Friday, November 1, 2013

CISSP start


OK,
Got this request from management.
CISSP.
Not really a useful cert, it is all theory and no hands on.
So it should last for a while and is a good basic to have.

The Exam has ten domains.
You can go online to
https://www.isc2.org/cissp-domains/default.aspx
and download the CISSP domains, you just have to fill in some details.

there are three books you can use.
1. Shon Harris  CISSP all in one   6th edition.
2. Official ISC2 guide to CISSP
3. CISSP: Certified Information Systems Security Professional Study Guide  James
4. CISSP study guide by Eric and some other people.

The rest seem to be duds based on the amazon reviews.

Let's do it.
I'll start with the CISSP by James Stewart.

Chapter 1
The first domain here is ACCESS CONTROL

What is Access control.
Any measure you put in place, the measure can be hardware, software or a managerial policy.
That measure identifies the user, determines if he is authorized, grants or restricts, then logs this.
SUBJECT    - active entity
OBJECT -   passive entity.
A subject will use an object 
A user will access a file
A process will write to a file 

A USER {subject}  will access an object.
The OWNER  is the owner of the object and determines the use of it.
A CUSTODIAN takes care of the object for the owner and makes it available for the users.

The goal of the security it to provide the CIA  of IAC
Confidentiality - that it has not been read
Integrity -  that it has not been changed.
Availability - that it is available online  

Policies
A security policy is made by Senior leadership and is used as the guiding IDEA of security that is needed.
It states rough goals and ideas, it does not state how to achieve this.

User rights to do something applies to a user
The file permissions     applies to an object 
Privilege is the combination of both 

Access control types
Prevent  - something from happening                      fence
Detect    -  it when it happens                              smoke alarm
Correct -  it fix it                                                put out the fire
- Deterrent -   scare someone                            place a big shiny light to scare thieves
- Recovery  -   replace the burnt servers           
- Directive  -  use a Direction like a sign
- compensation -   looks to compensate for a problem
- Administrative control -     hiring practices
- Logical controls   - software + Hardware              like passwords
-  physical control -  Fence, wall, door

The Goal is to layer the above in circles or layers.
Physical to stop you going in,  
logical in case you got in you can't use it 
Administrative like requiring a manager to type in his password to get cash out.

Access control security elements
Identify the user  -  username  or name
Authenticate the user -   ID  or a password
Authorize -   check to see if he is allowed in  or use Access lists.
Accountability - Write his name down, so you know he came in or in IT log it in the syslog or audit log.

Authentication has 3 types
Type 1 - what you know   like a password
Type 2 - what you have    like a security HID card
Type 3 - something you are        like your finger print.
Two factor authentication will use two of the above.
*** you can also use somewhere you are, for example dial back or the pc location [type2]

Type 1 password
Weak, users re-use the password and it can be guessed.
Users sometimes write them down if they are complex.
They can be hacked using brute force or other attacks.
They usually use a HASH to compare the passwords so they don't send them on the network.
Selection -  
length - the longer they are the more difficult to crack with a brute force
complexity- the more complex the more difficult 
history - prevents users from re-using their passwords.

To avoid dictionary - don't use words
to avoid brute - use numbers and capitalization
to avoid guessing - don't use personal details.

Passphrase -    I@mstudying4CISSP     =Easier to remember. Increases the length to counter brute.
Cognitive password -Number of questions like 1.dog name   2. mother maiden -used for password recover

Type 2 - what you have
Smartcard    -- static token
CAC common access card
PIV  personal identification verification    
Token - generates a password.
Token synchronous    -    both the token and the server must be time synchronized
Token  Asynchronous    -   the server will send a challenge, you type the challenge in and get a password.

Type 3 - what you are.
A photo on an ID    - you are the photo.
Fingerprint 
Face shape scan
Retina can show diabetes or sick 
IRIS - color area 
Hand geometry
Voice pattern recognition 
Signature or keyboard typing dynamics
Errors on this are - Type 1 error   false negative   FRR  false rejection -   it does not recognize me.
Errors on this are -  Type 2 error  false positive    FAR  acceptance rate -   it allowed the thief in .
CER crossover rate is when you change the sensitivity of the device and they match.
Low CER is more accurate.
A false rejection is considered much more preferable. That way the admin can double check the identity.


registration is done using enrollment - your enroll, fill the paper work, get a measurement and the DB will
register you and create a record  or a reference profile 

Access control techniques
Need to know -An example is, if you are not serving in Iraq you don't need to see that regions top secret
even if you have a top secret clearance.
Least privilege -  gives you the minimum permissions so you can do your job.
Separation of duty - split the task so that two people or more are required for it.

