerce, imprisonment, and civil action from victims
• Federal Sentencing Guidelines
– Prudent man rule
– Burden of proof: negligence, compliance, causal
Computer Crime 2/2
• National Information Infrastructure Protection Act
– CFAA – international, national infrastructure
• Federal Information Security Management Act (FISMA)
– Risk assessment, planning, training, testing, incident management
• Federal Information Systems Modernization Act (FISMA)
– Centralizing under DHS
• Cybersecurity Enhancement Act
– NIST establishing voluntary cybersecurity standards
Intellectual Property 1/2
• Copyrights
– Original works of authorship
– Digital Millennium Copyright Act
• Trademarks
– Words, slogans, logos, etc., which identify a company, its products, and its services
• Patents
– Intellectual property rights of inventors
Intellectual Property 2/2
• Trade Secrets
– Intellectual property of an organization
– Non-disclosure agreement (NDA)
• Economic Espionage Act
– Stealing trade secrets to benefit a foreign government
– Stealing trade secrets
Licensing
• Contractual license agreements
• Shrink-wrap license agreements
• Click-through license agreements
• Cloud services license agreements
Import/Export
• Trans-border data flow of new technologies, intellectual property, and personally identifying information
• International Traffic in Arms Regulations (ITAR)
• United States Munitions List (USML)
• Export Administration Regulations (EAR)
• Commerce Control List (CCL)
• Computer Export Controls
• Encryption Export Controls
Privacy 1/5
• U.S. Privacy Law (1/2)
– Fourth Amendment
– Privacy Act
– Electronic Communications Privacy Act
– Communications Assistance for Law Enforcement Act (CALEA)
– Economic Espionage Act
– Health Insurance Portability and Accountability Act (HIPAA)
Privacy 2/5
• U.S. Privacy Law (2/2)
– Health Information Technology for Economic and Clinical Health Act (HITECH)
– Data Breach Notification Laws
– Children’s Online Privacy Protection Act (COPPA)
– Gramm-Leach-Bliley Act
– USA PATRIOT Act
– Family Educational Rights and Privacy Act (FERPA)
– Identity Theft and Assumption Deterrence Act
Privacy 3/5
• European Union Privacy Law (1/3)
– Consent
– Contract
– Legal obligation
– Vital interest of the data subject
– Balance between the interests of the data holder and the interests of the data subject
– Key rights of individuals
– Privacy Shield agreement
Privacy 4/5
• European Union Privacy Law (2/3)
– Privacy Shield agreement
– Informing Individuals About Data Processing
– Providing Free and Accessible Dispute Resolution
– Cooperating with the Department of Commerce
– Maintaining Data Integrity and Purpose Limitation
– Ensuring Accountability for Data Transferred to Third Parties
– Transparency Related to Enforcement Actions
– Ensuring Commitments Are Kept As Long As Data Is Held
Privacy 5/5
• European Union Privacy Law (3/3)
– European Union General Data Protection Regulation (GDPR)
– Applies to organizations that are not based in the EU
– 24-hour data breach notification requirement
– Centralized data protection authorities in each EU member state
– Individuals will have access to their own data
– Data portability provisions
– The “right to be forgotten”
Compliance
• Security regulation has become complex
• Issues with regulatory agencies and contractual obligations
• Overlapping and often contradictory requirements
• May require full-time compliance staff
• Compliance audits and reporting
• Payment Card Industry Data Security Standard (PCI DSS)
Contracting and Procurement
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 5
Protecting Security of Assets
Defining Classifications 1/3
• Government/Military
– Top Secret
– Secret
– Confidential
– Unclassified
– For Official Use Only (FOUO)
– Sensitive but Unclassified (SBU)
• Non-government
– Class 3, 2, 1, 0
Defining Classifications 2/3
Defining Classifications 3/3
• Civilian
– Confidential or Proprietary
– Private
– Sensitive
– Public
• Defining Asset Classifications
– Asset classification should match system classifications for use/access
Determining Data Security Controls
• Define a policy for all forms and locations of data
• Encrypt all the things
• Consider the value of data
• Use labels and enforcement
• Use data loss prevention (DLP)
• Set requirements for:
– Communications, Storage, and Backups
Understanding Data States
• Data at rest
• Data in motion
• Data in use
• Encryption
• Authentication
• Authorization
Handling Information and Assets 1/4
• Marking Sensitive Data and Assets
– Physical and logical labeling
– Assists with DLP and human handling
– Address downgrading
• Handling Sensitive Information and Assets
– Be aware of common loss-of-control situations, such as backups and cloud storage
Handling Information and Assets 2/4
• Storing Sensitive Data
– Use storage encryption
– Manage the environment
– Provide quality storage devices for long-term retention
• Destroying Sensitive Data
– NIST SP 800-88r1, “Guidelines for Media Sanitization”
Handling Information and Assets 3/4
• Eliminating Data Remanence
– HDD vs. SSD/flash
– Sanitization
– Erasing
– Clearing
– Purging
– Degaussing
– Destruction
– Declassification
Handling Information and Assets 4/4
• Ensuring Appropriate Asset Retention
– Record retention
– Media, system retention
– Employees and NDAs
– A necessary element of a security policy
Data Protection Methods
• Protecting Data with Symmetric Encryption
– AES
– Triple DES
– Blowfish
• Protecting Data with Transport Encryption
– TLS
– VPN
– IPSec
– SSH
Determining Ownership 1/4
• Data Owners
• Asset Owners/System Owners
• Business/Mission Owners
• Data Processors (next slide)
Determining Ownership 2/4
• Data Processors
– The person or entity that controls processing of the data
• GDPR
• EU-US Privacy Shield
– Notice; Choice; Accountability for Onward Transfer; Security; Data Integrity and Purpose Limitation; Access; Recourse, Enforcement, and Liability
Determining Ownership 3/4
• Pseudonymization
– Artificial identifiers
• Anonymization
– Inferencing
– Data masking and randomization
• Administrators
Determining Ownership 4/4
• Custodians
• Users
• Protecting Privacy
– HIPAA
– California Online Privacy Protection Act of 2003 (CalOPPA)
– Personal Information Protection and Electronic Documents Act (Canada)
– GDPR
Using Security Baselines
• NIST SP 800-53
• Scoping
– Selecting controls that specifically apply to the protected target
• Tailoring
– Adjust security control baseline to align with organization mission
• Selecting Standards
– Contractual vs. regulation/legislation
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 6
Cryptography and Symmetric Key Algorithms
Cryptographic Basics
• Goals of Cryptography
• Cryptography Concepts
• Cryptographic Mathematics
• Ciphers
Goals of Cryptography
• Confidentiality
– Symmetric and asymmetric
– Data at rest
– Data in motion
– Data in use
• Integrity
• Authentication
• Nonrepudiation
Cryptography Concepts
• Plaintext
• Encrypt/decrypt
• Ciphertext
• Keys, cryptovariable
• Keyspace, bit size
• Kerckhoffs’s Principle
• Cryptography, cryptanalysis, cryptology, cryptosystem
• FIPS 140-2
Cryptographic Mathematics
• Boolean mathematics/logical operations
– AND, OR, NOT, XOR
• Modulo function
• One-way functions
• Nonce
• Zero-knowledge proof
• Split knowledge
• Work function
Ciphers 1/2
• Codes vs. ciphers
• Transposition ciphers
• Substitution ciphers
– Caesar cipher
– ROT3
– Vigenère cipher
• One-time pads
• Running key ciphers
Ciphers 2/2
• Block ciphers
• Stream ciphers
• Confusion and diffusion
Modern Cryptography
• Cryptographic Keys
• Symmetric Key Algorithms
• Asymmetric Key Algorithms
• Hashing Algorithms
Cryptographic Keys
• Security through obscurity
• Algorithms
• Keys
• Longer keys = better security
Symmetric Key Algorithms 1/2
• Shared secret
• Secret key cryptography/private key cryptography
• Key distribution
• Lack of non-repudiation
• Not scalable
• Keys must be regenerated often
• Fast
Symmetric Key Algorithms 2/2
Asymmetric Key Algorithms 1/3
Asymmetric Key Algorithms 2/3
Asymmetric Key Algorithms 3/3
Hashing Algorithms
• Message digests
• Deriving the original from the hash is difficult or impossible
• Collisions
• Chapter 7 includes hashing algorithms
Symmetric Cryptography 1/3
• Data Encryption Standard
– 56-bit key, 64-bit blocks, 16 rounds
– Electronic code book
– Cipher block chaining
– Cipher feedback
– Output feedback
– Counter mode
• Triple DES
– 168/112-bit key, 64-bit blocks, 48 rounds
– Modes: EEE3, EEE2, EDE3, EDE2
Symmetric Cryptography 2/3
• International Data Encryption Algorithm (IDEA)
– 128-bit key, 64-bit blocks
• Blowfish
– 32 to 448-bit key, 64-bit blocks
• Skipjack
– 80-bit key, 64-bit blocks
• RC5
– 0 to 2040-bit keys, 32/64/128-bit blocks
Symmetric Cryptography 3/3
Symmetric Key Management
• Creation and distribution
– Offline
– Public key encryption
– Diffie-Hellman
• Storage and destruction
• Key escrow and recovery
– Fair Cryptosystem
– Escrowed Encryption Standard
Cryptographic Life Cycle
• Limited life span based on Moore’s law
• Algorithms and keys must remain sufficient to protect the data for as long as it is valuable
• Governance controls:
– Algorithms
– Key lengths
– Security transaction protocols
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
Chapter 7
PKI and Cryptographic Applications
Hash Functions 1/2
• Message digest
• Detects differences and/or collisions
• Parity, checksum
• Variable-length input
• Fixed-length output
• Hash is easy to compute
• Hash is one-way
• Hash is collision resistant
Hash Functions 2/2
• SHA
– SHA-1 – 160 bit hash output
– SHA-2: SHA-256, -224, -512, -384
– SHA-3: SHA3-256, -224, -512, -384
• MD2 – 128-bit hash output
• MD4 – 128-bit hash output
• MD5 – 128-bit hash output
• Hash of Variable Length (HAVAL)
• Hashed Message Authentication Code (HMAC)
Digital Signatures
• Integrity, authentication, non-repudiation
• Sender encrypts hash of data with private key
• Recipient verifies with sender’s public key and
hash comparison
• HMAC
– Hashing with symmetric keys used for entropy
• Digital Signature Standard
– DSA – FIPS 186-4
– RSA – ANSI X9.31
– ECDSA – ANSI X9.62
185
Public Key Infrastructure
• Certificates
• Certificate Authorities
• Certificate Generation and
Destruction
186 overview
Certificates
• X.509 version 3
• Serial number
• Signature algorithm identifier
• Issuer name
• Validity period
• Subject’s name
• Subject’s public key
187
Certificate Authorities
• Neutral organizations offering
notarization services for digital
certificates
• Public commercial or internal
private
• Registration authorities
• Certificate path validation
188
Certificate Generation and
Destruction
• Enrollment
• Verification
• Revocation
– Compromise, erroneously issued,
subject’s details changed, or security
association changed
• Certificate revocation list (CRL)
• Online Certificate Status Protocol (OCSP)
189
Asymmetric Key Management
190
Applied Cryptography 1/3
• Portable devices
– TPM
• Email
– PGP
– S/MIME
• Web applications
– SSL / TLS
• Steganography and watermarking
191
Applied Cryptography 2/3
• Digital Rights Management
– Music DRM
– Movie DRM
– E-book DRM
– Video Game DRM
– Document DRM
192
Applied Cryptography 3/3
• Networking
– Circuit encryption – link (tunnel mode)
or end-to-end (transport mode)
– Secure Shell (SSH)
– IPSec
• AH, ESP, HMAC, ISAKMP
– Wireless networking
• WEP, WPA, WPA2
• IEEE 802.1x
193
Cryptographic Attacks 1/2
• Analytic attack
• Implementation attack
• Statistical attack
• Brute force
• Rainbow tables
• Scalable computing hardware
• Salting
• Frequency analysis and ciphertext only
attack
194
Cryptographic Attacks 2/2
• Known plaintext
• Chosen ciphertext
• Chosen plaintext
• Meet in the middle
• Man in the middle
• Birthday attack
– Collision attack or reverse hash matching
• Replay
195
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
196
Chapter 8
Principles of Security Models, Design, and Capabilities
199
Closed and Open Systems
• Closed system
– Proprietary standards
– Hard to integrate
– Possibly more secure
• Open system
– Open or industry standards
– Easier to integrate
• Open source vs. closed source
200
Techniques for Ensuring Confidentiality,
Integrity, and Availability
• Confinement
– Sandboxing
• Bounds
• Isolation
201
Controls
• Discretionary access control
• Mandatory access control
• Rule-based access control
202
Trust and Assurance
• Integrated before and during design
• Security must be:
– Engineered, implemented, tested, audited,
evaluated, certified, and accredited
• Trusted system
– Security mechanisms work together to provide
a secure computing environment
• Assurance
– Degree of confidence in satisfaction of security
needs
203
Understand the Fundamental
Concepts of Security Models
• Trusted Computing Base
• State Machine Model
• Information Flow Model
• Noninterference Model
• Take-Grant Model
• Access Control Matrix
• Bell-LaPadula Model
• Biba Model
• Clark-Wilson Model
• Brewer and Nash Model (aka Chinese Wall)
• Goguen-Meseguer Model
• Sutherland Model
• Graham-Denning Model
204 overview
Trusted Computing Base
• Defined in DoD 5200.28 Orange Book
– Trusted Computer System Evaluation
Criteria (TCSEC)
• Security perimeter
• Trusted paths
• Reference monitor
• Security kernel
205
State Machine Model
• Always secure no matter what state
it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security
models
206
Information Flow Model
• Based on the state machine model
• Prevent unauthorized, insecure, or
restricted information flow
• Controls flow between security
levels
• Can be used to manage state
transitions
207
Noninterference Model
• Based on information flow model
• Separates actions of subjects at
different security levels
• Composition theories
– Cascading
– Feedback
– Hookup
208
Take-Grant Model
• Dictates how rights can be passed
between subjects
• Take rule
• Grant rule
• Create rule
• Remove rule
209
Access Control Matrix
• A table of subjects, objects, and
access
• Columns are ACLs
• Rows are capability lists
• Can be used in DAC, MAC, or RBAC
210
Bell-LaPadula Model 1/2
• Based on DoD multilevel security policy
• Focuses only on confidentiality
• Lattice based access control
• Simple security property
– No read up
• * (star) security property
– No write down
• Discretionary security property
– Access control matrix for DAC
211
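The access control matrix slide (ACL columns, capability-list rows) and the three Bell-LaPadula properties above, worked as one added Python example; this is not code from the slides or the CISSP book, and the levels, compartments, subjects and objects are constructed for illustration.

```python
"""Bell-LaPadula mediation over a lattice, with an access control matrix for
the discretionary property.  Added example; labels and names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set

# Hierarchical classifications (constructed ordering; any total order works)
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice element: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # L1 dominates L2 iff its level is at least as high AND its compartment
        # set is a superset; labels with disjoint compartments are incomparable.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class AccessMatrix:
    """Subjects are rows (capability lists); objects are columns (ACLs)."""
    cells: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)

    def grant(self, subject: str, obj: str, *modes: str) -> None:
        self.cells.setdefault(subject, {}).setdefault(obj, set()).update(modes)

    def capability_list(self, subject: str) -> Dict[str, Set[str]]:
        return self.cells.get(subject, {})          # one row of the matrix

    def acl(self, obj: str) -> Dict[str, Set[str]]:
        return {s: o[obj] for s, o in self.cells.items() if obj in o}  # one column

    def permits(self, subject: str, obj: str, mode: str) -> bool:
        return mode in self.cells.get(subject, {}).get(obj, set())


@dataclass
class BLPMonitor:
    """Reference-monitor style check: all three BLP properties must hold."""
    subjects: Dict[str, Label]
    objects: Dict[str, Label]
    matrix: AccessMatrix

    def check(self, subject: str, obj: str, mode: str) -> bool:
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":
            mandatory_ok = s.dominates(o)      # simple security property: no read up
        elif mode == "write":
            mandatory_ok = o.dominates(s)      # *-property: no write down
        else:
            raise ValueError(f"unknown access mode {mode!r}")
        # Discretionary security property: the matrix must also allow the access
        return mandatory_ok and self.matrix.permits(subject, obj, mode)


def demo_monitor() -> BLPMonitor:
    """Constructed sample configuration (hypothetical subjects and objects)."""
    subjects = {
        "analyst": Label("SECRET", frozenset({"NUC"})),
        "clerk": Label("CONFIDENTIAL"),
    }
    objects = {
        "nuc_report": Label("SECRET", frozenset({"NUC"})),
        "crypto_memo": Label("SECRET", frozenset({"CRYPTO"})),
        "public_notice": Label("UNCLASSIFIED"),
        "ts_plan": Label("TOP SECRET", frozenset({"NUC"})),
    }
    m = AccessMatrix()
    # DAC entries decided by owners; MAC is still enforced on top of them
    m.grant("analyst", "nuc_report", "read", "write")
    m.grant("analyst", "public_notice", "read", "write")
    m.grant("analyst", "crypto_memo", "read")
    m.grant("analyst", "ts_plan", "write")
    m.grant("clerk", "public_notice", "read")
    m.grant("clerk", "nuc_report", "read")
    return BLPMonitor(subjects, objects, m)
```

Note that the analyst's ACL entry on crypto_memo never takes effect: the compartments make the two labels incomparable, so the lattice check fails before the matrix is consulted.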
Bell-LaPadula Model 2/2
212
Biba Model 1/2
• Based on the inverse of Bell-LaPadula
• Focuses only on integrity
• Simple integrity property
– No read up
• * (star) integrity property
– No write down
• Prevent modification by unauthorized
subjects
• Prevent unauthorized modifications
• Protect internal and external consistency
213
Biba Model 2/2
214
Clark-Wilson Model 1/2
• Focuses on integrity
• Access control triplet
• Controls access through an
intermediary program or restricted
interface
• Well-formed transactions
• Separation of duties
215
Clark-Wilson Model 2/2
• Constrained data item (CDI)
– Any data item whose integrity is
protected
• Unconstrained data item (UDI)
– Any data item that is not
controlled/protected
• Integrity verification procedure (IVP)
– A procedure that scans data items and
confirms their integrity
• Transformation procedures (TPs)
– The only procedures allowed to modify a
CDI
216
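The Clark-Wilson terms on the two slides above (CDI, UDI, IVP, TP, well-formed transactions, separation of duties) as an added Python example; this is not code from the slides or the book, and the ledger, users and TP names are constructed.

```python
"""Clark-Wilson integrity model as an added example (constructed ledger).
CDIs are account balances; TPs are the only path that may change them."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set, Tuple


class IntegrityViolation(Exception):
    """Raised when a certification or enforcement rule would be broken."""


@dataclass
class ClarkWilsonSystem:
    cdis: Dict[str, int] = field(default_factory=dict)            # constrained data items
    tps: Dict[str, Callable] = field(default_factory=dict)        # transformation procedures
    certified: Dict[str, Set[str]] = field(default_factory=dict)  # TP -> CDIs it may touch
    allowed: Set[Tuple[str, str]] = field(default_factory=set)    # (user, TP) authorizations
    conflicts: Set[FrozenSet[str]] = field(default_factory=set)   # separation-of-duty pairs
    log: List[tuple] = field(default_factory=list)                # append-only audit trail

    def ivp(self) -> bool:
        """Integrity verification procedure: every CDI is in a valid state
        (for this ledger, no negative balance)."""
        return all(balance >= 0 for balance in self.cdis.values())

    def register_tp(self, name: str, fn: Callable, cdis: Set[str]) -> None:
        """Certify a TP for the CDIs it is allowed to modify."""
        self.tps[name] = fn
        self.certified[name] = set(cdis)

    def authorize(self, user: str, tp: str) -> bool:
        """Add a (user, TP) pair; refuse it if it would combine conflicting duties."""
        for other in {t for (u, t) in self.allowed if u == user}:
            if frozenset({tp, other}) in self.conflicts:
                return False
        self.allowed.add((user, tp))
        return True

    def run(self, user: str, tp: str, *cdi_names: str, **args) -> None:
        """Execute a well-formed transaction: authorized user, certified TP,
        atomic change, IVP re-checked afterwards, and logged."""
        if (user, tp) not in self.allowed:
            raise IntegrityViolation(f"{user} is not authorized to run {tp}")
        if not set(cdi_names) <= self.certified.get(tp, set()):
            raise IntegrityViolation(f"{tp} is not certified for {cdi_names}")
        snapshot = dict(self.cdis)
        try:
            self.tps[tp](self.cdis, *cdi_names, **args)
            if not self.ivp():
                raise IntegrityViolation(f"{tp} left a CDI in an invalid state")
        except Exception:
            self.cdis = snapshot                     # all-or-nothing: roll back
            raise
        self.log.append((user, tp, cdi_names, args))


def tp_transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    cdis[src] -= amount
    cdis[dst] += amount


def tp_ingest(cdis: Dict[str, int], dst: str, raw: str) -> None:
    """Takes a UDI (untrusted raw input) and either validates it into a CDI
    or rejects it; a UDI must never reach a CDI any other way."""
    if not raw.isdigit():
        raise IntegrityViolation(f"rejected UDI {raw!r}")
    cdis[dst] += int(raw)


def attempt(system: ClarkWilsonSystem, user: str, tp: str, *cdi_names: str, **args) -> bool:
    """Run a TP and report whether the transaction was accepted."""
    try:
        system.run(user, tp, *cdi_names, **args)
        return True
    except IntegrityViolation:
        return False


def build_demo() -> ClarkWilsonSystem:
    """Constructed configuration: alice moves money, bob audits, never both."""
    s = ClarkWilsonSystem(cdis={"acct_a": 100, "acct_b": 100})
    s.register_tp("transfer", tp_transfer, {"acct_a", "acct_b"})
    s.register_tp("ingest", tp_ingest, {"acct_a"})
    s.register_tp("audit_adjust", tp_transfer, {"acct_a", "acct_b"})
    s.conflicts.add(frozenset({"transfer", "audit_adjust"}))   # separation of duties
    s.authorize("alice", "transfer")
    s.authorize("alice", "ingest")
    s.authorize("bob", "audit_adjust")
    return s
```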
Brewer and Nash Model
(aka Chinese Wall)
• Prevents conflicts of interest
• Based on dynamic access changes
based on user activity
• Access to conflicting data is
temporarily blocked
217
Goguen-Meseguer Model
• Focuses on integrity
• The basis of the noninterference
model
• Based on a predetermined set/domain
of objects a subject can access
• Based on automaton theory and
domain separation
218
Sutherland Model
• Focuses on integrity
• Prevent interference in support of
integrity
• Defines a set of system states, initial
states, and state transitions
• Commonly used to prevent covert
channels from influencing processes
219
Graham-Denning Model
• Secure management of objects and
subjects
• Securely create object/subject
• Securely delete object/subject
• Securely provide read access right
• Securely provide grant access right
• Securely provide delete access right
• Securely provide transfer access right
220
Select Controls and Countermeasures
Based on Systems Security Evaluation
Models
• Rainbow Series
• ITSEC Classes and Required
Assurance and Functionality
• Common Criteria
• Industry and International Security
Implementation Guidelines
• Certification and Accreditation
221 overview
Rainbow Series
• TCSEC – Orange Book
– Confidentiality
– D, C1, C2, B1, B2, B3, A1
• Red Book
– Trusted Network Interpretation of TCSEC
– Confidentiality and Integrity
– None, C1, C2, B2
• Green Book
– Password management guidelines
222
ITSEC Classes and Required
Assurance and Functionality
• Rates functionality (F) and
assurance (E)
• F-D through F-B3
• E0 through E6
• Confidentiality, integrity, and
availability
223
Common Criteria
• Designed to replace prior systems
• ISO 15408
• Protection profiles
• Security targets
• Evaluation Assurance Level (EAL)
• Part 1: Introduction and General Model
• Part 2: Security Functional
Requirements
• Part 3: Security Assurance
224
Industry and International Security
Implementation Guidelines
225
Certification and Accreditation
• Certification
– Comprehensive evaluation of security
against security requirements
• Accreditation
– Formal designation by DAA that system
meets organizational security needs
• Risk Management Framework (RMF)
• Committee on National Security Systems
Policy (CNSSP)
– Phase 1: Definition, 2: Verification, 3:
Validation, 4: Post Accreditation
226
Understand Security Capabilities of
Information Systems
• Memory Protection
– Meltdown and Spectre
• Virtualization
• Trusted Platform Module
– Hardware security module (HSM)
• Interfaces
– Constrained or restricted
• Fault Tolerance
227
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
228
Chapter 9
Security Vulnerabilities, Threats,
and Countermeasures
230 overview
Hardware Components
• Processor / central processing unit
(CPU)
• Execution types:
– Multitasking
– Multicore
– Multiprocessing: SMP and MPP
– Multiprogramming
– Multithreading
• Processing types:
– Single state
– Multistate
231
Protection Mechanisms 1/3
• Protection rings
– Kernel mode or
privileged mode
– User mode
– Mediated access/system call
232
Protection Mechanisms 2/3
• Process states/Operating states
– OS: supervisory or problem
– Processes: Ready, Waiting, Running,
Supervisory, Stopped
– Process scheduler or program
executive
233
Protection Mechanisms 3/3
• Security Modes
– Requirements:
• MAC
• Physical control over who can access console
• Physical control over who can enter room
– Dedicated
– System high
– Compartmented
– Multilevel
234
Memory
• Read only memory (ROM)
– Programmable Read-Only Memory (PROM)
– Erasable Programmable Read-Only Memory
(EPROM)
– Electronically Erasable Programmable Read-
Only Memory (EEPROM)
– Flash
• Random access memory (RAM)
– Real
– Cache
– Registers
235
Memory Addressing
• Register
• Immediate
– Related to a register or as part of an instruction
• Direct
– Actual address of memory location
• Indirect
– An address of memory location which holds the
address of the target data
• Base plus Offset
– Base address stored in a register, offset is relative
location
236
Secondary Memory 1/2
• Magnetic, optical, or flash media
• Not immediately available to CPU
• Virtual memory
– Paging
• Security issues
– Theft, purging, physical access
• Primary vs. secondary
• Volatile vs. nonvolatile
• Random vs. sequential
237
Secondary Memory 2/2
• Data remanence
• SSD wear leveling
• Theft – encryption
• Device access control
• Data retention over use lifetime –
availability
238
Input/Output Devices
• Monitors
• Printers
• Keyboards and mice
• Modems
239
Firmware
• Microcode
• Basic Input/Output System (BIOS)
• Unified Extensible Firmware
Interface (UEFI)
• Phlashing
• Device firmware
– EEPROM
240
Client-Based Systems 1/2
• Applets
– Java and JVM
– ActiveX
• Local Caches 1/2
– ARP
• ARP cache poisoning
241
Client-Based Systems 2/2
• Local Caches 2/2
– DNS
• DNS cache poisoning:
– HOSTS file
– Authorized DNS
– Caching DNS
– DNS lookup address change
– DNS query spoofing
• Defense: split DNS, IDS
– Internet files
• Temporary Internet files and cache
242
Server Based Systems
• Data flow control
• Load balancing
• Management between processes,
devices, networks, or communication
channels
• Efficient transmission with minimal
delays or latency
• Reliable throughput using hashing and
confidentiality protection with
encryption
243
Database Systems Security
• Aggregation
• Inference
• Data Mining and Data Warehousing
– Data dictionary
– Meta data
– Data mart
• Data Analytics
– Big Data
• Large-Scale Parallel Data Systems
– AMP, SMP, MPP
244
Distributed Systems and
Endpoint Security
• Host/terminal model
• Client-server model
• Distributed architectures
• Endpoint security
– Screening/filtering email
– Download/upload policies
– Robust access controls
– Restricted user-interfaces
– File encryption
– (see list in book)
245
Cloud-Based Systems and
Cloud Computing 1/3
• Hypervisor, virtual machine monitor
(VMM)
– Type I hypervisor (native or bare-metal
hypervisor)
– Type II hypervisor (hosted hypervisor)
• Cloud storage
• Elasticity
• Cloud computing
– PaaS
– SaaS
– IaaS
246
Cloud-Based Systems and
Cloud Computing 2/3
• On-premise vs. hosted vs. cloud
• Private, public, hybrid, community
• Issues:
– Privacy concerns
– Regulation compliance difficulties
– Use of open/closed-source solutions
– Adoption of open standards
– Whether or not cloud-based data is
actually secured (or even securable)
247
Cloud-Based Systems and
Cloud Computing 3/3
• Cloud access security broker (CASB)
• Security as a service (SECaaS)
• Cloud shared responsibility model
248
Grid and Peer to Peer
• Grid Computing
– Parallel distributed processing
– Members can enter and leave at will
– Work content is potentially exposed publicly
– Work packets are sometimes not returned,
returned late, or returned corrupted
• Peer to Peer
– No central management system
– Services provided are usually real time
– VoIP, file distribution, A/V
streaming/distribution
249
Internet of Things
• Smart devices
• Automation, remote control, or AI
processing
• Extensions or replacements of existing
devices, equipment, or systems
• Security may not be integrated
– Top concerns: access and encryption
• Consider deploying in isolated subnet
250
Industrial Control Systems
• Distributed Control Systems (DCS)
– Manage/control industrial processes over a
large-scale deployment from a single location
• Programmable Logic Controllers (PLC)
– Single-purpose or focused-purpose digital
computers
• Supervisory Control and Data Acquisition
(SCADA)
– Stand-alone or internetworked
• Does not always properly address security
251
Assess and Mitigate Vulnerabilities in
Web-Based Systems 1/2
252
Assess and Mitigate Vulnerabilities in
Web-Based Systems 2/2
253
Assess and Mitigate Vulnerabilities
in Mobile Systems
• Device Security
• Application Security
• BYOD Concerns
254 overview
Device Security 1/2
• Full device encryption
• Remote wiping
• Lockout
• Screen locks
• GPS
• Application control
• Storage segmentation
• Asset tracking
255
Device Security 2/2
• Inventory control
• Mobile Device Management (MDM)
• Device access control
• Removable storage
• Disabling unused features
256
Application Security
• Key management
• Credential management
• Authentication
• Geotagging
• Encryption
• Application whitelisting
257
BYOD Concerns 1/3
• Bring your own device (BYOD)
• Company owned, personally enabled
(COPE)
• Choose your own device (CYOD)
• Corporate-owned mobile strategy
• Virtual desktop infrastructure (VDI)
• Virtual mobile infrastructure (VMI)
258
BYOD Concerns 2/3
• Data ownership
• Support ownership
• Patch management
• Antivirus management
• Forensics
• Privacy
• Onboarding/offboarding
• Adherence to corporate policies
259
BYOD Concerns 3/3
• User acceptance
• Architecture/infrastructure
considerations
• Legal concerns
• Acceptable use policy
• Onboard camera/video
260
Assess and Mitigate Vulnerabilities in
Embedded Devices and Cyber-Physical
Systems
• Embedded system
• Static system, static environment
• Examples of embedded and static
systems
• Methods of securing
261 overview
Examples of
Embedded and Static Systems
• Network-enabled devices
• Cyber-physical systems
• Internet of Things (IoT)
• Mainframes
• Game consoles
• In-vehicle computing systems
262
Methods of Securing
• Network segmentation
• Security layers
• Application firewalls
• Manual updates
• Firmware version control
• Wrappers
• Monitoring
• Control redundancy and diversity
263
Essential
Security Protection Mechanisms
• Technical Mechanisms
• Security Policy and Computer
Architecture
• Policy Mechanisms
264 overview
Technical Mechanisms
• Layering
• Abstraction
• Data hiding
• Process isolation
• Hardware segmentation
265
Security Policy and
Computer Architecture
• Informs and guides design,
development, implementation,
testing, and maintenance
• Define rules and practices
• Addresses hardware and software
266
Policy Mechanisms
• Principle of least privilege
• Separation of privilege
• Accountability
267
Common Architecture Flaws and
Security Issues 1/2
• Covert Channels
– Covert timing channels
– Covert storage channels
• Attacks Based on Design or Coding
Flaws and Security Issues
– Trusted recovery
– Input and parameter checking
– Maintenance hooks and privileged
programs
– Incremental attacks
• Data diddling, salami (aggregation) attack
268
Common Architecture Flaws and
Security Issues 2/2
• Programming
– Sanitize input, buffer overflow, exceptions,
testing
• Timing, State Changes, and Communication
Disconnects
– Time of check to time of use (TOCTOU) attacks
• Technology and Process Integration
– Service-oriented architecture (SOA)
• Electromagnetic Radiation
– TEMPEST
– Faraday cage
– Jamming, noise generators, control zones
269
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
270
Chapter 10
Physical Security Requirements
272 overview
Secure Facility Plan
• Critical path analysis
• Security for basic requirements
• Technology convergence
• Include security staff in design
considerations
273
Site Selection
• Cost
• Location
• Size
• Security requirements
• Pre-existing structure or custom
construction
• Proximity to others
• Weather conditions
274
Visibility
• Surrounding terrain
• Vehicle and foot traffic
• Residential, business, or industrial
area
• Line of sight
• Crime rate
• Emergency services
• Unique local hazards
275
Natural Disasters
• Common local natural disasters
• Severe weather patterns
• Protection for workers and assets
276
Facility Design
• Based on level of security needs
• Combustibility, fire rating
• Construction materials
• Load rating
• Intrusion, emergency access, resistance
to entry
• Security architecture
• Crime Prevention through
Environmental Design (CPTED)
277
Implement Site and Facility
Security Controls
• Design concepts
• Equipment failure
• Wiring closets
• Cable plant management policy
• Server rooms/data centers
• Media storage facilities
• Evidence storage
• Restricted and work area security
• Utilities and HVAC considerations
• Water issues
• Fire prevention, detection, and suppression
278 overview
Design Concepts
• Administrative physical security
controls
• Technical physical security controls
• Physical controls for physical security
• Corporate vs. personal property
• Deterrence
• Denial
• Detection
• Delay
279
Equipment Failure
• Failure is inevitable
• Purchase replacement parts as
needed
• Onsite replacement warehousing
• SLA with vendors
• MTTF
• MTTR
• MTBF
280
Wiring Closets
• Premises wire distribution room
• Intermediate distribution facilities (IDF)
• Prevent physical unauthorized access
• Do not use as general storage
• Do not store flammable materials
• Use video surveillance
• Perform regular physical inspections
281
Cable Plant Management Policy
• Entrance facility
• Equipment room
• Backbone distribution system
• Telecommunications room
• Horizontal distribution system
282
Server Rooms/Data Centers
• Need not be human compatible
• Locate in core of building
• One hour minimum fire rating for walls
• Physical access control:
– Smartcards, proximity readers, IDS
• Access abuses:
– Masquerade, piggyback
• Emanation security
– Faraday cages, white noise, and control zones
283
Media Storage Facilities
• Store blank, reusable, and
installation media
• Data remnants
• Use a locked cabinet
• Have a librarian or custodian
• Check-in/check-out process
• Sanitization, zeroization
284
Evidence Storage
• Becoming important business task
• Drive images and virtual machine
snapshots
• Distinct from production
• Block Internet access
• Track all activities
• Calculate hashes of all files
• Limit access
• Encrypt stored data
285
Restricted and Work Area Security
• Operations centers
• Distinct and controlled area access
• Walls or partitions
• Shoulder surfing
• Assign classifications
• Track assets with RFID
• Sensitive Compartmented
Information Facility (SCIF)
286
Utilities and HVAC Considerations
• UPSes
– Double conversion UPS
– Line-interactive UPS
• Surge protectors
• Generators
• Fault, blackout, sag, brownout, spike,
surge, inrush, noise, transient, clean,
ground
• EMI vs. RFI
• Temperature, humidity, static
287
Water Issues
• Leakage
• Flooding
• Electrocution
• Water detection circuits
• Shutoff valves
• Drainage locations
288
Fire Prevention, Detection, and
Suppression 1/3
• Fire triangle: fuel, heat, oxygen,
combustion
• Stages: Incipient, smoke, flame,
heat
289
Fire Prevention, Detection, and
Suppression 2/3
• Fire extinguisher classes:
290
Fire Prevention, Detection, and
Suppression 3/3
• Fire detection systems:
– Fixed temperature, rate-of-rise, flame-
actuated, smoke-actuated
• Water suppression
– Wet pipe, dry pipe, pre-action, deluge
• Gas suppression
– CO2, Halon, FM-200, alternatives
• Damage
– Smoke, heat, suppression media
291
Implement and
Manage Physical Security
• Perimeter Security Controls
• Internal Security Controls
292 overview
Perimeter Security Controls
• Fences
• Gates
• Turnstiles
• Mantraps
• Lighting
• Security guards and dogs
293
Internal Security Controls 1/2
• Keys and combination locks
• Electronic access control (EAC) locks
• Badges
• Motion detectors
– Infrared, heat, wave pattern, capacitance,
photoelectric, passive audio
• Intrusion alarms
– Deterrent alarms, repellant alarms,
notification alarms
– Local alarm, central station, auxiliary station
294
Internal Security Controls 2/2
295
Conclusion
• Read the Exam Essentials
• Review the Chapter
• Perform the Written Labs
• Answer the Review Questions
296
Chapter 11
Secure Network Architecture and
Securing Network Components
298 overview
History of the OSI Model
• Developed after TCP/IP was created
• Abstract framework
• Theoretical model
• Common reference point
299
OSI Functionality
• Seven layers
• Manages information flow
• Layers communicate with layers
directly above and below
• Supports peer-layer communication
300
Encapsulation/Deencapsulation
301
OSI Layers
1 – Physical
2 – Data link
3 – Network
4 – Transport
5 – Session
6 – Presentation
7 – Application
303
TCP/IP Model
• DoD or DARPA
model
• 4 layers
– Application/Process
– Transport/Host-to-host
– Internet/Internetworking
– Link
304
TCP/IP Protocol Suite Overview 1/2
305
TCP/IP Protocol Suite Overview 2/2
306
Common Application Protocols 1/2
• Telnet
• File Transfer Protocol (FTP)
• Trivial File Transfer Protocol (TFTP)
• Simple Mail Transfer Protocol (SMTP)
• Post Office Protocol (POP3)
• Internet Message Access Protocol
(IMAP)
• Dynamic Host Configuration Protocol
(DHCP)
307
Common Application Protocols 2/2
308
Implications of
Multilayer Protocols
• Encapsulation
– [ Ethernet [ IP [ TCP [ HTTP ] ] ] ]
– [ Ethernet [ IP [ TCP [ SSL [ HTTP ] ] ] ] ]
– [ Ethernet [ IPSec [ IP [ TCP [ SSL [ HTTP ] ] ] ] ] ]
– [ Ethernet [ IP [ TCP [ HTTP [ FTP ] ] ] ] ]
– [ Ethernet [ IP [ ICMP [ TCP [ HTTP ] ] ] ] ]
• Double encapsulation, VLAN hopping
• Encryption, flexibility, resiliency
• Covert channels, filter bypass,
segmentation violations
309
Domain Name System 1/2
• Top-level domain (TLD)
• Registered domain name
• Subdomain or hostname
• Country codes
• HOSTS
• Primary and secondary
authoritative
• Zone file
310
Domain Name System 2/2
• Resource records
– A and AAAA
– PTR
– CNAME
– MX
– NS
– SOA
• Domain Name System Security
Extensions (DNSSEC)
311
DNS Poisoning
• Falsifying DNS
• Rogue DNS server, DNS spoofing, DNS
pharming
• Query ID (QID)
• Altering HOSTS file
• Corrupt IP configuration
• Proxy falsification
• Defense: filter TCP/UDP 53, NIDS,
DNSSEC
312
Domain Hijacking
• Domain theft
• Credential theft
• Registration of expired domain
313
Converged Protocols
• Merging of specialty or proprietary
protocols with standard protocols
• Fibre Channel over Ethernet (FCoE)
• MPLS (Multiprotocol Label Switching)
• Internet Small Computer System Interface
(iSCSI)
• Voice over IP (VoIP)
• Software-Defined Networking (SDN)
• Content Distribution Networks
314
Wireless Networks
• Securing Wireless Access Points
• Securing the SSID
• Conducting a Site Survey
• Using Secure Encryption Protocols
• Determining Antenna Placement
• Antenna Types
• Adjusting Power Level Controls
• Using Captive Portals
• General Wi-Fi Security Procedure
• Wireless Attacks
315 overview
Securing Wireless Access Points
316
Securing the SSID
• Basic SSID (BSSID)
• Extended SSID (ESSID)
• Disable SSID broadcast
• Beacon frame
317
Conducting a Site Survey
• Signal strength measurements
• Used to optimize deployment of
base stations
• Minimize external access
318
Using Secure Encryption Protocols
1/2
• Open system authentication (OSA) and
shared key authentication (SKA)
• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
– Temporal Key Integrity Protocol (TKIP)
• Wi-Fi Protected Access 2 (WPA2) or
802.11i
– Counter Mode Cipher Block Chaining Message
Authentication Code Protocol (CCMP)
– KRACK (Key Reinstallation AttaCKs)
319
Using Secure Encryption Protocols
2/2
• 802.1x/EAP
– Extensible Authentication Protocol
(EAP)
• Protected Extensible Authentication
Protocol (PEAP)
• Lightweight Extensible
Authentication Protocol (LEAP)
• MAC filter
320
Determining Antenna Placement
321
Antenna Types
• Omnidirectional
• Unidirectional
• Yagi
• Cantenna
• Panel
• Parabolic
322
Adjusting Power Level Controls
• Set by manufacturer
• May be adjustable in software
• Based on site survey results
• Maintain reliable connections
internally
• Minimize connections externally
323
WPS
• Wi-Fi Protected Setup (WPS)
• Base station button or 8-digit PIN
• Enabled by default
• Brute-force guessing possible in
under 6 hours
324
Using Captive Portals
• Authorization system
• Forced interaction with control
page
• May require payment, logon
credentials, or access code
• Displays use policies
• Often found on public access
wireless networks
325
General Wi-Fi Security Procedure
326
Wireless Attacks
• War driving
• War chalking
• Replay
• IV
• Rogue access points
• Evil twin
327
Secure Network Components
• Intranets, extranets
• Network segmentation
• Boost performance
• Reduce communication issues
• Provide security
• VLANs, routers, firewalls
• DMZ
328
Network Access Control
• Prevent/reduce zero day attacks
• Enforce security policy
• Use identities to perform access
control
• Preadmission vs. postadmission
329
Firewalls
• Filtering between network segments
• Static packet filtering
• Application-level gateway
• Circuit-level gateway
• Stateful inspection
• Deep packet inspection firewalls
• Next-gen firewalls
• Multihomed
• Deployment architectures
330
Firewall Deployment Architectures
1/2
331
Firewall Deployment Architectures
2/2
332
Endpoint Security
• Local security on each device
• Reduce network weaknesses
• Use appropriate security measures
on every system
333
Secure Operation of Hardware
334
Cabling, Wireless, Topology, and
Communications Technology
• Transmission media
• Network topologies
• Wireless communications and
security
• LAN technologies
335 overview
Transmission Media
• LAN vs. WAN
• Coax
• Baseband and broadband cables
• Twisted pair
– STP, UTP, categories
• Fiber optic
• Conductors
• 5-4-3 rule
336
Network Topologies
• Ring
• Bus
• Star
• Mesh
337
Wireless Communications and
Security
• Radio wave based communications
– Frequency, Hertz (Hz)
• FHSS, DSSS, OFDM
• Cell phones
• Bluetooth (IEEE 802.15)
• Radio Frequency Identification (RFID)
• Near-field communication (NFC)
• Cordless phones
• Mobile devices
338
LAN Technologies
• Ethernet
• Token Ring
• Fiber Distributed Data Interface (FDDI)
• Analog vs. Digital
• Synchronous vs. Asynchronous
• Baseband vs. Broadband
• Broadcast, Multicast, Unicast
• LAN Media Access
– CSMA, CSMA/CD, CSMA/CA, Token passing,
Polling
339
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
340
Chapter 12
Secure Communications and Network Attacks
342 overview
Secure Communications Protocols
• IPSec
• Kerberos
• Secure Shell (SSH)
• Signal Protocol
• Secure Remote Procedure Call (S-RPC)
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)
343
Authentication Protocols
• Challenge Handshake
Authentication Protocol (CHAP)
• Password Authentication Protocol
(PAP)
• Extensible Authentication Protocol
(EAP)
344
Secure Voice Communications
• Voice over Internet Protocol (VoIP)
– Weaknesses and attacks
– Secure Real-Time Transport Protocol (SRTP)
• Social Engineering
– In person, over the phone, e-mail, IM, social
networks
• PBX Fraud and Abuse
– Direct Inward System Access (DISA)
– Phreakers
– Black box, Red box, Blue box, White box
(DTMF)
345
Multimedia Collaboration
• Remote Meeting
• Instant Messaging
346
Manage Email Security
• Email Security Goals
• Understand Email Security Issues
• Email Security Solutions
347 overview
Email Security Goals
• SMTP, POP, IMAP
• Open relay, closed relay,
authenticated relay
• Nonrepudiation
• Restrict access
• Integrity
• Verify delivery
• Confidentiality
348
Understand Email Security Issues
• Lack of encryption
• Delivery vehicle for malware
• Lack of source verification
• Flooding
• Attachments
349
Email Security Solutions
• Secure Multipurpose Internet Mail
Extensions (S/MIME)
• MIME Object Security Services (MOSS)
• Privacy Enhanced Mail (PEM)
• DomainKeys Identified Mail (DKIM)
• Pretty Good Privacy (PGP)
• Opportunistic TLS for SMTP Gateways
• Sender Policy Framework (SPF)
• Reputation filtering
350
Remote Access Security
Management
• Remote Access and Telecommuting
Techniques
• Plan Remote Access Security
• Dial-Up Protocols
• Centralized Remote Authentication
Services
351 overview
Remote Access and
Telecommuting Techniques
• Service specific
• Remote control
• Screen scraper/scraping
• Remote node operation
352
Plan Remote Access Security
• POTS/PSTN, VoIP, VPN
• Authentication, remote access
justification, encrypted for
confidentiality
• Monitor for abuses
• Remote connectivity technology
• Transmission protection
• Authentication protection
• Remote user assistance
353
Dial-Up Protocols
• Point-to-Point Protocol (PPP)
• Serial Line Internet Protocol (SLIP)
354
Centralized Remote
Authentication Services
• Remote Authentication Dial-In User
Service (RADIUS)
• Terminal Access Controller Access-
Control System (TACACS+)
– TACACS, XTACACS
355
Virtual Private Network
• Tunneling
• How VPNs Work
• Common VPN Protocols
– PPTP, L2F, L2TP, IPSec
– SSH, TLS
• Virtual LAN
356
Virtualization
• Hypervisors
– VM escaping
• Virtual Software
– Virtual applications
– Virtual desktop
• Virtual Networking
– Software Defined Network (SDN)
– Network virtualization
– Virtual SAN
357
Network Address Translation
• Private IP Addresses (RFC 1918)
– 10.0.0.0–10.255.255.255 (a full Class A range)
– 172.16.0.0–172.31.255.255 (16 Class B ranges)
– 192.168.0.0–192.168.255.255 (256 Class C ranges)
• Stateful NAT
• Port Address Translation (PAT)
• Static and Dynamic NAT
• Automatic Private IP Addressing (APIPA)
– 169.254.x.y
• Loopback Address
358
Switching Technologies
• Circuit switching
– Constant traffic
– Fixed known delays
– Connection oriented
– Sensitive to connection loss
– Used primarily for voice
• Packet switching
– Bursty traffic
– Variable delays
– Connectionless
– Sensitive to data loss
– Used for any type of traffic
• Virtual Circuits
– PVCs and SVCs
359
WAN Technologies 1/2
• WAN Connection Technologies 1/2
– Dedicated vs. Nondedicated
– DS-0, DS-1, DS-3, T1, T3
– ISDN
• BRI vs. PRI
– Channel Service Unit/Data Service Unit
(CSU/DSU)
– Data Terminal Equipment/Data Circuit-
Terminating Equipment (DTE/DCE)
– X.25
360
WAN Technologies 2/2
• WAN Connection Technologies 2/2
– Frame Relay
• Committed Information Rate (CIR)
– ATM
– Switched Multimegabit Data Service
(SMDS)
– Synchronous Digital Hierarchy (SDH)
– Synchronous Optical Network (SONET)
– SDLC, HDLC
361
Miscellaneous Security Control
Characteristics
• Transparency
• Verify Integrity
• Transmission Mechanisms
– Logging
– Error correction
362
Security Boundaries
• Areas of different security
requirements
• Classifications
• Physical vs. logical
• Should be clearly defined
363
Prevent or Mitigate Network
Attacks
• DoS and DDoS
• Eavesdropping
• Impersonation/masquerading
• Replay attacks
• Modification attacks
• Address resolution protocol spoofing
• DNS poisoning, spoofing, and hijacking
• Hyperlink spoofing
364
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
365
Chapter 13
Managing Identity and Authentication
367
Comparing Identification and
Authentication 1/5
• Identification and Authentication
• Registration and Proofing of Identity
• Authorization and Accountability
• Authentication Factors
– Type 1: Something you know
– Type 2: Something you have
– Type 3: Something you are
– Somewhere you are
– Context-aware authentication
368
Comparing Identification and
Authentication 2/5
• Passwords
– Strong passwords
• Age, complexity, length, history
– Passphrases
– Cognitive
• Smartcards
– Common Access Card (CAC)
– Personal Identity Verification (PIV)
card
369
Comparing Identification and
Authentication 3/5
• Tokens
– One-time passwords
– Synchronous Dynamic Password Tokens
– Asynchronous Dynamic Password Tokens
• Two-step authentication
– HMAC-based One-Time Password (HOTP)
– Time-based One-Time Password (TOTP)
– Email or SMS PIN challenge
370
Comparing Identification and
Authentication 4/5
• Biometrics
– Fingerprints, face, retina, iris, palm, hand
geometry, heart/pulse, voice, signature,
keystroke
– Errors:
• Type 1: False Rejection Rate (FRR)
• Type 2: False Acceptance Rate (FAR)
• Crossover error rate (CER)
• Enrollment
• Reference profile/template
• Throughput rate
371
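FRR, FAR and CER are only meaningful relative to the matching threshold: raising it rejects more legitimate users (Type I errors go up) while admitting fewer impostors (Type II errors go down), and the crossover error rate is the threshold where the two curves meet. The code below is an added example, not from the slides or the study guide. The matcher scores are constructed, not real biometric data; it sweeps every threshold and reports the crossover, which is how a vendor's CER figure is produced from enrollment-test data.

```python
# Constructed similarity scores (0-100, higher = closer match to the reference template).
# "Genuine" are real enrolled users, "impostor" are other people's attempts.
GENUINE = [88, 91, 75, 95, 82, 79, 90, 68, 85, 93]
IMPOSTOR = [40, 55, 62, 71, 48, 30, 66, 58, 45, 73]


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) when a score >= threshold is accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)     # Type I: reject legit user
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)  # Type II: accept impostor
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep thresholds 0..100 and return (threshold, FRR, FAR) where |FRR - FAR| is smallest.

    The first threshold reaching the minimum gap wins, so the answer is deterministic.
    """
    best = None
    for t in range(0, 101):
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1], best[2], best[3]
```

A high-security door should be tuned above the CER (accept more false rejections), a convenience-driven phone unlock below it; the CER itself is just the single number that lets two systems be compared.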
Comparing Identification and
Authentication 5/5
• Multifactor Authentication
• Device Authentication
– Device fingerprinting
– 802.1X
• Service Authentication
– Application accounts
372
Implementing Identity
Management 1/2
• Centralized vs. decentralized
• Single Sign-On
– LDAP and PKI
– Kerberos
• KDC, TGT, ST
– Federated Identity Management
• Security Assertion Markup Language (SAML),
Service Provisioning Markup Language (SPML),
Extensible Access Control Markup Language
(XACML)
• OAuth 2.0, OpenID, OpenID Connect
– Scripted access
373
Implementing Identity
Management 2/2
• Credential Management Systems
• Integrating Identity Services
– Identity and access as a service (IDaaS)
• Managing Sessions
• AAA Protocols
– Remote Authentication Dial-in User Service
(RADIUS)
– Terminal Access Controller Access-Control
System (TACACS/TACACS+)
– Diameter
374
Managing the Identity and
Access Provisioning Lifecycle
• Provisioning
• Account Review
– Excessive privilege
– Privilege creep
• Account Revocation
375
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
376
Chapter 14
Controlling and Monitoring Access
378 overview
Comparing Permissions, Rights,
and Privileges
• Permissions
– Access granted for an object
• Rights
– Ability to take action on an object
• Privileges
– Combination of rights and permissions
379
Understanding Authorization
Mechanisms
• Implicit deny
• Access control matrix
• Capability tables
• Constrained interface
• Content-dependent control
• Context-dependent control
• Need to know
• Least privilege
• Separation of duties and
responsibilities
380
Defining Requirements with a
Security Policy
• Clarifies requirements
• Shows senior leadership support
• Sets guidelines and parameters
381
Implementing Defense in Depth
382
Summarizing
Access Control Models
• Discretionary Access Control (DAC)
• Role Based Access Control (RBAC)
• Rule-based access control (rule BAC)
• Attribute Based Access Control
(ABAC)
• Mandatory Access Control (MAC)
383
Discretionary Access Controls
384
Nondiscretionary Access Controls
• Centrally administered
• Changes affect entire environment
• Not based on identity, instead uses
rules
• Less flexible
385
Role Based Access Control
• Based on subject’s role or assigned
tasks
• Enforces principle of least privilege
• Related to job descriptions and work
functions
• Useful in dynamic environments
• Often implemented using groups (via
DAC)
• Task based access control (TBAC)
386
Rule-Based Access Controls
• Rules, restrictions, filters
• Global rules apply to all subjects
• Firewall and router rules/filters
387
Attribute Based Access Controls
388
Mandatory Access Control
• Based on classifications
• Top Secret, Secret, Confidential
• Confidential/Proprietary, Private,
Sensitive, Public
• Need to know
• Prohibitive rather than permissive
• Hierarchical
• Compartmentalization
• Hybrid
389
Understanding Access Control
Attacks
• Risk Elements
• Identifying Assets
• Identifying Threats
• Threat Modeling Approaches
• Identifying Vulnerabilities
• Common Access Control Attacks
• Summary of Protection Methods
390 overview
Risk Elements
• Risk
• Assets
• Threat
• Vulnerability
• Risk Management
391
Identifying Assets
• Asset valuation
• Tangible value
• Intangible value
• Cost-benefit analysis
392
Identifying Threats
• Threat modeling
• Secure by Design, Secure by Default,
Secure in Deployment and
Communication (SD3+C)
• Goals:
– Reduce number of defects
– Reduce severity of remaining defects
• Advanced Persistent Threat (APT)
393
Threat Modeling Approaches
• Focused on assets
• Focused on attackers
• Focused on software
394
Identifying Vulnerabilities
• Vulnerability analysis
• Weakness to threat
• Technical and administrative
• Vulnerability scans
395
Common Access Control
Attacks 1/2
• Impersonation
• Access aggregation
• Password
– Dictionary
– Brute force
– Birthday
– Rainbow table
• Sniffer
396
Common Access Control
Attacks 2/2
• Spoofing
• Social engineering
– Phishing
• Drive-by download
– Spear phishing
– Whaling
– Vishing
• Smartcard
– Side-channel attack
397
Summary of Protection Methods
398
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
399
Chapter 15
Security Assessment and Testing
• Security Testing
– Verify controls are functioning
properly
• Security Assessments
– Comprehensive review of security
infrastructure
• Security Audits
– Independent assessment of security
by third party
401
Review Security Controls 1/2
• Availability of security testing resources
• Criticality of the systems and applications
protected by the tested controls
• Sensitivity of information contained on
tested systems and applications
• Likelihood of a technical failure of the
mechanism implementing the control
• Likelihood of a misconfiguration of the
control that would jeopardize security
402
Review Security Controls 2/2
• Risk that the system will come under
attack
• Rate of change of the control
configuration
• Other changes in the technical
environment that may affect the
control performance
• Difficulty and time required to perform
a control test
• Impact of the test on normal business
operations
403
Security Audits 1/2
• Internal audits
• External audits
• Third-party audits
– American Institute of Certified Public
Accountants (AICPA): Statement on
Standards for Attestation Engagements
document 16 (SSAE 16), “Reporting on
Controls”; since superseded by SSAE 18
• Type I reports provide a description of
the controls
• Type II reports address effectiveness of
controls
404
Security Audits 2/2
• Auditing Standards
– Control Objectives for Information and
related Technologies (COBIT)
– International Organization for
Standardization (ISO) ISO 27001
405
Performing Vulnerability
Assessments 1/3
• Describing Vulnerabilities: Security
Content Automation Protocol (SCAP)
– Common Vulnerabilities and Exposures (CVE)
– Common Vulnerability Scoring System (CVSS)
– Common Configuration Enumeration (CCE)
– Common Platform Enumeration (CPE)
– Extensible Configuration Checklist Description
Format (XCCDF)
– Open Vulnerability and Assessment Language
(OVAL)
406
Performing Vulnerability
Assessments 2/3
• Vulnerability Scans
– Network discovery scans
• TCP SYN, TCP Connect, TCP ACK, XMAS
– Network vulnerability scans
• False positive vs. false negative
– Web application vulnerability scans
– Database vulnerability scanning
– Vulnerability Management Workflow
• Detection, validation, remediation
407
Performing Vulnerability
Assessments 3/3
• Penetration Testing
– Phases:
• Planning, information gathering and
discovery, vulnerability scanning,
exploitation, reporting
– Forms:
• White box
• Gray box
• Black box
408
Testing Your Software
• Code Review and Testing
• Interface Testing
• Misuse Case Testing
• Test Coverage Analysis
• Website Monitoring
409 overview
Code Review and Testing
• Code review
• Peer review
• Fagan inspections
– When code flaws may have catastrophic
impact
– Planning, overview, preparation,
inspection, rework, follow-up
• Static testing vs. dynamic testing
• Fuzz testing
– Mutation, generational, bit flipping
410
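Mutation fuzzing takes a valid seed input, flips bits in it and feeds the result to the code under test, watching for crashes rather than for wrong answers; the bug class it finds most reliably is a parser that trusts a length field. The example below is an added one, not from the slides or the study guide. It constructs a tiny frame format ([length][payload][XOR checksum]) with a deliberately missing bounds check, a bit-flipping mutator, and a harness that treats ValueError as graceful rejection and anything else as a crash, then shows the hardened parser surviving the same campaign.

```python
import random


def xor_all(b: bytes) -> int:
    v = 0
    for x in b:
        v ^= x
    return v


def parse_frame(data: bytes) -> bytes:
    """Constructed, deliberately fragile parser: trusts the length byte, so a length
    larger than the frame reads past the end (IndexError) instead of failing cleanly."""
    n = data[0]
    payload = data[1:1 + n]
    chk = data[1 + n]                        # BUG: no bounds check before this read
    if chk != xor_all(payload):
        raise ValueError("bad checksum")
    return payload


def parse_frame_hardened(data: bytes) -> bytes:
    """Same format with the length validated against the real frame size first."""
    if len(data) < 2 or data[0] != len(data) - 2:
        raise ValueError("length field does not match frame size")
    n = data[0]
    payload = data[1:1 + n]
    if data[1 + n] != xor_all(payload):
        raise ValueError("bad checksum")
    return payload


def bit_flip(data: bytes, rng: random.Random, max_flips: int = 3) -> bytes:
    """Mutation step: flip 1..max_flips random bits of the seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, max_flips)):
        i = rng.randrange(len(buf) * 8)
        buf[i // 8] ^= 1 << (i % 8)
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int = 2000, rng_seed: int = 1):
    """Drive `target` with mutated inputs. ValueError = input rejected as intended;
    any other exception = crash. Returns (crashing_input, exception) or (None, None)."""
    rng = random.Random(rng_seed)             # fixed seed makes the run reproducible
    for _ in range(iterations):
        case = bit_flip(seed, rng)
        try:
            target(case)
        except ValueError:
            continue
        except Exception as exc:
            return case, exc
    return None, None


def make_seed() -> bytes:
    """A valid frame to mutate from: 4-byte payload with a correct checksum."""
    payload = b"abcd"
    return bytes([len(payload)]) + payload + bytes([xor_all(payload)])
```

Generational fuzzing would instead build frames from a grammar of the format; bit flipping needs no knowledge of the format and still finds this class of bug within a few hundred cases because the length byte is one of only six bytes in the seed.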
Interface Testing
• Needed with complex software
• Application programming interfaces
(APIs)
• User interfaces
• Physical interfaces
• Design flexible interfaces without
introducing more security risks
411
Misuse Case Testing
• User activity prediction
• Abuse case testing
• Known misuses
• Manual and automated misuse
attacks
412
Test Coverage Analysis
• Impossible to completely test software
• Too many ways to malfunction or
undergo attack
• Estimate the degree of testing
conducted
• Test coverage analysis:
413
Website Monitoring
• Performance management,
troubleshooting, identification of
potential security issues
• Passive monitoring
– Real user monitoring (RUM)
– Detect issues after occurrence
• Synthetic monitoring (active
monitoring)
– Detect issues before occurrence
414
Implementing
Security Management Processes
• Log Reviews
– Security information and event management
(SIEM)
• Account Management
– Review/audit of accounts and privileges
• Backup Verification
• Key Performance and Risk Indicators
– Open vulnerabilities, time to resolve,
recurrence, number of compromised
accounts, number of flaws, repeated
findings, visits of malicious sites
415
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
416
Chapter 16
Managing Security Operations
418 overview
Need to Know and Least Privilege
• Need to Know
– Work task related access
– Often related to clearance
• The Principle of Least Privilege
• Entitlement
• Aggregation
• Transitive Trust
419
Separation of Duties and
Responsibilities
• No single person with total control
• Separation of privilege
– Applications and processes
• Segregation of duties
– Avoids conflicts of interest
– See Figure 16.1
• Two-person control
420
Job Rotation
• Related to privilege management
• Rotation of duties
• Peer review
• Reduce fraud
• Cross-training
421
Mandatory Vacations
• One- or two-week increments
• No local or remote access
• Peer review
• Detect fraud
• Deterrent and detection
422
Privileged Account Management
423
Managing the
Information Lifecycle
• Creation or capture
• Classification
• Storage
• Usage
• Archive
• Destruction or purging
424
Service-Level Agreements
• SLAs
• Memorandum of understanding
(MOU)
• Interconnection Security
Agreement (ISA)
• NIST SP 800-47
– “Security Guide for Interconnecting
Information Technology Systems”
425
Addressing Personnel
Safety and Security
• Exit doors
– Fail-safe vs. fail-secure doors
• Duress systems and code phrases
• Travel safety
– Sensitive data
– Malware and monitoring devices
– Free WiFi and VPNs
• Emergency management
• Security training and awareness
426
Securely Provisioning Resources
427 overview
Managing Hardware and
Software Assets
• Hardware inventories
• RFID tracking
• Sanitize before disposal
• Portable media management
• Software licensing
428
Protecting Physical Assets
• Includes building and contents
• Fences
• Barricades
• Locked doors
• Guards
• Security cameras / CCTV
• Building design and layout
429
Managing Virtual Assets
• Virtualization
• Software-defined assets
• Virtual machines (VMs)
• Virtual desktop infrastructure (VDI)
• Software-defined networks (SDN)
• Virtual storage area networks
(VSAN)
• Hypervisor
430
Managing Cloud-based Assets
• Resources are located outside of direct
control
• DoD Cloud Computing Security
Requirements Guide
• Cloud service provider (CSP)
• Software as a service (SaaS)
• Platform as a service (PaaS)
• Infrastructure as a service (IaaS)
• Public, private, hybrid, community
431
Media Management
• Protect media itself and data stored on
media
• Tape media
• USB flash drives
• Mobile devices
– Choose your own device (CYOD)
– Bring your own device (BYOD)
– Mobile device management (MDM)
• Media life cycle
– Mean time to failure (MTTF)
432
Managing Configuration
• Baselining
• Using Images for Baselining
433
Managing Change
• Change management helps reduce
unanticipated outages caused by
unauthorized changes
• Security impact analysis
– Request, review, approve/reject, test,
schedule/implement, document
– Security assurance requirements (SAR)
• Versioning
• Configuration documentation
434
Managing Patches and
Reducing Vulnerabilities
• Systems to Manage
– End devices, servers, network devices,
embedded devices, IoT
• Patch Management
– Evaluate, Test, Approve, Deploy, Verify
• Vulnerability Management
– Scanners and assessments
– Vulnerability assessments
• Common Vulnerabilities and Exposures
(CVE)
435
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
436
Chapter 17
Preventing and Responding to Incidents
438 overview
Defining an Incident 1/2
• Any negative effect on CIA
• Unplanned interruption to IT
• Computer security incident
• RFC 2350 “Expectations for Computer
Security Incident Response”
– “Any adverse event which compromises
some aspect of computer or network
security.”
• NIST SP 800-61
– Computer Security Incident Handling
Guide
439
Defining an Incident 2/2
• Any attempted network intrusion
• Any attempted denial-of-service
attack
• Any detection of malicious software
• Any unauthorized access of data
• Any violation of security policies
440
Incident Response Steps
• Detection
• Response
• Mitigation
• Reporting
• Recovery
• Remediation
• Lessons Learned
441 overview
IR Step: Detection
• Detecting actual or potential
incidents
• IDSes, AV, audits, automated tools,
end users
• First responders
442
IR Step: Response
• Based on severity of incident
• Computer incident response team
(CIRT)/computer security incident
response team (CSIRT)
• Faster response limits damage
443
IR Step: Mitigation
• Contain the incident
• Limit the effect or scope
• May involve disconnecting from the
network
• Actions in this step may be noticed
by an attacker
444
IR Step: Reporting
• Internal and external notification
• May be mandated by regulation
• PII violations are of critical concern
in many jurisdictions
• Relevant training is needed to
properly recognize and report
incidents
445
IR Step: Recovery
• Evidence collection should be
completed before recovery efforts
• Recovery is to return the
environment to a normal state or
condition
• Security should be restored to an
equal or greater level than before
the incident
446
IR Step: Remediation
• Analyze the incident to determine
the cause
• Implement countermeasures to
prevent a recurrence
• Root-cause analysis
447
IR Step: Lessons Learned
• Determine what can be learned from
the incident and the response
• Focus on improving future response
• May highlight need for additional
training
• May require adjustment of security
infrastructure
• CIRT submits analysis and
recommendations report to
management
448
Implementing Detective and
Preventive Measures
• Basic Preventive Measures
• Understanding Attacks
• Intrusion Detection and Prevention
Systems
• Specific Preventive Measures
449 overview
Basic Preventive Measures
• Keep systems and applications up-to-date
• Remove or disable unneeded services and
protocols
• Use intrusion detection and prevention
systems
• Use up-to-date anti-malware software
• Use firewalls
• Implement configuration and system
management processes
450
Understanding Attacks 1/2
• Botnets
• Denial of service
– Distributed denial-of-service (DDoS)
– Distributed reflective denial-of-service
(DRDoS)
• SYN flood attack
• Smurf and Fraggle attacks
• Ping flood
• Ping of Death
• Teardrop
451
Understanding Attacks 2/2
• LAND attack
• Zero-day exploit
• Malicious code
– Drive-by download
– Malvertising
• Man-in-the-middle
• War dialing
• Sabotage
• Espionage
452
Intrusion Detection and
Prevention Systems
• IDS, IPS, IDPS
• NIST SP 800-94 Guide to Intrusion
Detection and Prevention Systems
• Knowledge and behavior-based
detection
• SIEM systems
• IDS response
– Active vs. passive
• Host and network IDS
• Intrusion prevention systems
453
Specific Preventive Measures
• Honeypots/honeynets
• Pseudo flaw
• Padded cell
• Warning banners
• Anti-malware
• Whitelisting and blacklisting
• Firewalls
• Sandboxing
454
Third-Party Security Services
• Payment Card Industry Data
Security Standard (PCI DSS)
• SaaS cloud security
• Penetration testing
– Risks
– Obtaining permission
– Black box, white box, gray box
– Reports
– Ethical hacking
455
Logging, Monitoring, and Auditing
456 overview
Logging and Monitoring
• Security logs, system logs, application logs,
firewall logs, proxy logs, change logs
• Protecting log data
• FIPS 200, audit log security requirements
• Audit trails
• Monitoring and accountability
• Monitoring and investigations
• Monitoring and problem identification
457
Monitoring Techniques
• Log analysis
• Security Information and Event
Management (SIEM)
• Security Event Management (SEM)
• Security Information Management
(SIM)
• Sampling or data extraction
• Clipping levels
• Keystroke monitoring
• Traffic and trend analysis
458
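A clipping level is the count below which an event is treated as normal noise and above which it becomes a finding, typically with a time window attached (five failed logins in ten minutes, not five in a year). The detection logic below is an added example, not from the slides or the study guide; the sshd-style log lines are constructed, and the threshold and window are parameters rather than anything the slide prescribes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style authentication lines (not from a real system).
LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51812 ssh2
2024-03-01T09:00:03 sshd[1201]: Failed password for root from 203.0.113.7 port 51814 ssh2
2024-03-01T09:00:04 sshd[1201]: Failed password for admin from 203.0.113.7 port 51815 ssh2
2024-03-01T09:00:06 sshd[1201]: Failed password for root from 203.0.113.7 port 51818 ssh2
2024-03-01T09:00:09 sshd[1201]: Failed password for root from 203.0.113.7 port 51820 ssh2
2024-03-01T09:00:12 sshd[1201]: Accepted password for root from 203.0.113.7 port 51822 ssh2
2024-03-01T09:05:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T09:20:00 sshd[1301]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T09:40:00 sshd[1302]: Failed password for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+")


def parse(log_text):
    """Yield (timestamp, result, user, source_ip) for each line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def clipping_alerts(log_text, threshold=5, window_minutes=10):
    """One alert per source IP whose failed logins reach `threshold` inside a sliding
    window of `window_minutes`. Returns [(src, first_failure, last_failure, count)]."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(list)      # src -> timestamps of failures still inside the window
    alerts, alerted = [], set()
    for ts, result, user, src in parse(log_text):
        if result != "Failed":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.pop(0)
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0], ts, len(q)))
    return alerts
```

In the constructed data the noisy source trips the level in eight seconds and then succeeds as root, which is the follow-up a SIEM correlation rule should look for; the slow source never crosses the level at the default settings, and whether it should is exactly the tuning decision the clipping level encodes.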
Egress Monitoring
• Data loss prevention (DLP)
– Network-based DLP
– Endpoint-based DLP
• Steganography
• Watermarking
459
Auditing to Assess Effectiveness
• Auditing, auditors
• Methodical examination
• Compliance
• Inspection audits
• Access review audits
• User entitlement audits
• Audits of privileged groups
– High-level administrators
– Dual administrator accounts
460
Security Audits and Reviews
• Patch management
• Vulnerability management
• Configuration management
• Change management
461
Reporting Audit Results
• Purpose, scope, results
• Problems, events, and conditions
• Standards, criteria, and baselines
• Causes, reasons, impact, and effect
• Recommended solutions and
safeguards
• Protecting audit results
• Distributing audit reports
• Using external auditors
462
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
463
Chapter 18
Disaster Recovery Planning
465
Understand System Resilience and
Fault Tolerance
• Fault Tolerance and System Resilience
• Protecting Hard Drives
• Protecting Servers
• Protecting Power Sources
• Trusted Recovery
• Quality of Service
466 overview
Fault Tolerance and
System Resilience
• Single point of failure (SPOF)
• Fault tolerance
• System resilience
467
Protecting Hard Drives
• RAID-0
• RAID-1
• RAID-5
• RAID-10
• Hardware vs. software
• Hot swapping vs. cold swapping
468
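RAID-5 survives one failed disk because every stripe stores one chunk of parity, the XOR of the stripe's data chunks, and XOR is its own inverse: the missing chunk is the XOR of everything that remains. Parity rotates across disks so no single disk absorbs every parity write. The simulation below is an added example, not from the slides or the study guide; it models four disks with 4-byte chunks and rebuilds any one dead disk on read.

```python
def xor_blocks(*blocks: bytes) -> bytes:
    """XOR equal-length byte blocks together."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def raid5_write(data: bytes, n_disks: int = 4, chunk: int = 4):
    """Stripe `data` over n_disks with rotating parity. Returns a list of disks,
    each a list of chunks (data is zero-padded to whole stripes)."""
    data_per_stripe = chunk * (n_disks - 1)
    data = data + b"\0" * ((-len(data)) % data_per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(data) // data_per_stripe):
        seg = data[s * data_per_stripe:(s + 1) * data_per_stripe]
        chunks = [seg[i:i + chunk] for i in range(0, data_per_stripe, chunk)]
        parity_disk = s % n_disks                 # rotate the parity position per stripe
        parity = xor_blocks(*chunks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(it))
    return disks


def raid5_read(disks, failed=None) -> bytes:
    """Reassemble the data; if `failed` is a disk index, rebuild its chunks from the XOR
    of the surviving chunks in each stripe. Two failures are not recoverable."""
    n_disks = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        stripe = [disks[d][s] if d != failed else None for d in range(n_disks)]
        if failed is not None:
            stripe[failed] = xor_blocks(*(c for c in stripe if c is not None))
        parity_disk = s % n_disks
        for d in range(n_disks):
            if d != parity_disk:
                out += stripe[d]
    return bytes(out).rstrip(b"\0")
```

The rebuild reads every surviving disk in full, which is why a second failure during the hours-long rebuild of a large array is the realistic loss scenario, and why RAID-6 (two parity chunks) or a hot spare is preferred for big disks.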
Protecting Servers
• Failover clusters
• Load balancing
• Scalability
• Replication between members
469
Protecting Power Sources
• UPS
• Spike, sag, surge, brownout
• Transient
• Generators
470
Trusted Recovery
• Assurance after failure or crash
• Fail-secure, fail-open
• Preparation
• System recovery
– Reboot into non-privileged state, restore all
affected files to pre-failure settings/values
• Manual recovery, automated recovery
• Automated recovery without undue loss
• Function recovery
471
Quality of Service
• Bandwidth
• Latency
• Jitter
• Packet loss
• Interference
• Prioritization
472
Recovery Strategy
• Business Unit and Functional
Priorities
• Crisis Management
• Emergency Communications
• Workgroup Recovery
• Alternate Processing Sites
• Mutual Assistance Agreements
• Database Recovery
473 overview
Business Unit and
Functional Priorities
• Prioritization
• Mission critical business functions/units
• Detailed ordered list of business processes
• Priority based on:
– Risk
– Cost assessment
– Mean time to recovery (MTTR)
– Maximum tolerable outage (MTO)
– Recovery objectives
474
Crisis Management
• Mitigate with disaster recovery plan
• Training on disaster recovery
procedures
• Train and document to counter
panic
• Crisis training
475
Emergency Communications
• Internal and external
• Keep outside informed of recovery
process
• Support recovery through internal
communications
• Alternatives in the event of
infrastructure collapse during major
disasters
476
Workgroup Recovery
• Each department needs to be
recovered
• Restore worker’s ability to perform
work tasks
• DRP is not IT only
• May require numerous strategies
• Independent recovery of work
divisions
477
Alternate Processing Sites
• Cold site
• Hot site
• Warm site
• Mobile site
• Service bureaus
• Cloud computing
478
Mutual Assistance Agreements
• Reciprocal agreements
• Difficult to enforce
• Requires close proximity
• Confidentiality concerns
479
Database Recovery
• Electronic vaulting
• Remote journaling
• Remote mirroring
480
Recovery Plan Development
• Emergency response
• Personnel and communications
• Assessment
• Backups and offsite storage (see next slide)
• Software escrow arrangements
• External communications
• Utilities
• Logistics and supplies
• Recovery vs. restoration
• Training, awareness, and documentation
481
Backups and Offsite Storage
• Full, incremental, differential
• Onsite and offsite
• Media rotation schemes
• Backup tape formats
• Disk to disk backup
• Best practices
• Tape rotation
482
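The operational difference between incremental and differential backups shows up at restore time: an incremental captures changes since the previous backup of any kind, so a restore needs the last full plus every incremental since; a differential captures all changes since the last full, so a restore needs only the full plus the newest differential, at the cost of each differential growing through the week. The schedule and restore-set logic below is an added example, not from the slides or the study guide; the weekly full-on-Sunday schedule is an assumption.

```python
from datetime import date, timedelta

WEEK_START = date(2024, 3, 3)   # constructed: Sunday full backup, dailies after


def backup_schedule(start: date, days: int, scheme: str):
    """Full backup on day 0, then one daily backup of `scheme`
    ('incremental' or 'differential'). Returns [(date, kind, base_date)]."""
    jobs = [(start, "full", None)]
    for d in range(1, days):
        base = jobs[-1][0] if scheme == "incremental" else start
        jobs.append((start + timedelta(days=d), scheme, base))
    return jobs


def restore_set(jobs, target: date):
    """Media needed, in restore order, to rebuild the system as of `target`."""
    needed = []
    for day, kind, _base in jobs:
        if day > target:
            break
        if kind == "full":
            needed = [(day, kind)]                 # a new full resets the chain
        elif kind == "incremental":
            needed.append((day, kind))             # every incremental since the full
        elif kind == "differential":
            needed = [needed[0], (day, kind)]      # only the newest differential
    return needed


def restore_on(scheme: str, day_offset: int, days: int = 7):
    """Convenience wrapper over the constructed week."""
    jobs = backup_schedule(WEEK_START, days, scheme)
    return restore_set(jobs, WEEK_START + timedelta(days=day_offset))
```

A lost or unreadable incremental breaks every restore after it, which is the argument for verifying each medium (the "Backup Verification" item in the Chapter 15 outline) rather than only the full.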
Testing and Maintenance
• Read-through test
• Structured walk-through
• Simulation test
• Parallel test
• Full-interruption test
• Maintenance
483
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
484
Chapter 19
Investigations and Ethics
486 overview
Investigation Types 1/2
• Administrative
– Operational
– Root-cause analysis
• Criminal
– Beyond a reasonable doubt
• Civil
– Preponderance of the evidence
• Regulatory
487
Investigation Types 2/2
• Electronic discovery
– Information governance
– Identification
– Preservation
– Collection
– Processing
– Review
– Analysis
– Production
– Presentation
488
Evidence 1/3
• Admissible
• Real
• Documentary
– Best evidence rule, parol evidence
rule
• Chain of evidence/chain of custody
• Testimonial
489
Evidence 2/3
• Evidence collection
– International Organization on Computer
Evidence (IOCE)
• Follow general forensic and procedural principles
• Actions taken should not change that evidence
• Only trained personnel
• All activity must be fully documented, preserved,
and available for review
• Individual is responsible for digital evidence while
in their possession
• The agency is responsible for compliance with
these principles
490
Evidence 3/3
• Forensic procedures
– Media analysis
– Network analysis
– Software analysis
– Hardware/embedded device analysis
491
Investigation Process 1/3
• Rules of engagement
• Gathering evidence
– Voluntary surrender
– Subpoena
– Search warrant
• Calling in law enforcement
492
Investigation Process 2/3
• Conducting the investigation
– Don’t use compromised systems
– Don’t hack back
– Call in the experts for assistance
• Interviewing individuals
– Interview vs. interrogation
– Trained investigators
493
Investigation Process 3/3
• Data Integrity and Retention
– Maintain integrity of all evidence
– Archiving policy
– Log file sanitization/destruction
– Remote logging
– Digital signatures
• Reporting and Documenting Investigations
– When to report and to whom to report
– Escalation and legal action may require
reporting
– Documentation of all incidents
494
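The integrity items on this slide (remote logging, digital signatures) exist because an attacker with root on the logging host can edit, delete or reorder local log entries. A simple mechanism that makes such tampering detectable is a hash chain: each record's authentication tag covers its own content and the previous record's tag, under a key held by the collector rather than the host. The code below is an added example, not from the slides or the study guide; it uses HMAC-SHA256 in place of a public-key signature, and the log entries and key are constructed.

```python
import hashlib
import hmac
import json

GENESIS = b"\0" * 32   # tag "before" the first record


def chain_log(entries, key: bytes):
    """Build a tamper-evident log: tag_i = HMAC(key, tag_{i-1} || canonical(entry_i)).
    Editing, deleting or reordering any record changes every tag after it."""
    prev = GENESIS
    records = []
    for e in entries:
        body = json.dumps(e, sort_keys=True).encode()    # canonical form, key order fixed
        tag = hmac.new(key, prev + body, hashlib.sha256).digest()
        records.append({"entry": e, "tag": tag.hex()})
        prev = tag
    return records


def verify_chain(records, key: bytes):
    """Return the index of the first record whose tag does not verify, or None
    if the whole chain is intact."""
    prev = GENESIS
    for i, r in enumerate(records):
        body = json.dumps(r["entry"], sort_keys=True).encode()
        expected = hmac.new(key, prev + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(r["tag"])):
            return i
        prev = expected
    return None
```

The chain does not detect truncation (dropping the newest records), so the collector must also record the latest tag it has seen, and the key must not live on the host whose logs it protects; with a private key and signatures instead of HMAC, a third party can verify the chain without being able to forge it, which matters for evidence.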
Major Categories of Computer
Crime
• Military and intelligence attacks
• Advanced Persistent Threat (APT)
• Business attacks
– Corporate espionage or industrial espionage
• Financial attacks
• Terrorist attacks
• Grudge attacks
• Insider threats
• Thrill attacks – script kiddies, hacktivists
495
Ethics
• (ISC)2 Code of Ethics
• Ethics and the Internet
496 overview
(ISC)2 Code of Ethics
• Protect society, the common good,
necessary public trust and confidence,
and the infrastructure.
• Act honorably, honestly, justly,
responsibly, and legally.
• Provide diligent and competent
service to principals.
• Advance and protect the profession.
497
Ethics and the Internet
• RFC 1087: Activity is unacceptable and
unethical that
– Seeks to gain unauthorized access to the
resources of the Internet
– Disrupts the intended use of the Internet
– Wastes resources (people, capacity,
computer) through such actions
– Destroys the integrity of computer-based
information
– Compromises the privacy of users
498
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
499
Chapter 20
Software Development Security
501 overview
Software Development 1/2
• Programming languages
• Machine language
• Compiled code and Interpreted code
– Compiler, decompiler
• Object-oriented programming
– Message, method, behavior, class, instance,
inheritance, delegation, polymorphism,
cohesion, coupling
• Assurance
502
Software Development 2/2
• Avoiding and mitigating system
failure
– Input validation
• Limit check
– Authentication and session
Management
– Error handling
– Logging
– Fail-secure and fail-open
503
Systems Development Life Cycle
• Conceptual definition
• Functional requirements determination
– Inputs, behavior, outputs
• Control specifications development
• Design review
• Code review walk-through
• User acceptance testing
• Maintenance and change management
504
Life Cycle Models 1/3
• Waterfall model (view next slide)
– Feedback loop characteristic
• Spiral model
– Metamodel
– Prototyping
505
Waterfall Lifecycle Model
506
Life Cycle Models 2/3
• Agile software development
– Agile Manifesto: four values (below) and 12 principles
– Individuals and interactions over
processes and tools
– Working software over comprehensive
documentation
– Customer collaboration over contract
negotiation
– Responding to change over following a
plan
507
Life Cycle Models 3/3
• Software capability maturity model
(SCMM)
– Initial
– Repeatable
– Defined
– Managed
– Optimized
• IDEAL model
– Initiating
– Diagnosing
– Establishing
– Acting
– Learning
508
Gantt Charts and PERT 1/2
• Scheduling of projects
• Gantt relates project elements and
time schedules
509
Gantt Charts and PERT 2/2
• Program Evaluation Review
Technique (PERT)
– Focuses on software size
– Goal: more efficient software
510
Change and Configuration
Management
• Request control
• Change control
• Release control
• Configuration identification
• Configuration control
• Configuration status accounting
• Configuration audit
511
The DevOps Approach
• Development and operations
• Combines: software development,
quality assurance, and technology
operations
• Aligned with Agile
512
Application Programming
Interfaces
• Balance opportunities with security
• Authentication requirements
– Public vs. limited use
• Tested for security flaws
513
Software Testing
• Reasonableness check
• Handling of types, values, bounds,
and conditions
• Separation of duties
• White-box, black-box, gray-box
• Static testing
• Dynamic testing
514
Code Repositories
• Collaboration
• Large-scale software projects
• Central storage point
• Version control
• Bug tracking
• Hosting
• Release management
• Communications functions
515
Service-Level Agreements
• Defines service requirements between
provider and customer
• Necessary for all critical outsourced
tasks/processes
• Should address:
– Uptime, downtime, peak load, average
load, diagnostics, failover/redundancy
– Financial and contractual remedies for
noncompliance
516
Software Acquisition
• On-premises deployment or cloud
• SaaS, PaaS, IaaS
• Security is top concern
517
Establishing Databases and
Data Warehousing
• Database Management System
Architecture
• Database Transactions
• Security for Multilevel Databases
• Open Database Connectivity
(ODBC)
• NoSQL
518 overview
Database Management System
Architecture
• Hierarchical
• Distributed
• Relational
– Fields, attributes, cells
– Tuple, row
– Cardinality and degree
– Domain, range of values
– Candidate keys, primary key, foreign keys
– Schema, DDL, DML
519
Database Transactions
• Atomicity
• Consistency
• Isolation
• Durability
520
Security for Multilevel Databases
• Database contamination
• Restricting access with views
• Concurrency
• Time stamps
• Granular access control, content-
dependent
• Cell suppression
• Database partitioning
• Polyinstantiation
• Noise and perturbation
521
Open Database Connectivity
• Open Database Connectivity
(ODBC)
• Proxy between database and
application
• Freedom from direct DBMS
programming
522
NoSQL
• Nonrelational databases
• Key/value stores
• Graph databases
• Document stores
– Extensible Markup Language (XML)
and JavaScript Object Notation (JSON)
523
Storing Data and Information
• Types of Storage
• Storage Threats
524 overview
Types of Storage
• Primary/real
• Secondary
• Virtual memory
• Virtual storage
• Random access storage
• Sequential access storage
• Volatile storage
• Nonvolatile storage
525
Storage Threats
• Illegitimate access
– Access controls
– Prevent OS control bypass
– Encryption
– Prevent cross-level exploitation
• Covert channel attacks
526
Understanding
Knowledge-Based Systems 1/2
• Expert Systems
– “If/then” statement knowledge base,
inference engine, fuzzy logic
• Machine Learning
– Supervised learning
– Unsupervised learning
• Neural Networks
– Deep learning or cognitive systems
– Delta rule, learning rule
527
Understanding
Knowledge-Based Systems 2/2
• Security Applications
– Capability to rapidly make consistent
decisions
– Thoroughly analyze massive amounts
of data
528
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
529
Chapter 21
Malicious Code and
Application Attacks
531 overview
Sources of Malicious Code
• Skilled malicious software
developers
• Script kiddies
• Amateur code developers
• Advanced persistent threat (APT)
532
Viruses 1/2
• Propagation techniques
– Master boot record
– File infector
– Macro virus
– Service injection virus
• Platforms vulnerable to viruses
– Mostly Windows
– All OSs have some malware
533
Viruses 2/2
• Antivirus mechanisms
– Signature, heuristic/behavior
• Virus technologies
– Multipartite viruses
– Stealth viruses
– Polymorphic viruses
– Encrypted viruses
• Hoax
534
Logic Bombs
• Lie dormant
• Wait for triggering event
– Time, program launch, website
logon, . . .
535
Trojan Horses
• Benign host delivers malicious
payload
• Rogue antivirus software
• Ransomware
– CryptoLocker
• Botnet
536
Worms
• Self-propagation
• Code Red
• Stuxnet
537
Spyware and Adware
• Spyware
– Monitors your actions
– Transmits details to remote system
– May include keystroke logging
• Adware
– Displays advertising
– Pop-up ads
– Monitor shopping, redirects to
competitor sites
538
Zero-Day Attacks
• Security flaws discovered by
hackers that have not been
thoroughly addressed by the
security community
• Window of vulnerability
• Defense-in-depth approach
– Overlapping security controls
539
Password Attacks
• Password Guessing
• Dictionary Attacks
– Rainbow table
– Brute force
• Social Engineering
– Spear phishing, whaling, vishing
– Dumpster diving
• Countermeasures
– Longer, more complex
540
Application Attacks
• Buffer overflows
• Time of check to time of use
(TOCTOU or TOC/TOU)
• Back doors
• Escalation of privilege and rootkits
541
Web Application Security
• Cross-site scripting (XSS)
– Input validation
• Cross-site request forgery (XSRF/
CSRF)
• SQL Injection
– Dynamic Web applications
– Use prepared statements
– Perform input validation
– Limit account privileges
542
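The three SQL injection countermeasures on this slide are layered, and only the first actually removes the flaw: a prepared statement sends the value out of band so it can never become part of the statement, input validation narrows what reaches the query at all, and limiting the database account's privileges bounds what a successful injection can do. The code below is an added example, not from the slides or the study guide; it runs against an in-memory SQLite table with constructed rows and shows the vulnerable concatenation next to the parameterized form and an allow-list validator.

```python
import re
import sqlite3


def make_db():
    """In-memory table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "h1"), ("bob", "h2"), ("carol", "h3")])
    return con


def lookup_vulnerable(con, username):
    """Dynamic SQL by string concatenation: the input becomes part of the statement,
    so "x' OR '1'='1" turns the WHERE clause into a tautology."""
    sql = ("SELECT username FROM users WHERE username = '" + username + "'"
           " ORDER BY username")
    return [r[0] for r in con.execute(sql)]


def lookup_prepared(con, username):
    """Prepared statement: the statement is fixed, the value is bound separately,
    so quotes in the input are just characters to compare against."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [r[0] for r in con.execute(sql, (username,))]


def is_valid_username(username) -> bool:
    """Input validation as an extra layer: an allow-list of what a username may look
    like, not a deny-list of quote characters (which attackers routinely encode around)."""
    return re.fullmatch(r"[a-z0-9_]{1,32}", username) is not None
```

For the third countermeasure, run the application's queries under an account that can only SELECT from the tables it needs; the injection in the vulnerable function then leaks usernames but cannot `UPDATE` password hashes or read other tables.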
Reconnaissance Attacks
• IP probes
– IP sweeps, ping sweeps
• Port scans
• Vulnerability scans
543
Masquerading Attacks
• IP spoofing
• Session hijacking
544
Conclusion
• Read the Exam Essentials
• Review the chapter
• Perform the Written Labs
• Answer the Review Questions
545