Video description
The fast, powerful way to prepare for your CISSP exam!
30+ hours of personal video training from leading security
expert Shon Harris
Achieving the (ISC)2’s globally recognized CISSP can give
your IT career a lift. In this DVD, the world’s #1 CISSP trainer
brings her legendary five-day boot camp to your computer screen.
Packed with over 30 hours of instruction adapted from Shon’s
classes, this video course includes realistic labs, scenarios, case
studies, and animations designed to build and test your knowledge
in real-world settings. Preparing for the CISSP has never been this
easy or convenient.
Master the skills and concepts you need for all ten CISSP
common body of knowledge domains:
Access Control
Application Security
Business Continuity and Disaster Recovery Planning
Cryptography
Information Security and Risk Management
Legal, Regulations, Compliance, and Investigations
Operations Security
Physical (Environmental) Security
Security Architecture and Design
Telecommunications and Network Security
System Requirements
OPERATING SYSTEM: Windows 2000, XP, or Vista; Mac OS X 10.4
(Tiger) or later
MULTIMEDIA: DVD drive; 1024 x 768 or higher display; sound card
with speakers
COMPUTER: 500MHz or higher CPU; 128MB RAM or more
Table of Contents
Introduction
Introduction
Domain 1 — Information Security and Risk Management
Information Security and Risk Management
Mainframe Days
Today’s Environment
Security Definitions
Examples of Some Vulnerabilities that Are Not Always Obvious
Risk — What Does It Really Mean?
Relationships
Who Deals with Risk?
AIC Triad
Who Is Watching?
Social Engineering
What Security People Are Really Thinking
Security Concepts
Security?
The Bad Guys Are Motivated
Open Standards
Without Standards
Controls
Holistic Security
Different Types of Law
How Is Liability Determined?
Due Diligence and Due Care
Prudent Person Rule
Risk Management
Planning Stage — Scope
Planning Stage — Analysis Method
Risk Management Tools
Defining Acceptable Levels
Acceptable Risk Level
Collecting and Analyzing Data Methods
What Is a Company Asset?
Data Collection — Identify Assets
Data Collection — Assigning Values
Asset Value
Data Collection — Identify Threats
Data Collection — Calculate Risks
Scenario Based — Qualitative
Risk Approach
Qualitative Analysis Steps
Want Real Answers?
Qualitative Risk Analysis
ARO Values
Can a Purely Quantitative Analysis Be Accomplished?
Risk Types
Losses
Cost/Benefit Analysis
Cost of a Countermeasure
Cost/Benefit Analysis Countermeasure Criteria
Calculating Cost/Benefit
Controls II
Quantitative Analysis
Can You Get Rid of All Risk?
Uncertainty Analysis
Dealing with Risk
Management’s Response to Identified Risks
Risk Acceptance
Risk Analysis Process Summary
Components of Security Program
A Layered Approach
In Security, You Never Want Any Surprises
Building Foundation
Security Roadmap
Functional and Assurance Requirements
Most Organizations
Silo Security Structure
Security Is a Process
Approach to Security Management
Result of Battling Management
Industry Best Practices Standards
Pieces and Parts
Numbering
New ISO Standards
COBIT
Measurements
Information Technology Infrastructure Library
Security Governance
Security Program Components
Policy Framework
Standards
Data Collection for Metrics
Tying Them Together
Entity Relationships
Senior Management’s Role
Security Roles
Information Classification
Data Leakage
Do You Want to End Up In the News?
Types of Classification Levels
Data Protection Levels
Classification Program Steps
Classification Levels
Information Owner Requirements
Clearly Labeled
Testing Classification Program
Employee Management
Employee Position and Management
Hiring and Firing Issues
Unfriendly Termination
Security Awareness and Training
Training Characteristics
Security Enforcement Issues
Answer This Question
Domain 1 Review
Domain 2 — Access Control
Access Control
Agenda 1
Access Control Mechanism Examples
Technical Controls
Access Control Characteristics
Preventive Controls
Control Combinations
Detective — Administrative Control
Detective Examples
Administrating Access Control
Authorization Creep
Accountability and Access Control
Trusted Path
Fake Login Pages Look Convincing
Who Are You?
Identification Issues
Authentication Mechanisms Characteristics
Strong Authentication
Fraud Controls
Internal Control Tool: Separation of Duties
Authentication Mechanisms in Use Today
Verification Steps
What a Person Is
Why Use Biometrics?