Discretionary access control - DAC =
The owner of the object can define the access level of the subjects to it.










Each object has an ACL









Non-discretionary.
This is centrally controlled.
Rule - based access control    an example is a firewall. It has rules and the owners get no say.

Role Based Access Control - RBAC,  the explanations in the book are shit so let's do it this way.
Let's say we make a role - new_client_creator.
The role can create a new client.
The actions are  open a a folder for them permission + add a line in the DB + change the address lines 
Now, instead of you having permissions to each item with your user. We give those permissions to that
role  and we assign you that role.
So in RBAC you package the role to equate a work task   and then you assign the work task/role
just to make sure.
This is not you assigning accounting group to the accountant.
You need to create a work task, called add_new_provider   and assign him a task
Thanks to Greg Shields for doing a better job than the rest of the authors.

MAC mandatory access control - {tip they have labels}
The first question to ask is
What is your security level - you can access items at your current security level and lower.

The second question is 
Do you need to know this to do your job 

So in real life.
Let's say I work in Iraq and I do security for oil shipments.
My role is shipping oil
So the oil trucks will be marked     need to know- shipping oil  secret
The route maps in Iraq will be marked    need to know shipping oil  secret
The oil dollar value in iraq  will be marked      need to know shipping oil  top secret 
The list of Iraqi collaborators will be marked    TOP secret             but the need to know will be CIA
The route maps in Afghanistan will be marked      need to know  Afghanistan

So let's see.
I have top secret   but I can't see what routes they use in Afghanistan as it is not my theater of operations.

I can't see the list of Iraqi collaborators because I don't have a need to know, it is not relevant to my role
even though I have administrator account or as we call it here top secret.

So as you can see I can do my job.
I can see the oil trucks.
I can see the routes
and I can make accounting dollar cost oil reports.

Now if I have a subordinate I can give him secret,
and then he can only
see oil trucks
see truck routes
so he can just do his job which would be to ship the trucks around Iraq.

So hierarchical MAC  uses only the secret and top secret
compartmentalized MAC   uses compartments only  like   CIA/shipping oil/ Afghanistan
Hybrid is a mix of the two 

centralized access control - means one administrator location  kind of like a dictator.
Distributed access control - means you let every "location" or dept be in charge  kind of the states in the USA making their own laws.

Single sign on-
This is like the USA passport, it works in all the states and countries.

Kerberos.
Uses a KDC Key distribution center -    This is the Ministry of Interior    it gives you a key or passport.TGT
                                                            we can call this passport  TGT ticket granting ticket.

Now when i want to access a resource, I present my TGT  to  the LDAP server or security guard
and he let's me have access to the resource.

In kerberos the timing must be synchronized to within 5 minute difference for it to work.

Federated Identity.
Another way to move identity credentials between separate security domains.
For example you give your ID card  to the university so you can access their systems is to use
an  intermediary .
XML has tags     <user> Saar </user>   <password> test123 </password>
SAML security Assertion Markup Language   uses XML for SSO.
SPML   service provision markup  uses   DSML
                                                               DSML   takes LDAP and uses XML to represent this.

Extensible Access Control Markup Language (XACML)  used for federated Role Base.

Other
You can use manual scripts, when you log in. The system will log you in to other systems too.

RADIUS -  dial in user, this was based on autheticating dial up users.  The user connects to a device.
The device will forward the request to the Radius server.
Radius can provide AAA,
authentication and authorization at the same time of the user
Accounting of all of this.

Tacacs - is old                                                             UDP49
xtacacs -  was made by Cisco only                              UDP49

Tacacs+    is open,   the key here is it encrypts all of the authentication information.       TCP49
It also logs all the commands and checks them against your authorization.
So better for an administrator.

Diameter
Supports more products.
TCP 3868  or SCTP  3868
more reliable and uses IPSEC  and TLS.


