CBK REVIEW COURSE WEEK 1 Supplementray Notes

ISC2 CISSP CBK Resource List

This material is an extract from the FY2000 CBK Review Courses. The material is under constant review and revision so some of this information contained herein COULD BECOME STALE-DATED. Users of this information should cross-reference to the CBK review material received during your review course. This will provide added assurance that you are dealing with the appropriate version of this material.

Every attempt has been made to accurately transcribe the information in this list from the source documents for easy review. Any errors or omissions are regretted but this training aid is provided AS IS with no guarantees or warranties of any sort.

ABOUT THE “mock” EXAM

The questions for the CBK Review Course have been prepared ESPECIALLY for this course and are intended to be REPRESENTATIVE of the actual questions and process applicants would encounter in the CISSP Certification Exam. These sample questions are intended to provide guidance as to expectations of the exam process. Applicants should focus attention on the structure and language style of the questions rather than the difficulty of the questions or the quality of the answer options. Getting the right answer is good. Understanding the questioning process while getting the answer right is better. The question will seek the BEST answer as the correct answer. Where possible, there will be references, and a discussion for contentious (close but not quite correct) responses.

10/25/2002

Specific answers to exam oriented questions.

-The examination consists of 250 multiple choice questions with four (4) choices. 25 of these questions are included for research purposes only. The research questions are not identified; therefore, answer all questions to the best of your ability. Examination results will be based only on the 225 scored questions on the examination.

· The pass rates run about 73% to 76% overall and have been remarkably consistent over the past 3 years.

· Please note that no percentage scores are used to calculate overall scores or determine pass/fail status, but rather, the raw scores are converted onto a reporting scale in accordance with the appropriate equating formula for each unique test form. Equating is conducted to ensure that every candidate has the same opportunity to pass, thereby correcting for the fact that the difficulty levels of test forms vary slightly from test to test (because questions are replaced over time). Candidates must score 700 on the scale to pass.

· Those who attend CBK Review seminars score about 3-6 points higher in raw points, which translates into 9-18 points higher on the reporting scale (which runs from 1 - 1000). This fact is significant, since the candidate score distribution aggregates around the passing point, and thus, training seminars clearly help a significant number of candidates get above the passing point.

NOTE:

· The exam is difficult. A significant amount of self-study and review of references is required to pass. The CBK Review course is intended to provide a guideline of areas where this additional self-study should be focused.

Table of Contents

1MODULE 1

1INFOSEC MANAGEMENT PRACTICES

1USEFUL LINKS FOR RISK ANALYSIS AND ASSESSMENT

2Recognised Definitions

11MODULE 2

11SECURITY ARCHITECTURE & MODELS

18MODULE 3

18ACCESS CONTROL SYSTEMS AND METHODOLOGY

28MODULE 4

28APPLICATIONS & SYSTEMS DEVELOPMENT SECURITY

29MODULE 5

29OPERATIONS SECURITY

31MODULE 6

31PHYSICAL SECURITY

35MODULE 7

35CRYPTOGRAPHY

47MODULE 8

47TELECOMMUNICATIONS & INFO SECURITY

56MODULE 9

56BUSINESS CONTINUITY PLANNING & DISASTER RECOVERY PLANNING

57MODULE 10

57LAW, INVESTIGATION & ETHICS

MODULE 1

INFOSEC MANAGEMENT PRACTICES

USEFUL LINKS FOR RISK ANALYSIS AND ASSESSMENT

http://www4.nationalacademies.org/cpsma/cstb.nsf/web/pub_cybersecurity?OpenDocument

http://www.insurancetranslation.com/Language_Perils/current.htm

http://www.joelwuesthoff.com/

Joel Wuesthoff was in my class at NASA in November 2001. He and his legal colleague passed the test and are now working on legal related information gathering for LIE.

He passed on these sites. I think you will find his web site useful.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA): HIPAA requires implementation of privacy and security regulations pertaining to individually identifiable health information. See http://aspe.hhs.gov/admnsimp/Index.htm .

Gramm Leach Bliley (GLB): http://www.senate.gov/ ~banking/conf/

U.S. regulations pertaining to the privacy of financial information.