Identification or Authentication?
Iris Sampling
Finger Scan
Hand Geometry
Downfalls to Biometric Use
Biometrics Error Types
Crossover Error Rate
Biometric System Types
Passwords
Password Attacks
Attack Steps
Many Tools to Break Your Password
Rainbow Table
Passwords Should NOT Contain…
Countermeasures for Password Cracking
Cognitive Passwords
One-Time Password Authentication
Synchronous Token
One Type of Solution
Administrator Configures
Challenge Response Authentication
Asynchronous Token Device
Challenge Response Authentication
Cryptographic Keys
Passphrase Authentication
Key Protection
Memory Cards
Memory Card Characteristics
Smart Card
Characteristics
Card Types
Smart Card Attacks
Software Attack
Side Channel Attack
Side Channel Data Collection
Microprobing
Identity Management
How Are These Entities Controlled?
Some Current Issues
Management
Typical Chaos
Different Identities
Identity Management Technologies
Directory Component
Enterprise Directory
Directory Responsibilities
Authoritative Sources
Meta Directory
Directory Interactions
Web Access Management
Web Access
Password Management
Legacy Single Sign-On
Account Management Systems
Provisioning Component
Profile Update
Working Together
Enterprise Directory
Identity Management Solution Components
Federated Identity
Identity Theft
Fake Login Tools
Instructional Emails
Knowing What You Are Disposing of Is Important
Other Examples
Another Danger to Be Aware of… Spyware
Is Someone Watching You?
What Does This Have to Do with My Computer?
New Spyware Is Being Identified Every Week
How to Prevent Spyware
Different Technologies
Single Sign-on Technology
Security Domain
Domains of Trust
Thin Clients
Example
Kerberos as a Single Sign-on Technology
Tickets
Why Go Through All of this Trouble?
Issues Pertaining to Kerberos
Kerberos Issues
SESAME as a Single Sign-on Technology
SESAME Steps for Authentication
Combo
Models for Access
Access Control Models
ACL Access
File Permissions
Security Issues
Mandatory Access Control Model
MAC Enforcement Mechanism — Labels
Formal Model
Software and Hardware
Software and Hardware Guards
MAC versus DAC
Role-Based Access Control
RBAC Hierarchy
Rule-Based Access Control
Firewall Example
Access Control Matrix
Temporal Access Control
Access Control Administration
Remote Centralized Administration
RADIUS
RADIUS Characteristics
TACACS+ Characteristics
Diameter Characteristics
Diameter Protocol
Mobile IP
Diameter Architecture
Two Pieces
AVP
Decentralized Access Control Administration
Controlling Access to Sensitive Data
IDS
IDS Steps
Network IDS Sensors
Host IDS
Combination
Types of IDSs
Signature-Based Example
Behavior-Based IDS
Statistical Anomaly
Statistical IDS
Protocol Anomaly
What Is a Protocol Anomaly?
Protocol Anomaly Issues
Traffic Anomaly
IDS Response Mechanisms
Responses to Attacks
IDS Issues
Vulnerable IDS
Domain 2 Review
Domain 3 — Cryptography
Cryptography
Services Provided by Cryptography
Cryptographic Definitions
Cipher
A Few More Definitions
Symmetric Cryptography — Use of Secret Keys
Scytale Cipher
Substitution Ciphers
Simple Substitution Cipher Atbash
Caesar Cipher Example
Simple Substitution Cipher ROT13
Historical Uses
Vigenere Algorithm
Enigma Machine
Historical Uses of Symmetric Cryptography — Running Key and Concealment
Agenda 1
Transposition Ciphers
Key and Algorithm Relationship
Ways of Breaking Cryptosystems — Brute Force
Brute Force Components
Ways of Breaking Cryptosystems — Frequency Analysis
Strength of a Cryptosystem
Developing Cryptographic Solutions In-House
Characteristics of Strong Algorithms
Open or Closed More Secure?