Mechanisms.
Implicit deny on all items  unless it is allowed  -  usually a firewall has this at the end deny all
ACL -  an ACL is applied on each object
Capability table-    this is a different view it is applied on the subject.

ACL

Capability table.

Constrained view.

So, I can remove the RUN button.


So I have constrained the users view and he CAN"T see the the RUN.
It is still there if you know how to get to it, but he can't see it in the start menu.

Content view - means I limit the number of fields you can see but the admin can see the whole table. This is similar to a view.


Context-view In this case you use a context, for example the time of day.
So from 12-6 am in the morning, when you log in to the corporate web, you can't do any work actions
only read.

Identity and access lifecycle

Provision the user  -  Hire, make him sign agreements, add him to groups etc.
Review -   every so often review the account, make sure he did not get more permissions than he needs. In IT we used to have a script that would remove all 'local" administrators on windows and replace
them with the group called "helpdesk administrators" this helped return PCs back to normal.
Revocation -  when someone leaves, you need to disable and remove the account.
As a best practice, this should be immediate.....

Provision
review
revoke

PRR!!!!






Chapter 2
Access control Attacks and how to monitor this.
One of the goals of the Access Control is to prevent unauthorized access to objects
Disclosure = C
Alteration = I
Availability = A

Crackers = malicious intent
Hacker = non malicious intent
attacker = someone who wants to exploit the vulnerability

RISK is the likelihood that a  Threat Agent --> Threat  -->  takes advantage of a vulnerability --> of an asset.

Asset valuation.
Risk management is the service of providing that risk evaluation.
Server can be $20000 in hardware but if you are an ecommerce it can generate
that much every day. So losing the server to fire would cost you.
7 days * $20000 = $140,000 in losses  + the server hardware.

The above also helps in evaluating whether the cost of the countermeasure is worth
the investment.

Threat Modeling
Each of these assets can be attacked.
The attacks are also called threats
The threats can be done by attackers  or threat agents
or they can be done by natural disaster, user fault etc.
Your goal is to reduce the number of threats
and reduce the severity of the threats.

You can look at it from the
Threat agent               - this is the hacker in Russia, what can he reach.
or the asset view -  ie this is my asset  and this is the attacks that can be done on it
Software view -      if you are developing software.

APT - advanced persistent threat : group of hackers targeting your network.


Vulnerability
The potential of the threat to exploit a weakness.
Vulnerability scans are a full time job for some companies.


Attacks
Access aggregation.
Collect many pieces of non-sensitive info to build a picture.

Password attacks -   hack the administrator password, since very few organizations change it also it won't get disabled even after repeated failures.
to counter that, you turn on logging and alerts, Microsoft also recommends you rename it so it is not so obvious.  you can leave the "administrator" as a honey pot.

If two separate passwords create the same hash that is called a collision.
The birthday attack focuses on collisions. There is a high chance of collisions.
If you have a word that makes the same hash it is as good as the original password.

So let's go back and explain the hacking.
In the good old days PAP would send your password in clear text.
If you use a Sniffer, you capture the traffic on the wires and find out the password .

So they came up with verifying your password by sending a hash back and forth and not the original
password.
So when you try to guess a password like.
On my XP, I will type  password2013.
The XP will create a HASH and send over the HASH.
The   Server that is authenticating you will compare your HASH to his HASH(server)
If they match he will assume the password is correct.

So as we explained, a collision is when another word creates the same HASH.
In this case the server can't tell the difference and let's you in.

Now, if your password is a word  or even an upped-word  which is a word + 1 number.
A dictionary attack can easily figure it out. This is because there are only 500,000 words.
I'd guess this is the equivalent of 6 letter password. So it would be pretty quick to decipher.

Now, if you have made it too short and not very complex eventually a brute force attack will get it.
Now, if they have an offline copy of the DB like a SAM file that stores the windows passwords
from a laptop HD they stole, it would be quicker as they can run more runs per second.

Some people, create a rainbow table that has a long list of passwords that have already had their hash calculated. So this saves you the CPU cycles of each  plaintext to hash conversion.
rainbow tables usually go for the more predictable items.

To protect against the Rainbow table you add a hash, now the rainbow table needs to be recalculated against the hash   and you can also salt each password which renders the table useless.



Spoofing
Spoof the Email
Spoof the phone number.