International Standards Organization: http://www.iso.ch/iso/en/ISOOnline.frontpage

British Standards Institute (BSI):

http://www.bsi-global.com

Toward Standardization of information security

Information Systems Audit and Control Association (ISACA):

http://www.isaca.org

Provides access to their COBIT (Control Objectives for Information and related Technology), Standards for Information Systems Control Professionals ( http:// www.isaca.org/standard/stand3.htm ), and their K-NET repository of information.

Commonly Accepted Security Practices and Recommendations:

http://www.caspr.org

The Platform for Privacy Preferences Project (P3P):

http://www.w3.org/P3P

Developed by the World Wide Web Consortium, is emerging as an industry standard providing a simple, automated way for users to gain more control over the use of personal information on Web sites they visit.

National Institute of Standards and Technology:

http://csrc.nist.gov/csrc/standards.html

EU Data Protection Directive:

http://europa.eu.int/comm/internal_market/en/media/dataprot/law/index.htm

Federal Information Processing Standards (NIST):

http://csrc.nist.gov/publications/fips/index.html

Recognised Definitions

Risk DEFINITION

The potential for realization of unwanted, adverse consequences to human life, health, property, or the environment; estimation of risk is usually based on the expected value of the conditional probability of the event occurring times the consequence of the event given that it has occurred.

Thomas Cool provides an alternative definition of risk in the context of uncertainty.

http://econwpa.wustl.edu/eprints/get/papers/9902/9902002.abs

Risk analysis DEFINITION

A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment; an analytical process to provide information regarding undesirable events; the process of quantification of the probabilities and expected consequences for identified risks.

Risk assessment DEFINITION

The process of establishing information regarding acceptable levels of a risk and/or levels of risk for an individual, group, society, or the environment.

Risk estimation DEFINITION

The scientific determination of the characteristics of risks, usually in as quantitative a way as possible. These include the magnitude, spatial scale, duration and intensity of adverse consequences and their associated probabilities as well as a description of the cause and effect links.

Risk evaluation DEFINITION

A component of risk assessment in which judgments are made about the significance and acceptability of risk.

Risk identification DEFINITION

Recognizing that a hazard exists and trying to define its characteristics. Often risks exist and are even measured for some time before their adverse consequences are recognized. In other cases, risk identification is a deliberate procedure to review, and it is hoped, anticipate possible hazards.

Delphi and Modified Delphi

Delphi Technique.htm

Abstract Harvey (#64).htm

95-16.htm

Policies/Standards & Procedures Hierarchy

The chart in The Policy Overview (Slide 17) shows the hierarchy of various instructional documents relative to Security management. At the top is the general policy that is management’s statement of direction - what is expected to be accomplished to properly secure company information.

Next are the implementing policies that each LOB (Line Of Business) will create and adhere to. Then follows the other documents that are driven out of the various policies.

We are separating standards from procedures to eliminate the confusion when such terms as “standard operating procedures” are used. Standards are now hardware or software mechanisms selected as the organizations method of addressing a security risk. For instance, a specific anti-virus product or password generation token that has been chosen for use throughout the organization. Procedures are statements of step-by-step actions to be performed to accomplish a security requirement. For instance; password-changing procedures would be a step by step process.

Baselines are descriptions of how to implement security packages to ensure that implementations result in a consistent level of security throughout the organization. Different systems (platforms) have different methods of handling security issues. Baselines are created to inform user groups about how to set-up the security for each platform so that the desired level of security is achieved consistently.

Guidelines are the only discretionary element of these controls. They are used to help focus people who need to make judgements in the performance of security actions, such as in user registration.

Security architecture is a “buzz” word that has been around for several years now that refers to the security structure being employed by the organization for all of the systems and networks that make up the information processing operation. We mention it here because, if a comprehensive set of baselines are established, they represent the security architecture of the organization.

A sampling of the topics that could be addressed by procedures are presented in Slide 28. Procedures, like policies, are considered to be mandatory requirements.

COMSEC is a government acronym meaning communications security.

System high mode is a government term meaning a mode of operation wherein each user has all of the following:

•Valid security clearance for all information within the system.

•Formal access approval & signed non-disclosure agreements for all information on the system.

•Valid need-to-know for some of the information contained within the system.