Types of Ciphers Used Today
S-Boxes Used in Block Ciphers
Binary Mathematical Function 1
Type of Symmetric Cipher — Stream Cipher
Symmetric Characteristics
Initialization Vectors
Security Holes
Strength of a Stream Cipher
Out-of-Band Transmission
Symmetric Key Management Issue
Asymmetric Cryptography
Key Functions
Public Key Cryptography Advantages
Asymmetric Algorithm Disadvantages
Confusing Names
Symmetric versus Asymmetric
Questions 1
When to Use Which Key
Encryption Steps
Receiver’s Public Key Is Used to Encrypt the Symmetric Key
Receiver’s Private Key Is Used to Decrypt the Symmetric Key
Digital Envelope
Secret versus Session Keys
Asymmetric Algorithms We Will Dive Into
Diffie-Hellman
Key Agreement Schemes
Asymmetric Algorithm — RSA
Factoring Large Numbers
RSA Operations
RSA Key Size
El Gamal
Asymmetric Mathematics
Asymmetric Security
Mathematics
Block Cipher
Double DES
Evolution of DES
Modes of 3DES
Encryption Modes
Block Cipher Modes — CBC
Different Modes of Block Ciphers — ECB
ECB versus CBC
Block Cipher Modes — CFB and OFB
CFB and OFB Modes
Counter Mode
Modes Summary
Symmetric Ciphers
Data Integrity
Hashing Steps
Protecting the Integrity of Data
Hashing Algorithms
Data Integrity Mechanisms
Hashing Strength
Question 1
Weakness In Using Only Hash Algorithms
More Protection In Data Integrity
MAC
HMAC — Sender
Another Look
What Services
CBC-MAC
MAC Using Block Ciphers
Integrity?
What Services?
Question 2
Digital Signatures
U.S. Government Standard
What Is…
Not Giving Up the Farm
Zero Knowledge Proof
Message Integrity Controls
Security Issues In Hashing
Example of a Birthday Attack
Birthday Attack Issues
Key Management
Key Usage
M-of-N
Key Types
Why Do We Need a PKI?
PKI and Its Components
RA Roles
CA
Digital Certificates
Certificate
Signing the Certificate
Verifying the Certificate
Trusted CAs
Non-Trusted CA
What Do You Do with a Certificate?
Components of PKI, Repository, and CRLs
Revoked?
CRL Process
Different Uses for Certificates
Cross Certification
PKI and Trust
Historical Uses of Symmetric Cryptography
Binary Mathematical Function 2
One-Time Pad in Action
One-Time Pad Characteristics
Steganography
Digital Watermarking
Link versus End-to-End Encryption
End-to-End Encryption
Encryption Location
Email Standards
You Decide
Non-Hierarchical
Secure Protocols
SSL Connection Setup
Example — SSL
Validating Certificate
Secure Protocols (Cont.)
SSL and the OSI Model
E-Commerce
How Are You Doing?
Secure Email Standard
Network Layer Protection
IPSec Key Management
IPSec Handshaking Process
VPN Establishment
SAs In Use
Key Issues within IPSec
Configuration of SA Parameters
IPSec Configuration Options
IPSec Is a Suite of Protocols
AH and ESP Modes
IPSec Modes of Operation
VPN Establishment (Cont.)
Review
Questions 2
Attack Types
Attacks on Cryptosystems
Known-Plaintext Attack
Chosen-Plaintext Attack
Chosen-Ciphertext Attack
Adaptive Attacks
Side Channel Attacks
Domain 3 Review
Domain 4 — Physical Security
Physical Security
Different Types of Threats
Wake Up Call
Legal Issues
Physical Security Program Goals
Planning Process
Deterrence
Delay
Layered Defense Model
Weak Link In the Chain
Threat Categories
Crime Prevention Through Environmental Design
Construction Materials
Security Zones
Entrance Protection
Perimeter Security — Security Guards
Types of Physical Intrusion Detection Systems
Alarm Systems
Electrical Power
Fire Prevention
Domain 4 Review
Domain 5 — Security Architecture and Design
Security Architecture and Design
Central Processing Unit (CPU)
Registers
Trust Levels and Processes
Interrupts
Buses
Multiprocessing and Multitasking
Memory Types
CPU and OS
Trusted Computing Base
Security Levels
Enterprise Architecture
Access Control Models
Bell-LaPadula
Clark-Wilson Model
Non-Interference Model
Access Control Matrix Model
Trusted Computer System Evaluation Criteria (TCSEC)
Domain 5 Review
Domain 6 — Law, Investigation and Ethics
Law, Investigation and Ethics
Examples of Computer Crimes
Who Perpetrates These Crimes?
