CISSP COURSE (PDF transcript)

Posted on 13-Mar-2018

Reproduction prohibited

CISSP COURSE - PART 1

ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER

MAGDA LILIA CHELLY


OVERVIEW

ISC2 REQUIREMENTS ON INDIVIDUALS

THESE INCLUDE:

• BACKGROUND

• FIVE YEARS EXPERIENCE IN ANY OF THE 10 DOMAINS, OR FOUR YEARS EXPERIENCE AND A COLLEGE DEGREE

• TEST FEE

• APPROVED APPLICATION

• AGREEMENT TO THE ISC2 CODE OF ETHICS


DOMAINS

THE 8 DOMAINS ARE:

1. SECURITY AND RISK MANAGEMENT

2. ASSET SECURITY

3. SECURITY ENGINEERING

4. COMMUNICATION AND NETWORK SECURITY

5. IDENTITY AND ACCESS MANAGEMENT

6. SECURITY ASSESSMENT AND TESTING

7. SECURITY OPERATIONS

8. SOFTWARE DEVELOPMENT SECURITY


SECURITY AND RISK MANAGEMENT


• Confidentiality: Ensures that information is not compromised or disclosed to anyone who is not authorized to see it.
• Integrity: Ensures that data is not damaged or modified without authorization.
• Availability: Ensures that information is always available when needed.


Identification: Username
Authentication: Password
Authorization: Access rights
Auditing: Logs
Accounting: Review


NONREPUDIATION: The subject of an activity or event is not able to deny that the event happened.

DATA HIDING: The data is kept where it cannot be accessed (prevented from access).


Data Owner: responsible for classifying information
Data Custodian: responsible for implementing the prescribed protection

DUE CARE: Doing the right thing
DUE DILIGENCE: Continuing to do the right thing


SECURITY MANAGEMENT: Strategic (long-term plan with goals, mission, and objectives), tactical (mid-term plan with detailed goals), and operational plans (short-term plan).


Security governance practices: defining and directing the security efforts, through (from bottom to top):

Procedures
Guidelines
Standards
Policies


CONTROL OBJECTIVES FOR INFORMATION & RELATED TECHNOLOGY (COBIT): a framework of control objectives, the security concept infrastructure.


The annual costs of safeguards should not exceed the expected annual cost of asset loss.


A quantitative risk analysis calculates the ALE (annualized loss expectancy), which is the expected annual loss from an asset if the expected threats are realized.
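The two slides above reduce to a few multiplications, but the safeguard decision (annual cost of the safeguard against the annual loss it prevents) is where people get the arithmetic wrong. The following is an added example, not part of the course slides; the asset value, exposure factor, rate of occurrence and safeguard costs are constructed for illustration.

```python
"""Quantitative risk analysis: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not from the slides. The asset values, exposure factors and
safeguard costs below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float      # AV: value of the asset in currency units
    exposure_factor: float  # EF: fraction of the asset lost in one incident (0.0-1.0)
    annual_rate: float      # ARO: expected number of incidents per year


def single_loss_expectancy(s: Scenario) -> float:
    """SLE = AV x EF: the loss from one realized threat."""
    if not 0.0 <= s.exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return s.asset_value * s.exposure_factor


def annualized_loss_expectancy(s: Scenario) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    return single_loss_expectancy(s) * s.annual_rate


def safeguard_value(before: Scenario, after: Scenario, annual_safeguard_cost: float) -> float:
    """Cost/benefit of a safeguard: ALE(before) - ALE(after) - annual cost.

    A negative result means the safeguard's annual cost exceeds the annual
    loss it prevents, which is the situation the cost rule above rules out.
    """
    return (annualized_loss_expectancy(before)
            - annualized_loss_expectancy(after)
            - annual_safeguard_cost)


def worth_buying(before: Scenario, after: Scenario, annual_safeguard_cost: float) -> bool:
    return safeguard_value(before, after, annual_safeguard_cost) > 0


if __name__ == "__main__":
    # Constructed figures: a file server valued at 200,000, a ransomware
    # incident that destroys 25% of that value, expected once every two years.
    unprotected = Scenario(asset_value=200_000, exposure_factor=0.25, annual_rate=0.5)
    # Offline backups cut the exposure factor to 5%; the ARO is unchanged.
    with_backups = Scenario(asset_value=200_000, exposure_factor=0.05, annual_rate=0.5)
    print("SLE:", single_loss_expectancy(unprotected))
    print("ALE:", annualized_loss_expectancy(unprotected))
    for cost in (8_000, 30_000):
        verdict = "worth it" if worth_buying(unprotected, with_backups, cost) else "not worth it"
        print(f"backups at {cost}/year: value {safeguard_value(unprotected, with_backups, cost):.0f}, {verdict}")
```

With the constructed figures the SLE is 50,000 and the ALE 25,000 per year; backups that cut the exposure factor to 5% bring the ALE down to 5,000, so they are worth buying at 8,000 a year but not at 30,000.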


Delphi Risk Analysis

• Group discussion method
• Based on expert opinion
• Comments are written anonymously
• Aims at consensus


Quantitative vs qualitative risk analysis

Quantitative:
• Financial costs
• Automated
• History required

Qualitative:
• Without calculations
• Low history required
• Easy
• Smooth communication


Control types are:

• Preventive
• Detective
• Corrective
• Deterrent
• Recovery
• Directive
• Compensative

Control categories: Administrative, Logical, Physical


Employees and the hiring process should take into consideration:

• Collusion

• Screening

• Background checks

• Security clearances

• Employment agreements

• Nondisclosure agreements


Separation of duties: Critical tasks divided between several employees
Least Privilege: Minimum access
Job Rotation: Rotate personnel
Mandatory vacations: One or two weeks of vacation


Criminal law: Protects basic principles
Civil law: Protects transactions between people and organizations
Administrative law: Protects day-to-day operations


Copyrights (©): Authorship protection
Trademarks (™, ®): Names and logos protection
Patents: Invention protection
Trade secret: Company’s operation protection


ASSET SECURITY


Personally identifiable information (PII): Data that can identify an individual

Protected health information (PHI): Health-related data related to an individual


Government / military classification (highest to lowest):
• Top Secret
• Secret
• Confidential
• Sensitive but Unclassified
• Unclassified

Commercial classification (highest to lowest):
• Confidential / Private
• Sensitive
• Public


Sanitization represents the processes of removing data from a system or from media.

Data remanence is the data that stays on a hard drive as residual magnetic flux.


Degaussing is the process of reducing or eliminating an unwanted magnetic field (or data) stored on tape and disk media.

Erasing media is deleting data.

Clearing, or overwriting, is preparing media for reuse.

Purging is a more intense form of clearing.


To remove data from solid state drives (SSDs), physical destruction is the commonly used method.


The EU Data Protection law enforces the protection of privacy data.

The Safe Harbor principles are a method of ensuring that third parties comply with the EU Data Protection law.

The seven principles are notice, choice, onward transfer, security, data integrity, access, and enforcement.


SECURITY ENGINEERING


Work function, or work factor: the strength of a cryptographic system, measured as the effort required to break it.


Properties of a cryptographic hash function:

• Fixed-length output
• One-way
• Functionality (the same input always gives the same output)
• Collision free
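The four properties can be checked directly with the hash functions in Python's standard library. The block below is an added example, not part of the course slides; the inputs are constructed, and the SHA-256 digest of "abc" used in the integrity check is the well-known test vector for that function.

```python
"""Properties of cryptographic hash functions, shown with hashlib.

Added example, not from the slides. The inputs are constructed.
"""
import hashlib
import secrets


def digest_hex(data: bytes, algorithm: str = "sha256") -> str:
    """Deterministic one-way function: same input, same digest; no way back to the input."""
    return hashlib.new(algorithm, data).hexdigest()


def output_lengths(algorithm: str = "sha256") -> set:
    """Fixed-length output: a 0-byte, a 3-byte and a 1 MiB input all give the same digest size."""
    return {len(hashlib.new(algorithm, data).digest())
            for data in (b"", b"abc", b"x" * (1 << 20))}


def bits_differing(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(data: bytes, algorithm: str = "sha256") -> float:
    """Flip one input bit and report the fraction of digest bits that change.

    A sound hash changes about half of its output bits for any one-bit change
    in the input; this is what makes it impractical to find two inputs with
    the same digest (a collision) or to steer the output towards a target.
    """
    if not data:
        raise ValueError("need at least one byte to flip")
    flipped = bytearray(data)
    flipped[0] ^= 0x01
    d1 = hashlib.new(algorithm, data).digest()
    d2 = hashlib.new(algorithm, bytes(flipped)).digest()
    return bits_differing(d1, d2) / (8 * len(d1))


def verify_integrity(data: bytes, expected_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check as used for downloads and signatures: recompute, compare in constant time."""
    return secrets.compare_digest(digest_hex(data, algorithm), expected_hex)


if __name__ == "__main__":
    print("SHA-256 digest sizes:", output_lengths())                    # {32}
    print("SHA-1 digest sizes:", output_lengths("sha1"))                # {20}
    print("bits changed by a 1-bit input change:",
          f"{avalanche_fraction(b'The quick brown fox'):.2f}")          # about 0.5
    known = digest_hex(b"abc")
    print("intact:", verify_integrity(b"abc", known))                  # True
    print("tampered:", verify_integrity(b"abd", known))                # False
```

The constant-time comparison in verify_integrity matters whenever the expected digest is compared with one an outside party supplied: a plain string comparison stops at the first differing byte and leaks, through timing, how much of the digest matched.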


Zero-knowledge proof: a communication concept in which one party proves knowledge of a secret with no real transfer of the secret data; the slide gives the digital signature as its example.

Split knowledge: multiple users are required to perform the operation.


Number of keys needed for n participants in a symmetric cryptosystem: n(n - 1)/2


Digital Signature Standard (DSS)

SHA-1 and SHA-2 message digest functions

+

One of the signature algorithms: Digital Signature Algorithm (DSA); Rivest, Shamir, Adleman (RSA); or Elliptic Curve DSA (ECDSA)


Certification: Technical evaluation

Accreditation: Process of formal acceptance


CPU classification

• Multitasking: A single processor

• Multiprogramming: A single processor

• Multiprocessing: Multiple processors


Dedicated mode: all users have clearance, access permissions, and need to know for all data

System high mode: no need-to-know requirement

Compartmented mode: no need-to-know and no access permission requirement

Multilevel mode: removes all three requirements


TCSEC: Trusted Computer System Evaluation Criteria, United States Government Department of Defense

ITSEC: Information Technology Security Evaluation Criteria, by the Commission of the European Communities

TCB: Trusted computing base (hardware, firmware, and/or software components)


The Reference Monitor

• Part of the TCB
• Validates every access by a subject to an object (for example a file)
• Rings of protection work with the TCB

Diagram: Subject -> Reference Monitor (inside the Security Kernel) -> Object (File)
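A reference monitor is easiest to understand as code: one function through which every subject-to-object access passes, a decision taken from an explicit access matrix, and a record of every decision. The block below is an added example, not part of the course slides; the users, passwords, objects and access rights are constructed. It also ties together the identification, authentication, authorization, auditing and accounting chain from the Security & Risk Management slides, so it serves that passage as well.

```python
"""A minimal reference monitor with an audit trail.

Added example, not from the slides. Users, passwords, objects and the access
matrix are constructed. Identification is the username, authentication the
password check, authorization the access check, auditing the log, and
accounting the review of the log; every access goes through one chokepoint.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 50_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_credential(password: str) -> tuple:
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    return salt, _derive(password, salt)


@dataclass
class ReferenceMonitor:
    credentials: dict                  # username -> (salt, hash)
    acl: dict                          # (username, object) -> set of rights
    audit_log: list = field(default_factory=list)

    def authenticate(self, username: str, password: str) -> bool:
        record = self.credentials.get(username)
        if record is None:
            ok = False                 # unknown subject: fail without saying why
        else:
            salt, stored = record
            ok = hmac.compare_digest(_derive(password, salt), stored)
        self.audit_log.append(("auth", username, ok))
        return ok

    def access(self, username: str, obj: str, right: str) -> bool:
        """The single mediation point: deny unless the ACL explicitly grants the right."""
        allowed = right in self.acl.get((username, obj), set())
        self.audit_log.append(("access", username, obj, right, allowed))
        return allowed

    def review(self, denied_only: bool = True) -> list:
        """Accounting: list access decisions, by default only the denied ones."""
        return [e for e in self.audit_log
                if e[0] == "access" and (not denied_only or not e[4])]


def build_demo_monitor() -> ReferenceMonitor:
    credentials = {"alice": make_credential("alice-pw"), "bob": make_credential("bob-pw")}
    acl = {("alice", "payroll.xlsx"): {"read", "write"},
           ("bob", "payroll.xlsx"): {"read"}}
    return ReferenceMonitor(credentials, acl)


if __name__ == "__main__":
    rm = build_demo_monitor()
    print("alice login:", rm.authenticate("alice", "alice-pw"))          # True
    print("alice write:", rm.access("alice", "payroll.xlsx", "write"))   # True
    print("bob write:", rm.access("bob", "payroll.xlsx", "write"))       # False
    print("mallory read:", rm.access("mallory", "payroll.xlsx", "read")) # False
    for entry in rm.review():
        print("denied:", entry)
```

Two design points carry over to real systems: the default answer is deny (an absent ACL entry grants nothing), and denied attempts are logged with the same care as granted ones, since the review step is what turns the log into accounting.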


Ring 0: OS kernel / memory
Ring 1: Other OS components
Ring 2: Drivers, protocols
Ring 3: User-level programs and applications


BYOD

BRING YOUR OWN DISASTER? NO, NO, NO :p

BRING YOUR OWN DEVICE


A covert channel: a method used to transfer information through a path that is not normally used for information.


Buffer overflow (no, no, no, not Buffalo Flow …)

A size check failure: data is written into memory beyond the space allocated for it.


Time-of-check-to-time-of-use, or TOCTTOU

Watch the state of data or resources: it can change between the moment it is checked and the moment it is used.
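The classic form of this flaw is a program that checks a file path and then opens the same path again, while the fix is to open once and check the descriptor that was actually opened. The block below is an added example, not part of the course slides; it works on files it creates itself in a temporary directory, and the after_check hook is a constructed stand-in for the scheduling window between check and use (in a real race that window is filled by another process, not by a callback).

```python
"""Time-of-check-to-time-of-use (TOCTTOU): check and use must apply to the same object.

Added example, not from the slides. It creates its own files in a temporary
directory, so it runs stand-alone on Linux or macOS. The `after_check` hook is
a constructed stand-in for the window between check and use.
"""
import os
import stat
import tempfile
from typing import Callable, Optional


def read_if_regular_racy(path: str, after_check: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Vulnerable pattern: lstat(path) ... open(path).

    The path is resolved twice. If what it points to changes in between, the
    object that was checked is not the object that is used.
    """
    st = os.lstat(path)                       # time of check
    if not stat.S_ISREG(st.st_mode):
        return None
    if after_check:
        after_check()                         # the window in which state can change
    with open(path, "rb") as f:               # time of use: a second, independent lookup
        return f.read()


def read_if_regular_safe(path: str, after_check: Optional[Callable[[], None]] = None) -> Optional[bytes]:
    """Hardened pattern: open once (refusing symlinks), then check the descriptor.

    os.fstat() inspects the file that was actually opened, so no later change
    to the path can substitute a different object for the one checked.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # fails with ELOOP on a symlink
    except OSError:
        return None
    try:
        if after_check:
            after_check()                     # any change now affects the path, not fd
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        with os.fdopen(fd, "rb") as f:
            fd = -1                           # fdopen now owns and closes the descriptor
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Run both readers against the same state change and report what each read."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        private = os.path.join(d, "private.txt")
        with open(private, "wb") as f:
            f.write(b"SECRET")

        def reset():
            if os.path.lexists(public):
                os.remove(public)
            with open(public, "wb") as f:
                f.write(b"public")

        def swap():  # constructed state change: public.txt becomes a symlink to private.txt
            os.remove(public)
            os.symlink(private, public)

        reset()
        racy = read_if_regular_racy(public, after_check=swap)   # reads the wrong file
        reset()
        safe = read_if_regular_safe(public, after_check=swap)   # still reads the file it checked
        refused = read_if_regular_safe(public) is None           # path is now a symlink: refused
        return {"racy": racy, "safe": safe, "symlink_refused": refused}


if __name__ == "__main__":
    print(demo())   # {'racy': b'SECRET', 'safe': b'public', 'symlink_refused': True}
```

The general rule the example illustrates: make the security decision on the handle you are about to use (a file descriptor, a socket, an already-loaded object), not on a name that will be resolved again later.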


Physical Security

A MUST: site management, personnel controls, awareness training, and emergency response and procedures


Technical physical controls

Intrusion detection, alarms, CCTV, monitoring, HVAC, power supplies, and fire detection and suppression


The humidity should be between 40% and 60%.

The temperature should be between 10 and 26 Celsius, or 50-80 Fahrenheit.


Physical controls

Fencing, lighting, locks, construction materials, mantraps, dogs, and guards


PREVENTATIVE CONTROLS: No internal or external access

DETECTIVE CONTROLS: Track an unauthorized transaction

CORRECTIVE CONTROLS: Recover or restore operations

DETERRENT CONTROLS: Used to encourage or increase compliance


COMMUNICATION & NETWORK SECURITY


TCP/IP is similar to the OSI model


PHYSICAL LAYER

• Transfer of bits

Example of equipment:

• Network interface controller
• Repeater
• Ethernet hub
• Modem
• Fiber media converter


DATA LINK LAYER

• Combines bits into bytes and bytes into frames
• Uses MAC addresses
• Error detection

Sub-layers:

• Logical link control sublayer
• Media access control sublayer

Example of equipment:

• Bridges
• Layer 2 switches (= multi-port bridges)


DATA LINK LAYER protocols:

• Serial Line Internet Protocol (SLIP)
• Point-to-Point Protocol (PPP)
• Address Resolution Protocol (ARP)
• Reverse Address Resolution Protocol (RARP)
• Layer 2 Forwarding (L2F)
• Layer 2 Tunnelling Protocol (L2TP)
• Point-to-Point Tunnelling Protocol (PPTP)
• Integrated Services Digital Network (ISDN)


NETWORK LAYER

• Logical addressing

Example of equipment:

• Router
• Switches


L2 switch: switching only. It uses MAC addresses to switch the packets from a port to the destination port.

L3 switch: switching, IP addresses and routing. For intra-VLAN communication it uses the MAC address table; for inter-VLAN communication it uses the IP routing table.


NETWORK LAYER protocols:

• Internet Control Message Protocol (ICMP)
• Routing Information Protocol (RIP)
• Open Shortest Path First (OSPF)
• Border Gateway Protocol (BGP)
• Internet Group Management Protocol (IGMP)
• Internet Protocol (IP)
• Internet Protocol Security (IPSec)
• Internetwork Packet Exchange (IPX)
• Network Address Translation (NAT)
• Simple Key Management for Internet Protocols (SKIP)


TRANSPORT LAYER protocols:

• Transmission Control Protocol (TCP)
• User Datagram Protocol (UDP)
• Sequenced Packet Exchange (SPX)
• Secure Sockets Layer (SSL)
• Transport Layer Security (TLS)

Figure source (slide 65): https://en.wikipedia.org/wiki/Transport_layer


SESSION LAYER

• Authentication
• Authorization
• Session restoration

Protocols:

• Network File System (NFS)
• Structured Query Language (SQL)
• Remote Procedure Call (RPC)


PRESENTATION LAYER

• Data presentation / translation, for example XML, PHP, GIF, and JPEG
• Encryption
• Compression

"For example, HyperText Transfer Protocol (HTTP), usually presented as an application-layer protocol, uses presentation-layer features to display data."


PRESENTATION LAYER formats:

• American Standard Code for Information Interchange (ASCII)
• Extended Binary-Coded Decimal Interchange Code (EBCDIC)
• Tagged Image File Format (TIFF)
• Joint Photographic Experts Group (JPEG)
• Moving Picture Experts Group (MPEG)
• Musical Instrument Digital Interface (MIDI)


APPLICATION LAYER

• User interface for applications


• Hypertext Transfer Protocol (HTTP)

• File Transfer Protocol (FTP)

• Simple Mail Transfer Protocol (SMTP)

• Telnet

• Trivial File Transfer Protocol (TFTP)

• Post Office Protocol version 3 (POP3)

• Internet Message Access Protocol (IMAP)

• Simple Network Management Protocol (SNMP)


Ethernet frame layout:

Destination address | Source address | Type    | Data packet   | Frame check sequence
6 bytes             | 6 bytes        | 2 bytes | 46–1500 bytes | 4 bytes
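The frame layout above can be exercised by building a frame, parsing it back and recomputing the frame check sequence, which is how a receiving NIC decides to drop a damaged frame. The following is an added example, not part of the course slides; the MAC addresses and payload are constructed. It assumes the Ethernet II layout shown on the slide, with the FCS being CRC-32 over everything before it, transmitted least-significant byte first (the same CRC-32 that zlib.crc32 computes).

```python
"""Ethernet II frame: build, parse and verify the frame check sequence (FCS).

Added example, not from the slides. The frame contents are constructed.
Layout: destination (6) | source (6) | type (2) | payload (46-1500) | FCS (4).
"""
import struct
import zlib
from dataclasses import dataclass

HEADER = struct.Struct("!6s6sH")      # dst MAC, src MAC, EtherType (network byte order)
MIN_PAYLOAD, MAX_PAYLOAD, FCS_LEN = 46, 1500, 4


@dataclass
class EthernetFrame:
    dst: str
    src: str
    ethertype: int
    payload: bytes
    fcs_ok: bool


def mac_to_bytes(mac: str) -> bytes:
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return b


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Pad short payloads to 46 bytes (as the sending NIC does) and append the FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds 1500 bytes")
    payload = payload.ljust(MIN_PAYLOAD, b"\x00")
    body = HEADER.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body))   # FCS: CRC-32, LSB first


def parse_frame(raw: bytes) -> EthernetFrame:
    """Split a raw frame into its fields and recompute the FCS over the rest."""
    if len(raw) < HEADER.size + MIN_PAYLOAD + FCS_LEN:
        raise ValueError("frame shorter than the 64-byte Ethernet minimum")
    dst, src, ethertype = HEADER.unpack(raw[:HEADER.size])
    payload = raw[HEADER.size:-FCS_LEN]
    (fcs,) = struct.unpack("<I", raw[-FCS_LEN:])
    return EthernetFrame(bytes_to_mac(dst), bytes_to_mac(src), ethertype, payload,
                         fcs_ok=zlib.crc32(raw[:-FCS_LEN]) == fcs)


def demo():
    """A broadcast frame with a constructed payload, intact and with one byte flipped in transit."""
    frame = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0806, b"constructed payload")
    good = parse_frame(frame)
    damaged = frame[:20] + bytes([frame[20] ^ 0xFF]) + frame[21:]
    return good, parse_frame(damaged)


if __name__ == "__main__":
    good, bad = demo()
    print(good.dst, good.src, hex(good.ethertype), len(good.payload), "bytes, FCS ok:", good.fcs_ok)
    print("damaged frame FCS ok:", bad.fcs_ok)
```

The FCS detects accidental corruption only; because CRC-32 is not a keyed function, anyone who can alter a frame can also recompute its FCS, which is why integrity against tampering has to come from higher layers (IPsec, TLS, or a MAC on the payload).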


TCP/IP Model

Layer                             | Protocols / components
Process and application           | FTP, SMTP, RIP, DNS, SNMP
Host-to-host                      | TCP, UDP
Internet                          | IP, IGMP, ICMP (with ARP, RARP)
Network access and local network  | Network interface cards; coaxial, fiber optic, wireless


IPv4 (32 bits) vs IPv6 (128 bits)


IPv6 address abbreviation rules

Initial address: 2008:0cb9:0000:0000:0000:ee00:0052:7329

After removing the leading zeroes of the all-zero groups: 2008:0cb9:0:0:0:ee00:0052:7329

After replacing the run of consecutive zero groups with "::": 2008:0cb9::ee00:0052:7329

The loopback address, 0000:0000:0000:0000:0000:0000:0000:0001, is equivalent to ::1
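The two rules (drop leading zeroes, collapse the longest run of zero groups, only once) are small enough to implement by hand and compare against the standard library. The following is an added example, not part of the course slides. It applies the leading-zero rule to every group, as RFC 5952 and Python's ipaddress module do, so the slide's address comes out as 2008:cb9::ee00:52:7329; the other inputs are constructed.

```python
"""Compress a full IPv6 address by the two abbreviation rules, and check the
result against the standard library's canonical form.

Added example, not from the slides. Test addresses are constructed.
"""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def compress_ipv6(addr: str) -> str:
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected a full address with 8 groups")
    trimmed = []
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in HEX for c in g):
            raise ValueError(f"bad group: {g!r}")
        trimmed.append(g.lstrip("0").lower() or "0")     # rule 1: drop leading zeroes
    # rule 2: the longest run of zero groups (at least 2 long) becomes "::";
    # on a tie the leftmost run is used, and the substitution happens once.
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if trimmed[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and trimmed[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(trimmed)
    left = ":".join(trimmed[:best_start])
    right = ":".join(trimmed[best_start + best_len:])
    return f"{left}::{right}"


def matches_stdlib(addr: str) -> bool:
    """Cross-check against ipaddress, which implements the RFC 5952 text form."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for a in ("2008:0cb9:0000:0000:0000:ee00:0052:7329",
              "0000:0000:0000:0000:0000:0000:0000:0001",
              "2001:0db8:0000:0001:0000:0000:0000:0001"):
        print(a, "->", compress_ipv6(a), "(stdlib agrees:", matches_stdlib(a), ")")
```

The "only once" part of rule 2 is what makes the notation unambiguous: a second "::" would leave the reader unable to tell how many zero groups each one stands for, which is why an address containing two of them is rejected by every parser.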


Address classes:

Class | Range                        | Mask          | Description
A     | 0.0.0.0 to 126.0.0.0         | 255.0.0.0     | First byte defines the network
B     | 128.0.0.0 to 192.255.0.0     | 255.255.0.0   | First two bytes define the network
C     | 192.0.0.0 to 223.255.255.0   | 255.255.255.0 | First three bytes define the network
D     | 224.0.0.0 to 239.255.255.255 | -             | Multicast traffic
E     | 240.0.0.0 to 255.255.255.255 | -             | Reserved for future use

IP document (RFC 721)


ICMP: Internet Control Messaging Protocol


ARP: Address Resolution Protocol
RARP: Reverse Address Resolution Protocol

ARP only works between devices in the same IP subnet.
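The address-class table and the remark that ARP only works within one IP subnet come together in one question a practitioner actually asks: are these two hosts on the same network, by the classful default mask or by an explicit one? The block below is an added example, not part of the course slides. It classifies by the first octet (0-127 A, 128-191 B, 192-223 C, 224-239 D, 240-255 E, the boundaries defined by the address's leading bits) and derives the network with the standard library; the addresses are constructed.

```python
"""Classful IPv4 addressing and the same-subnet test that decides whether ARP
can resolve a neighbour directly.

Added example, not from the slides. Addresses used below are constructed.
"""
import ipaddress
from typing import Optional, Tuple

CLASSFUL = (  # exclusive upper bound on the first octet, class, default mask
    (128, "A", "255.0.0.0"),
    (192, "B", "255.255.0.0"),
    (224, "C", "255.255.255.0"),
    (240, "D", None),   # multicast: no host network
    (256, "E", None),   # reserved
)


def address_class(addr: str) -> Tuple[str, Optional[str]]:
    """Return (class letter, default mask) from the first octet."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    for bound, cls, mask in CLASSFUL:
        if first_octet < bound:
            return cls, mask
    raise AssertionError("unreachable: first octet is always below 256")


def network_of(addr: str, mask: Optional[str] = None) -> Optional[ipaddress.IPv4Network]:
    """Network containing addr: the explicit mask if given, else the classful default."""
    if mask is None:
        _, mask = address_class(addr)
        if mask is None:
            return None                       # class D/E: not a unicast network
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def same_subnet(a: str, b: str, mask: Optional[str] = None) -> bool:
    """True when both hosts sit in one network, so ARP can resolve one from the other."""
    na, nb = network_of(a, mask), network_of(b, mask)
    return na is not None and na == nb


if __name__ == "__main__":
    for host in ("10.1.2.3", "172.16.5.4", "192.168.1.1", "224.0.0.1", "240.0.0.1"):
        print(host, address_class(host), network_of(host))
    print(same_subnet("192.168.1.10", "192.168.1.200"))                    # True  (classful C)
    print(same_subnet("10.1.2.3", "10.200.0.1"))                           # True  (classful A)
    print(same_subnet("10.1.2.3", "10.200.0.1", mask="255.255.255.0"))     # False (real-world /24)
```

The last two calls show why classful defaults are only a textbook starting point: with the /24 that most networks actually use, the two class A hosts are on different subnets and traffic between them goes through a router rather than through ARP.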


The TCP three-way handshake (SYN, SYN/ACK, ACK)

TCP flags:

URG: Urgent data
ACK: The acknowledgement number field is significant
PSH: Push buffered data to the application
RST: Reset the TCP connection
SYN: Synchronize with the new sequence number value
FIN: Final data
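The flags live in the low bits of the header's seventh 16-bit word, and the handshake is a rule about which flags appear in which order with which sequence numbers. The block below is an added example, not part of the course slides; it builds three header-only segments in memory (nothing is sent on a network) and validates them as a handshake, which is the same check a stateful firewall or IDS applies before it accepts a flow as established.

```python
"""TCP header flags and the three-way handshake.

Added example, not from the slides. The segments are constructed in memory.
"""
import struct

TCP_HEADER = struct.Struct("!HHIIHHHH")   # 20-byte fixed header, network byte order
FLAG_BITS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def build_tcp_segment(src_port: int, dst_port: int, seq: int, ack: int, flags: set) -> bytes:
    """Header-only segment: data offset 5 words, no options, no payload, checksum left at 0."""
    unknown = set(flags) - set(FLAG_BITS)
    if unknown:
        raise ValueError(f"unknown flags: {unknown}")
    bits = sum(FLAG_BITS[f] for f in flags)
    offset_and_flags = (5 << 12) | bits        # data offset in the top 4 bits, flags in the low bits
    return TCP_HEADER.pack(src_port, dst_port, seq, ack, offset_and_flags, 65535, 0, 0)


def parse_tcp_header(raw: bytes) -> dict:
    """Decode the fixed header; the six classic flags are the low six bits of word 7."""
    if len(raw) < TCP_HEADER.size:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_flags, window, checksum, urg_ptr = TCP_HEADER.unpack(raw[:TCP_HEADER.size])
    flags = {name for name, bit in FLAG_BITS.items() if off_flags & bit}
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": flags, "data_offset": (off_flags >> 12) * 4, "window": window}


def is_three_way_handshake(segments) -> bool:
    """True for SYN / SYN+ACK / ACK with consistent sequence and acknowledgement numbers.

    SYN consumes one sequence number, so the server acknowledges client_seq + 1
    and the client acknowledges server_seq + 1.
    """
    if len(segments) != 3:
        return False
    syn, syn_ack, ack = (parse_tcp_header(s) for s in segments)
    return (syn["flags"] == {"SYN"}
            and syn_ack["flags"] == {"SYN", "ACK"}
            and syn_ack["ack"] == syn["seq"] + 1
            and ack["flags"] == {"ACK"}
            and ack["seq"] == syn["seq"] + 1
            and ack["ack"] == syn_ack["seq"] + 1)


def demo_handshake() -> list:
    """Constructed client (port 40000) to server (port 443) handshake."""
    return [
        build_tcp_segment(40000, 443, seq=1000, ack=0, flags={"SYN"}),
        build_tcp_segment(443, 40000, seq=5000, ack=1001, flags={"SYN", "ACK"}),
        build_tcp_segment(40000, 443, seq=1001, ack=5001, flags={"ACK"}),
    ]


if __name__ == "__main__":
    segs = demo_handshake()
    for s in segs:
        h = parse_tcp_header(s)
        print(h["src_port"], "->", h["dst_port"], sorted(h["flags"]), "seq", h["seq"], "ack", h["ack"])
    print("valid handshake:", is_three_way_handshake(segs))      # True
    print("only two segments:", is_three_way_handshake(segs[:2]))  # False (half-open)
```

A connection that stops after the first two segments is the half-open state a SYN flood leaves behind; counting flows that never reach the third segment is the simplest detection for it.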


UDP Protocol

• Connectionless protocol
• No handshake

Diagram: datagrams (Data, Data, Data, Data) are sent one after another without any handshake.


Service            | TCP                 | UDP
Reliability        | Reliable delivery   | Best effort, no guarantee
Connection         | Connection-oriented | Connectionless
Congestion Control | Yes                 | No
Speed              | Slower              | Faster


20 FTP data

21 FTP control

22 SSH

23 Telnet

25 SMTP

53 DNS

69 TFTP

80 HTTP

110 POP3

119 NNTP

123 NTP

143 IMAP4

443 HTTPS

Well-known ports: 0-1023 (out of 65535 ports in total).

Example of a security practice: moving SSH off the default port of 22 will deter some of the non-targeted and script-kiddie type attacks.

Figure source (slide 82): http://www.planetoftunes.com


Mesh Topology: All workstations are connected to each other
• Advantage: Dedicated connection for all workstations.
• Disadvantage: More wiring is required for each connection.

Star Topology: All workstations are connected to the central equipment
• Advantage: Other workstations can connect easily without affecting the rest of the network.
• Disadvantage: Single point of failure (central hub or switch)

Bus Topology: All workstations are connected to a backbone
• Advantage: Requires less cable length.
• Disadvantage: Single point of failure (backbone)


BNC connector: 10Base2

RJ-45 connector: 10BaseT


Twisting wires helps reduce the effect of stray capacitance, noise and signal loss.


Wireless technologies

Wireless encryption standards:

• Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA)
• WPA2


Warwalking: Walking around looking for Wi-Fi networks
Wardriving: Driving around looking for Wi-Fi networks
Warflying: Flying around to look for Wi-Fi networks
Warchalking: Drawing symbols in public places to advertise an open Wi-Fi network


THANK YOU !

PLEASE FEEL FREE TO ASK QUESTIONS OR SHARE YOUR TIPS