Guidelines and RAINBOW Series documents. There are 28 of these dealing with various components of the Trusted Computer Base (TCB). Go to: http://www.radium.ncsc.mil/tpep/library/rainbow/

Generally accepted security principles are being created as a result of the report of the Secure System Study Committee of the National Academy of Science. The committee was formed to evaluate the status of computer security in the U.S. The findings were reported in the “Computers At Risk” (CAR) book.

The first recommendation was that a list of generally accepted system security principles be established that all reasonably secure computer systems would use to provide protection for the system resources.

They would provide guidelines for vendors to incorporate into their products and users in the selection of products to purchase. The international committee is about half way thru development of a 3 tiered set of principles. The top level, called pervasive principles, have been defined. They are overarching, high level philosophies. The next level, broad functional principles are really the first that address specific security goals. For instance, access control, disaster recovery, etc. These are drafted. The lowest level will be the detailed principles that address and support implementation of the broad principles.

For instance, ids & passwords for access control.

The Rainbow series, after the colors of the covers of the booklets, are National Computer Security Center (an NSA facility) guidelines for the protection of trusted systems. Contains good info for all security functions.

What follows is an interesting presentation to the Senate Committee on Governmental Affairs by Peter G. Neumann, Principal Scientist, Computer Science Laboratory, SRI International, Menlo Park CA 94025-3493

Entitled “Computer-Related Infrastructure Risks for Federal Agencies”

http://www.csl.sri.com/neumann/senate98.html

TCSEC

The purposes of the TCSEC (Orange Book).

Provides the user with a measurement for the evaluation of trust of a system component.

Provides the vendor with guidance for the security to build in to trusted systems.

Provides a basis for specifying system requirements. For instance, ACF2 was evaluated at the C2 level so could be specified for IBM mainframe systems that required discretionary access control.

TCSEC

This lists the basic requirements for a trusted system (secure system in private sector terminology).

Provides confidentiality.

The security policy is the organization’s policy describing the level of protection required.

Objects are passive entities, such as files that subjects (people or programs acting for people) need to access. For mandatory access control, they need to be labeled to indicate their sensitivity level or classification (government terminology).

Subjects need to be identified to enable the access control mechanism to determine if the subject is authorized to access the object.

Audit information must be protected from tampering. Hackers often modify audit records to erase their tracks on the system.

The evaluation by NCSC (American National Computer Security Council)

is to ensure that the performance requirements of the mechanism are met.

The security mechanisms must be protected from tampering so they can be depended upon.

ITSEC

Briefly describes the purpose of ITSEC (Information Technology Security Evaluation Criteria). Previously each country had their own version of the evaluation criteria. ITSEC combined the European versions with the Orange Book and expanded the scope to include integrity & availability as well as confidentiality.

Common Criteria - ISO 15408 - Version 2 (5/98).

This URL http://csrc.nist.gov/cc/ccv20/ccv2list.htm IS FOR: VERSION 2.1 / ISO IS 15408 (last updated: 31 January 2000)

British Standard 7799 - URL for OSI 17799 is http://www.iso-17799.com/ and

http://www.cccure.org/modules.php?op=modload&name=Web_Links&file=index&l_op=viewlink&cid=116

The critical technologies list was originated during the Reagan administration because it was felt that too much high tech info was being obtained and potentially used against the U.S.

SUI (Sensitive but Unclassified Information) is an earlier term - now called SBU (Sensitive But Unclassified).

U.S. Government/NATO information requiring protection against unauthorized disclosure is classified as TOP SECRET, SECRET, CONFIDENTIAL, etc. That is NOT what we are talking about

Lists the objectives for classifying information.

Note that the words “destruction/modification/disclosure” map to our standard “availability/integrity/confidentiality”.

Sensitive Systems Information

This addresses some of the considerations that are involved in deciding what information to mark with its classification. For instance, competitive edge information could be very valuable to the organization as well as to competitors, knowing what the potential risks to the compromise of information are can help determine the need for classification, and the evaluation of protective measures may indicate that they are inadequate to protect the information.

Document labeling refers to the marking of classification on hard copy.

Object labeling refers to the marking of classification on magnetic media (files).