A Few Attack Types
Privacy of Sensitive Data
Different Types of Laws
Computer Crime and Its Barriers
Preparing for a Crime Before It Happens
Domain 6 Review
Domain 7 — Telecommunications and Networking
Telecommunications and Networking
OSI Model
Networking Communications
Application Layer
Presentation Layer
OSI — Session Layer
Transport Layer
Network Layer
Data Link Layer
Physical Layer
Layers Working Together
Network Topologies
LAN Media Access Technologies
Media Access Technologies
Cabling Types-Coaxial
Cabling Types — Twisted Pair
Types of Cabling — Fiber
Signal and Cable Issues
Transmission Types
Network Technologies
Networking Devices
Virtual LANs
Sniffers
Networking Devices — Router
Hops
Routers
Bridges Compared to Routers
Port and Protocol Relationship
TCP/IP Suite
UDP versus TCP
TCP Segment
SYN Flood
Teardrop Attack
Source Routing
Source Routing Types
IP Address Ranges
IPv6
Protocols
Protocols — ARP
IP to MAC Mapping
How ARP Works
ARP Poisoning
ICMP Packets
A Way Hackers Use ICMP
Ping Steps
Protocols — SNMP
SNMP In Action
SNMP
SNMP Output
POP3 and SMTP
Mail Relay
Protocols — FTP, TFTP, Telnet
Protocols — RARP and BootP
DHCP — Dynamic Host Configuration Protocol
Networking Device — Bastion Host
Network Devices — Firewalls
Rule Set Example
Firewall Types — Proxy Firewalls
Firewall Types — Circuit-Level Proxy Firewall
Circuit-Level Proxy
Dedicated Proxy Servers
Dial-Up Protocols and Authentication Protocols
Authentication Protocols
Virtual Private Network Technologies
SDLC and HDLC
Quality of Service (QoS)
Autonomous Systems
Routing Protocols
Routing Protocol Attacks
Network Service — NAT
WAN Technologies Are Circuit or Packet Switched
PSTN
Multiplexing
Types of Multiplexing
Packet Switching
WAN Technologies — Packet Switched
WAN Technologies — X.25
X.25
WAN Technologies — Frame Relay
WAN Example
Frame Relay
WAN Technologies — ATM
Cell Switching
Wide Area Network Technologies
WAN Technologies — Cable Modem
Cable Modems and Satellites
Network Perimeter Security
Complexity Only Increases
Agenda 9
PSTN (Cont.)
Private Branch Exchange
PBX Vulnerabilities
PBX Best Practices
IP Telephony
Mobile Phone Security
Mobile Device Security
Cell Phone
Wireless Technologies
OFDM
802.11n
Wireless Technologies — Access Point (Cont.)
Architectures
Wireless Technologies — Service Set ID
Authenticating to an AP
802.11 Authentication
Wireless Technologies — WEP Woes
802.11 Security Solutions
Types of 802.11 Security
Wireless EAP
Wireless Technologies — WAP and WTLS
Instant Messaging
Domain 7 Review
Domain 8 — Business Continuity
Business Continuity
Needs for BCP
9/11 Changed Mentalities About BCP
Do We Have a Plan?
What Is the Purpose of a BCP?
More Reasons to Have Plans in Place
BCP Is a Core Component of Every Security Program
Steps of BCP Process
Different BCP Model
Documentation
BCP Policy Outlines
Who Is In Charge and Who Can We Blame?
What’s Needed In a Team?
BCP Development Team
Project Sizing
Properly Determining Scope Is Important
BCP Risk Analysis Steps
BIA Steps
Information from Different Sources
Analysis
How to Identify the Most Critical Company Functions
Interdependencies
Well, Of Course an Organization Knows How It Works!
Business Silos
Maximum Tolerable Downtime
Range of Threats to Consider
Thinking Outside of the Box What If…
Biological Threats
BIA Steps (Cont.)
Potential Disasters
Risk Approach
What Have We Completed Up to Now?
Recovery Strategies
Alternate Business Process Procedures
Business Process Reconstruction
Recovery Strategies
Facility Backups
Compatibility Issues with Offsite Facility
Tertiary Sites
Subscription Costs
Multiple Processing Centers
Choosing Site Location
Other Offsite Approaches
Security Does Not Stop
More Options
Rolling Hot Site
Recovery Strategies (Cont.)
Supply and Technology Recovery
VoIP
Equipment Replacement
What Items Need to Be Considered?
Priorities
Executive Succession Planning
Recovery Strategies (Cont.)