Social engineering
Simply asking the user for his password while pretending to be someone in the organization.

Phishing
Getting you to click on links.

Spear phishing
Targeting specific people

Whale phishing
targeting people high up.

Vishing
is Phishing using VOIP to get details.

Smart card attack, or side-channel
You listen in  proximity, when the card sends an RF you copy it.

DOS or DDos  allow you to attack the availability.

Prevention
Control access to the systems  that way they can't get an offline copy, put keyloggers etc
Control electronic access to the password file
encrypt the password files
Strong passwords
mask passwords **** to prevent over the back snoopers.
Use multifactor authentication
use lockout mechanism
user alerts
Use last logon notification so the user can tell if there have been any other attempts.
Educate the users on passwords and security
Audit the access
Scan for vulnerabilities by yourself and not wait - ie be proactive.

Use logs
protect the logs
monitor and analyze the data from the files. SIEM security information event management
Use Audit trails and let users know about them.
clipping level also called a threshold, don't let me know about 1 failed attempt only if 3 happen.

Keystroke monitoring- can be used by management
Traffic analysis - analyze the traffic and the patterns  IPS
network data loss prevent - scan for key words or SS social security numbers going out.

Audit
the Access
the process
entitlements of users to prevent growth of privileges or creeping.
or you can also use external audits.

This one is nice, Dual administrator.
So one account is  SaarHarel  the other one is networkadmin  that way when I go surfing to bad sites, I use the regular one   and when I do maintenance I use the "networkadmin" one.

Protect the results of audits, so they can't be used to target you.

Monday, October 7, 2013

Security governance

Top down approach
Management comes up with a policy.
We then implement the policy.

Strategic is a long term, you alin it with the goals missions usually 5 years
Tactical plan, 1 year
Operational plans 

Global
Standards, baselines, guideline and procedure

Security governance a combination of security and management.
Managed by a committee

Senior manager
Professional
Data owner
Custodian
Auditor

Layers defense in depth
Abstract them
Data hiding - lower can't access
Encryption hiding it from unintended users

Privacy requirements compliance.
Individual rights
organization rights.
HIPAA
SOX
PCI DSS

Planning to plan
COBIT and ITIL
DUE cARE is using care
Due dilligence is performing those actions that are in the CARE

CIA
Identity of the user
Authenticating the user
Authorizing him to access items
Auditing his access usage
Accountability to hold him accountable.
Non repudiation so he can't deny it.


Security polocy
Regulatory for the industry
Advisory advises what to do
Informative about a subject

Acceptable use policy


Standard
Baseline - minimum
Guidelines of how to use.

Procedures
Change only the affected part.

Change control in an orderly manor.
Parallel run of a system at the same time.


Top secret
Secret
Confidential
Sensitive but unclassified
Unclassified

Risk and people.
Third party running gvernance they give you the right to operate.

Asset
Asset value $
Vulnerability to attack
Exposure   a vulnerability
Risk  the risk of the  item
Safeguard  - countermeasure
Attack
Breach an attach that worked.


Value
Qualitative  or quantitative
Quantity
Asset Value
EF     chance of something happening in %
SLE    AV*EF
ARO   how many times SLE in a year
ALE    ARO * SLE

Safeguard

Safeguard cost


Qualitative.
Relies on people judgement.
Delphi is a anonymous

Handle the risk
Mitigate
Assign to sombeody
Accept it
Reject


Separate duty
Separate responsibility
Rotation

Background check
Control third party vendor
Terminate employee

Train people by making them aware.
Educate by giving more knowledge.


Tuesday, August 20, 2013

Network and securing it.


the above should be memorized.
I use  A per Saar tutto non dificcile.
You can create your own.
All planes spend time near detroit.
Basically take the first letter and create a word  then join those to a sentence that is easy to memorize.


t
This is also good to memorize for CISSP and CCNA.
The way I memorize it is
SPFB  the last letter then down to the lowest letter.
The datagram is the odd one out,
I just use the gram as an analogy to weight, ie UDP just sends things in bulk and doesn't care about reliability.

At layer 1 we get  -  hubs, nics and repeaters
at Layer 2 - switches, bridges
At layer 3 - routers
At layer 4 - firewalls   {ports}
At layer 5-7 load balancers - applications.