Classifications Schemes

Criteria - some of the reasons for classifying or declassifying information.

Obviously information that is very valuable to the organization or competitors if it is disclosed needs to be classified in order to be afforded appropriate protection.

Age - often the value of nondisclosure decreases with time, so that after a certain age the classification is lowered. Note that in the military some classified documents have the label that they are automatically declassified after so many years.

Useful life - once the information has been superceded, for instance, the original information can often be declassified.

Associations - information associated with individuals that comes under privacy law would need to be classified for protection. Some legal information associated with ongoing cases or business affairs could also be classified so that it wouldn’t be disclosed to unauthorized persons.

Elements - those things that relate to classification of information. Who is authorized to classify or access, who is designated to maintain custody, what are the conditions under which information could be copied, what logging is required to maintain a record of access or custody, what are the marking and labeling requirements, and how will the information be filed so that it is protected.

Limitations - usually the individual that creates the information is the classifier unless a department or function centralizes this task. Different classifiers may not recognize the same need for classification, so ability to classify may be a limitation. The custodian is the keeper of the information files. Obviously, an unethical custodian could allow unauthorized access to classified information. The administrator of the classification system may or may not devote enough attention to the job to ensure that the classification system is working appropriately.

Procedures - the steps in establishing a classification system. Naming the administrator comes first, then the details of how information will be classified and labeled. Most organizations have the info originator do the classification subject to concurrence by the supervisor. Any exceptions to the classification policy need to be documented.

Some of the normal controls that are specified. Avoid “open view” means there should be procedures that specify that classified documents or files must not be left where an unauthorized person can see the classified information, e.g., documents left open on a desk or files left open on a PC.

Termination/transfer procedures refer to procedures for declassifying information or transferring the custody to another person, function or facility.

External distribution - this describes some of the instances where classified information can be allowed out of the organization. When you have an agreement with another organization, e.g., a co-contractor, etc. to maintain the confidentiality of the information.

To comply with a court order, you may have to disclose classified information. Government contractors who sell work in accordance with procurement agreements will disclose classified information related to the project. Finally, a senior executive may authorize classified competitive information to be released to external groups.

Destroying/desensitizing provisions are those that specify how to securely destroy classified information or to reduce its classification when no longer required at the original level.

Some effective procedures for monitoring compliance with classification policy are needed.

Some additional benefits of classification.

Makes users aware that they are using information that the organization is committed to protecting from unauthorized access.

Provides the identification of information that is considered to be critical for the business success.

If integrity is a concern, classification can identify data that must only be modified in authorized ways.

If confidentiality is a concern, classification can ensure that users understand the value of the information to the organization and the need to protect it. How to protect it can also be identified.

Some of the ways that information classification can be compromised.

Data aggregation classification problems occur when unclassified or lower classified data are combined resulting in information that is more sensitive and warranting a higher classification. For instance, information created by individual subcontractors on a project may be unclassified until combined with that of the other subcontractors in a finished project that may then be classified to avoid unauthorized disclosure. The risk of this happening is real and the countermeasures involve being alert to the potential problem and increase the classification accordingly.

Virus - custodians and owners of automated classified information have access to the information as part of their job. An unauthorized person could trick a custodian or owner into running a program that contains a Trojan horse that causes the classified file to be placed in a location where the unauthorized person could get access to it. The control for this vulnerability is to invoke mandatory access control that involves the system being responsible for ensuring that sensitive files would not be written to an insecure location.

Roles & Responsibilities

Organizations can be centralized, decentralized, or somewhere in between.

The location of the IT/IS security function within an organization would be ideally where significant power & authority exists. For instance, under the CIO, Administrative VP, Information Resources VP, etc. NOT under Operations or IT, where an obvious conflict of interest would occur. But, where ever necessary to get the job done.

Organization planning is usually accomplished in terms of long term (Strategic Planning), mid term (Tactical Planning) and near term (Operational Planning). Sometimes these are referred to as the Planning Horizon.

Security architecture: statement of information resource control objectives based on organization security policy. Purpose is to implement a reasonable & consistent level of security across all systems & platforms.

Usual information security function responsibilities include:

• Establish & maintain the security program

- Develop/implement/integrate policies, procedures, baselines & guidelines.