Co-Location
Data Recovery
Backup Redundancy
Recovering Data
Automated Backup Technologies
Tape Vaulting
Clustering for Fault Tolerance
Disk or Database Shadowing
Cost and Recovery Times
Recovery Solutions
Preventative Measures
Reviewing Insurance
Results from the BIA
Basic Structure of BCP
External Groups
Activation Phase
Reconstitution Phase
Who Goes First?
Disaster Hit — Now What?
Termination of BCP
Life Cycle
Types of Tests to Choose From
Test Objectives
Training Requirements
What Is Success?
Out of Date?
Keeping It Current
Change Control
Resulting Plan Should Contain…
Phases of the BCP
Domain 8 Review
Domain 9 — Application Security
Application Security
How Did We Get Here?
Why Are We Not Improving at a Higher Rate?
Usual Trend of Dealing with Security
Software Development Tools
Security Issues
Language Types
Turn Into Machine Code
New and Old
Object-Oriented Programming
Classes and Objects
Functions and Messages
Object-Oriented Programming Characteristic
Polymorphism
Module Characteristics
Low Cohesion
Coupling
Agenda 2
Distributed Computing
Distributed Computing — ORBs
Common Object Request Broker Architecture
COM Architecture
Enterprise Java Beans
J2EE Platform Example
Linking Through COM
Mobile Code with Active Content
Java and Applets
Database Systems
Database Model
Object-Oriented Database
Benefits of OO Database Model
Database Models — Relational Components
Database Integrity
Different Modeling Approaches
Database Access Methods
Database Connectivity
Database Security Mechanisms
Rollback Control
Checkpoint Control
Checkpoint Protection
Lock Controls
Deadlock Example
Two-Phase Commit
Lock Controls Help to Provide ACID
Inference Attack
Database View Control
Common Components
Data Warehousing
Using a Data Warehouse
Metadata
Database Component
Data Mart
Potential Malicious Traffic Tunneling Through Port 80
OLTP
Knowledge Management
Knowledge Components
HR Example
Knowledge Discovery In Databases
Expert Systems
Software Development Models
Project Development — Phases I through V
Project Development — Phases VI and VII
Testing Types
Data Contamination Controls
Best Practices for Testing
Test for Specific Threats
Verification versus Validation
Evaluating the Resulting Product
Controlling How Changes Take Place
Administrative Controls
Common Information Flow
Tier Approach and Communication Components
Tiered Network Architectures
Sensitive Data Availability
Cookies
Find Out Where You Have Been
Pulling Data
Provide the Hackers with Tools
Common Web Server Flaws
Improper Data Validation
Uniform Resource Locator (URL)
Directory Traversal
Buffer Overflow
Cross-Site Scripting Attack
Common SQL Injection Attack
Attacking Mis-configurations
CGI Information
Authentication
Protecting Traffic
Rolling ‘em Out
Virus
More Malware
Trojans
A Back Orifice Attack!
NetBus and Hoaxes
Malware Protection Types
Signature Scanning
Monitoring Activities
Monitoring for Changes
More Bad Stuff
Disclosing Data In an Unauthorized Manner
Covert Timing Channel
Circumventing Access Controls
Attacks
Attack Type — Race Condition
How a Buffer Overflow Works
Watching Network Traffic
Traffic Analysis
Functionally Two Different Types of Rootkits
Examples of Trojaned Files
Domain 9 Review
Domain 10 — Operations Security
Operations Security
Computer Operations
Problem Management Procedures for Processing Problems
Higher Level Look
Administrative Controls Personnel Controls
Resource Protection
Media Labels and Controls
Software Escrow
Media Reuse
Why Not Just Delete the Files?
Backups
Backup Types
Incremental Backup
Incremental
Differential Backup
Mean Time Between Failure
Mean Time to Repair
Redundant and Fault Tolerance
Mirroring Data
Direct Access Storage Device
Serial Advanced Technology Architecture
SAN
Fault Tolerance
Redundancy Mechanism
Some Threats to Computer Operations
Trusted Recovery of Software
After System Crash
Security Concerns
Contingency Planning
Remote Access Security
Before Carrying Out Vulnerability Testing
Testing for Vulnerabilities
Security Testing Issues
Vulnerability Scanning
Data Leakage — Keystroke Logging
Password Cracking
War Dialing
War Driving
Penetration Testing
Post-Testing and Assessment Steps
Penetration Testing Variations
Types of Testing
Protection Mechanism — Honeypot
Log Reviews
Domain 10 Review
Course Closure