Ports -  IANA recommends
0-1023                    well known ports
1024-49151            registered
49152-65535          dynamic

R1    SYN   hello, I am R1  ----->
                                                         <-------------   ACK nice to meet R1-{SYN  Hello I am R2} R2
R1    ACK nice to meet R2 ---->


Transmission window - this window states how many  packets you can send before needing an ACK.
The bigger the window, the less the overhead of waiting for ACKs becomes.
Sliding Window  -   this refers to the change in the transmission windows, less reliable =smaller
more reliable = bigger windows.

FLAGs - you can mark flags in a TCP packet  Layer 4.
ACK - acknowledge
SYN - synchronize                            - respond  with ack
FIN -  final packet                            - respond with ack
RST - reset the connection noew

TCP label of protocol in Layer 3 is 6


ICMP
The following are the ICMP type fields.
0   reply
3    unreachable
5     redirect
8  echo   request    
9   router advertise
10   router solicitation
11    time exceeded

IGMP - used for multicasting.

ARP   IP to MAC
RARP   MAC to IP


Internet public              -   this is the public internet.
Intranet -   internal  internet for the company.          -  this is like the internal site for company users
Extranet  -    an internet for a partner company     - this is like the volvo portal for dealers

According to the book, you need to memorize.
FTP port 21
Telnet port 23
SMTP  25      
DHCP  67 68
TFTP    69
HTTP  80
POP3  110
IMAP  143
SNMP 161

NAC - network access control.
Instead of looking at someone trying to guess the password on the server as 192.168.0.252 IP
The NAC will be able to associate that to a user, this allows for excellent correlation and improves response time.
Enforcement point to enforce policy on end users -  for example, you can't log in without an AntiVirus.

Pre-admission - prevents you access to the network
post-admission -  allows you access but limits what you can do.
an example of a NAC is the
juniper  MAG appliance.



When you plug in to the network, the switch will forward the data to the NAC and the NAC to the AAA{radius}
The AAA can decide if yes no and give you a vlan or similar. The NAC will send it to the switch
and the switch will assign it to you.
e voila you can surf.


Firewall-
Static - layer 3        "access-list 101 deny ip any host 171.16.23.1 "
Static  ACLs   using Layer 4  aka ports          " access-list 101 permit tcp any host 171.16.23.1 eq 80"

Stateful -
the firewall maintains a state of the connection.
For example I contact www.cnn.com. So now when the packet comes back from CNN the firewall
recognizes I asked for it.
This is like going out of a Disco and telling the guard you'll be back, that way he let's you in.

Proxy Firewall-
Copies each item and sends it as if he is the originator.
This is very costly in CPU cycles and some applications don't like it and will break.

Multi-Homed Firewall
Goes to 2 or more WANs

Tiers
Single = 1 firewall
Two-Tier =   2 firewalls or 2 zones
Three-tier =  3 firewalls  or 2 firewalls with 3 zones.

Endpoint security
AV, anti spam etc what ever you deploy on the final node.

Other

The rest of the network I know, so it might be beneficial for the user to quickly do network + or CCNA here.
Synchronous is using a timing of sorts.
Baseband = 1 channel
Broadband = many channels.

CSMA/CD
Transmit and listen if there was a collision ,,, if so then try again.

CSMA/CA  collision avoid.
Transmit  then wait for an ack   if none arrives try again

Last thing is a
TCP wrapper, originally for linux/unix this basically creates static ACLs
Also WAP is for phones  
WPA is authentication for WiFi.

Network attacks and secure communication
Secure data when it is standing
Secure data when it is in transit.

Chapter 4
Securing the communication itself

SKIP was replaced by IKE  - both are ways to exchange the secret.
SWIPE  was a layer 3 IP protocol that encapsulates the package. Replaced by IPSEC
S-RPC  uses RPC  but sets up a security first.   RPC is used to send command to a remote place
Remote Procedure  CALL {command}

SSL - used to secure FTP, http     replaced by TLS.

TLS - in layer3 is open VPN.
         can be used to encrypt SIP and UDP.

SET - secure electronic transaction , used by the PCI card industry or at least supported by them.

IPSEC - uses IKE to set up the phase 1 , then encrypts on phase 2.