- Maintain resource access controls

- Provide guidance on processing & telecom security issues.

- Conduct security awareness training.

- Provide risk analysis services.

- Investigate incidents

• Provide InfoSec audit coordination.

Roles are usually classified as line or staff. Line being those who are directly responsible for accomplishing the purpose of the organization. Staff being those who support the line personnel. Matrix management is often used to accomplish specific projects, such as, risk analysis or disaster recovery planning. Matrix management is a cross function operation where people are assigned from various functions to form a team to accomplish the project. Members of the team report to the team leader for project performance but remain assigned to their function for administrative purposes.

Another term often used is that of Custodian. The custodian is responsible for operating the system for the owner and is responsible for ensuring that the information processing resources, including data, are protected in accordance with policy and the owner’s instructions.

Point out that every employee has a security responsibility that should be spelled out in their job description.

Separation of duties is used to force collusion to manipulate a system for own purposes. Incompatibles: Origination, approval, receipt of purchases; production system programming & use; audit & info. Security.

Penetration test execution: To demonstrate the capability, rapidity & depth of penetration. To determine the organization’s ability to protect itself (from being altered, made unavailable for use, being disclosed). Provide management report that includes: identification of security flaws (demonstrated effect of flaws), verification of levels of existing infiltration resistance, appropriate recommendations.

Military-oriented war: Examples - virus attacks on enemy systems, intercepting transmissions & implanting code to dump enemy database, attaching worm to enemy radar signal to destroy computer network, modify content of intercepted TV & radio signals to provide disinformation, saturate enemy computers, hack enemy networks, modify maintenance & logistics system info.

Economic espionage: government-oriented activity to provide competition-enhancing information to favored businesses. Vulnerabilities: proprietary info not identified or adequately protected, transmission system inadequately protected, unaware employees, etc.

Techno-terrorists: Use force against persons/property to coerce government, are politically motivated, use intense fear. Potential tactics: destruction of information, interference with electronic circuits, disabling computer systems with high-energy beam (i.e., radio wave, microwave), penetrate systems & corrupt data (hospital records, government check processing, tax returns, train routing, etc.

Types of Incidents

Virus: self propagating, unauthorized computer instruction or data, spreads on contact, parasitic. Apparently started by Fred Cohen experiments (10/84). Original types: Boot infectors (move/overwrite original boot sector), System infectors (memory resident), General .com or .exe infectors (infects any .com or .exe file).

Virus examples: Stealth virus (hides from detection programs), Multipartite virus (infects in more than one place), Self-garbling virus (hides from detection programs by garbling most virus code. Garble can change each time spread. Header program degarbles virus body when run.), Polymorphic virus (self garbling, header changes each time spread)

Worm: propagates working version to other computer, unauthorized instructions, spreads per instructions, self contained program. Example - Morris worm. (see URL for details)

http://www.goldinc.com/html/maloy/SECURITY/morris_worm.html

Macro virus: macros are included in data files (i.e., auto-open in document template file). Macro languages allow programmers to edit, delete. & copy files. Virus infects macro & adds infected macros to existing documents (Winword.concept was first macro virus discovered in wild in 1995). Microsoft Word, Excel & Amipro originally most affected.

Trojan horse/logic bomb: intentionally hidden code/text/circuitry, attacks when triggered.

MODULE 2

SECURITY ARCHITECTURE & MODELS

Multi-state describes a capability of a system to have a process in suspension which can be accessed (usually by an interrupt) all of the processes variables and boundaries are kept active and the system can effectively switch between states almost instantaneously.

(MULTICS actually had seven rings). For more, go here:

http://www.mit.edu:8001/afs/net/user/srz/www/multics.html

Ring 1 the Operating system security kernel

Ring 2 the other OS functions - peripheral control

Ring 3 System utilities: sort, database functions etc.

Ring 4 Application space

Outer rings access inner functions through system calls

System design issues can reduce data confidentiality weakness.

Strong Typing – used in AS/400 and Sidewinder firewall (Secure Computing)

TOCTOU is a special class of issues related to system timing.

Consider the case where system access is only checked at log-in, then a user is deleted while already logged-on.

Bell-LaPadula Model for CONFIDENTIALITY

The authors are David Bell and Leonard LaPadula.

CTCPEC

TCSEC

TNI

TDI

CSSI

ITSEC

Common

Criteria

’98

’93

’91

Later ’80s

1985

France

Germany

UK

Netherlands

CTCPEC

CTCPEC

TCSEC

TCSEC

TNI

TNI

TDI

TDI

CSSI

CSSI

ITSEC

ITSEC

Common

Criteria

’98

’93

’91

Later ’80s

1985

France

Germany

UK

Netherlands

Master Disaster Recovery Plan

Dept

Plans

End

-

User

Plans

Communication

Voice & Data

Tech. Platforms

-

Mainframes,

LANs, Distributed

Processing

Network

Security

Framework

Document

Security

Framework

Document

Detect

and React

Overview

Common Criteria

Protection Profiles

PKI/KMI

Overview

Protect

WAN

Overview

Protect

Boundary

Overview

Protect

Inside

Enclave

Overview

Technology Specific Security

Specifications/Requirements

Mandatory AC

B LEVEL CONTROL

CONFIDENTIALITY

This is a diagram to help explain the Bell-LaPadula model. Let’s assume there are 3 layers of secrecy or sensitivity regarding our data - the layer our data resides in, a layer of higher secrecy, and a layer of lower secrecy.

1. The Simple Security Property says that if you have Read capability, you can read data at your level of secrecy, you can read data at a lower layer of secrecy, but you must not read data at a higher layer of secrecy. Otherwise, you would be reading someone else’s secrets you are not entitled to.

2. The Star Property says that if you have Write capability, you can write data at your level of secrecy, you can write your secret data to a higher layer of secrecy without compromising its value, but you must not write your secret data to a lower layer of secrecy. Otherwise, you would be divulging your secrets to others who are not entitled to see it.

3. The Strong Star Property says that if you have both Read and Write capabilities, you can read and write your data to your level of secrecy, but you cannot read and write to levels of higher secrecy or lower secrecy. Otherwise, you would have the problems experienced by the previous 2 properties.

To help you remember this model, call it the “Read Down - Write Up” model.

BIBA

BIBA

This is a diagram to help explain the Biba model. Let’s assume there are 3 layers of accuracy or integrity regarding our data - the layer our data resides in, a layer of higher accuracy, and a layer of lower accuracy.

1. The Simple Integrity Property says that if you have Read capability, you can read in data at your level of accuracy, you can read in data from a higher layer of accuracy, but you must not read in data from a lower layer of accuracy. Otherwise, you would risk contaminating the accuracy of your data.

2. The Integrity Star Property says that if you have Write capability, you can write data at your level of accuracy, you can write your accurate data to a lower layer of accuracy without compromising the accuracy at that layer, but you must not write your accurate data to a higher layer of accuracy. Otherwise, you would risk contaminating the data at that higher layer.

You’ll notice that this diagram is almost the exact opposite of the Bell-LaPadula model. To help you remember this model, call it the “Read Up - Write Down” model.

Fo more, go here:

http://www.faqs.org/rfcs/rfc1457.html

[5] Biba, Kenneth. J. "Integrity Considerations for Secure Computer Systems", MTR-3153, The Mitre Corporation, April 1977.

[6] Bell, David. E.; LaPadula, Leonard. J. "Secure Computer System: Unified Exposition and Multics Interpretation", MTR-2997, The MITRE Corporation, March 1976.

This diagram shows how each criterion is built on those that went before.

TCSEC - Trusted Computer System Evaluation Criteria

TNI - Trusted Network Interpretation

TDI - Trusted Database Interpretation

CSSI - Computer Sub-System Interpretation

CTCPEC - Canadian Trusted Computer Product Evaluation Criteria

ITSEC - Information Technology Security Evaluation Criteria

Common Criteria

H/W F/W = HardWare/FirmWare

Trusted Computer System Evaluation Criteria (TCSEC): Implementation of the Bell & LaPadula secrecy model

Trusted systems - TCSEC classes

Div. D: minimal protection

Div. C: discretionary protection

Class (C1): discretionary security protection

Class (C2): controlled access protection

Div. B: mandatory protection

Class (B1): labeled security protection

Class (B2): structured protection

Class (B3): security domains

Div. A: verified protection

Class (A1): verified design

Again, because ITSEC ratings come in pairs, you can have, for example, F-IN, E4 or F-AV, E2, and so on.