Authenticating the user 
PAP - password authentication uses  clear text and no encryption.
CHAP -  encrypts the password and username.  Uses a Challenge Response, so it can't be replayed.
EAP - extensible authentication protocol.
LEAP -  EAP by Cisco ,     you can crack it using asLEAP
PEAP -  protected EAP,  this authenticates the connection in a TLS tunnel  {the best}

Tunnel
Virtual Private Network is a point-to-point network from A to B.
The VPN can be encrypted ESP   or not  AH only.      C and I   of the CIA
A VPN does not guarantee the Availability of CIA.

Layer 2
L2F
L2TP -  any protocol

Layer 3
PPTP
IPSEC          - does not do dial up   but has native encrypt.

VLAN
Virtual lans can be used to segment traffic within a VLAN. broadcast

RAS - remote access Server
This is for road warriors, people who work from home etc.
They can dial up using a modem  (so 1990's)
They can use a VPN
They can use a Thin client   which will use  a VPN probably to secure that communication too.

So,
only people who need the remote access should be granted access.
users must be very well authenticated before being granted access.
protect the network communications by encrypting it

VOIP
caller ID can be faked.
VISHING - phishing for information using calls.
SPIT -  spam over the internet telephony.
DDoS on call managers

Multimedia collaboration.

IM
Packet sniffing
no native security
malicious code using the file transfers in them which are not secure.

Restricting remote access.
Callback to a number
Caller ID can be spoofed

PPP using pap and chap
SLIP older used for IP - no compression

Radius  - uer pass
TACACS
Xtacacs
tacacs+  two factor

NAT
HIdes IP scheme
NAT is one to one
PAT is port address translation.

NAT maintains a state
it can be static or dynamic

APIPA gives you an IP
169.254.0.1   169.254.255.254   255.255.0.0
This means you have not reached a DHCP


Switching
Circuit gives you the whole circuit  -     this is similar to a phone line
Packet - does it per packet    -  this is like VOIP, it routes every packet differently.
Virtual Circuit is a """sub""" circuit      -   this is similar to each phone getting a channel on a T1

PVC - will set it up for good
SVC - switched Virtual Circuit  will set it up for the conversation.

The usual
DS0 =  a phone line 64Kbps
DS1  = T1   1.544Mbps
DS3 = T3   44.736

BRI = 2 B +D
PRI = 23B + D

CSU/DSU channel - data service unit.
DTE terminal          -client
DCE   circuity       - ISP

Frame relay sets up many PVC over the same medium.
Also uses CIR to guarantee bandwidth for clients.

ATM uses a cell that is 53 bytes long.

SDLC used for SNA
HDLC higher level
HSSI  used for serial layer 1

Dial up is encapsulated in PPP

Hash verification
A website will publish the Hash, that way you can verify you got the correct file.

Record sequence checking
can be used to see all the parts have arrived.

Transmission logging
Helps in order to troubleshoot
Transmission error correction
Helps in order to set up a re-request of the missing packets.

EMAIL security
Non-repudiation = can't say that you did not send this
Access to recipient =  confidential - can't open
Integrity =  can't change the message en route
Auth and verify the source =   helps for repudiation
Verify delivery =  message arrived
Classify sensitive content =   in the messages.

Use policy
management
backup and retention
Access control of Emails
Privacy of them.

Securing Email
S/MIME  uses PKI to verify the source  CIA
Moss  Mime  uses  MD2,5  and RSA to give you encryption and authentication.
PEM privacy enhanced  RSA DES and PKI
PGP - pretty good privacy. -  PKI

Block certain types of attachments.
Scan attachments for viruses

FAX
disable auto print as it sits in the tray
send them to electronic format.

ENCRYPT VOIP
Social engineering


PBX
log everything
set up codes for remote dialing
block remote calling and then dialing out
current updates from the vendors.

Phreaking
Black box steal line
red  make coin noise
blue  2600 Hz
White


Network Attacks.
DDoS
Eavesdrop using sniffers  - add physical and  use encryption
Impersonate users - better authentication
replay the data  - one time or sequence
Modification -  avoid using hash and digital signatures
ARP spoofing  - use DHCP to run DAI dynamic arp inspection
DNS poison - secure DNS  or add DNSSEC
hyperlink spoof -  looks like a valid link.