ITSEC Functionality Classes

Corresponding to

ITSECTCSEC

D

F-C1, E1 = C1

F-C2, E2 = C2

F-B1, E3 = B1

F-B2, E4 = B2

F-B3, E5 = B3

F-B3, E6 = A1

F= Functionality rating; E= Assurance Evaluation rating

For more, go here: http://www.boran.com/security/itsec.htm

CHANGE CONTROL

Downloading - consider backup before changes:

1. •Protects integrity and availability.

2. •Reduces re-downloading if downloaded data is lost or destroyed.

3. •Software should perform automatic backup.

•Backup system selection considerations:

1. •Size of application

2. •Size of uploaded or downloaded files

3. •Subsequent processing of data

4. •Frequency of uploading and downloading

Program change controls

· •Applications centrally developed

· •Security review change control procedures during system audit

· •Production program change procedure

•Programmer changes source code on test version

•Program tested with test data

•Program reviewed & approved by program manager

•Test code copied to production source library

•No programmer access & change without following procedure

Unique names are necessary to avoid confusion and misrouting and can be a problem because different locations may be responsible for registering users or nodes.

Some clients & servers actually examine each others content or code to ensure they’re talking to the intended process. Others employ some mechanism (e.g., pair-wise authentication) to be confident they know that they are talking to the expected instance of each other. Pair-wise authentication techniques are resistant to spoofing and playbacks. For example, www browsers & servers can use crypto protocols like secure socket layer (SSL) or secureIP. SSL always authenticates the server to the client but, optionally, it may authenticate the client to the server.

Communication protocols are the formal languages that clients & servers use to talk to each other. TCP/IP is most widely used. Application Programming Interfaces (APIs) are how clients & servers appear to each others‘s programs & programmers. APIs permit clients to use servers that implement a service without having to know anything else about the service (e,g,. SQL - clients don’t have to know anything about the database server or vice versa.

Database servers control access to such database abstractions as tables, views, rows, and columns.

Identification & authentication - each process has some expectation of behavior of the other & will not work if that behavior is not exhibited.

Some servers will refresh the client code with trusted code to ensure the client can be trusted.

In addition to logs & journals, a complete audit trail will include source documents, statements, confirmations, reconciliation reports, and application journals. These must refer to the external environment (who, what, where, & when) and to each other.

Alarms - We’re talking intrusion detection. Whole servers may be dedicated to sophisticated intrusion detection. These servers monitor the traffic visible to them on the NW looking for patterns that are typical of attacks in general, which are specific to known attacks, or which are simply unexpected. These include such products as NetRanger, Session Wall, & Network Flight Recorder.

Isolation - Clients & servers implemented on separate hardware platforms provide very reliable process-to-process isolation. The client can’t make any persistent change to the programs or procedures of the server. The server allows the client to change client data on the server but this can be limited & controlled. This form of isolation is more reliable than that on a single multi-user platform. Clients may execute code downloaded from servers but this is a violation of process-to-process isolation and makes them vulnerable to a Trojan Horse attack. Therefore, clients must be careful to deal with trusted servers, prefer signed code, & take steps to protect their files from arbitrary acts by imported code.

Cooperation - It’s unlikely that either could accomplish all objectives by itself. This includes control objectives such as error detection & correction.

MODULE 3

ACCESS CONTROL SYSTEMS AND METHODOLOGY

Layers of Control

Some personnel controls include:

1. Employee signs Information Security Agreement upon hiring. Employee understands organization’s Security Policy and consequences of violations of that Policy.

2. Require employee to take vacations

3. Employee departure issues--

If hostile, have employee leave immediately

Availability (encryption keys used by employee)

Review of non-disclosure agreement

Last bullet- An example of separation of work areas and duties is to keep programmers out of the computer room.

Access to Network

Built-in Security Controls , Issues- different administrative domains

- need to authenticate accessing individual

- enforcement of security policies among domains

- handling of multi-level security policies

Network Control Center - provides hardware and software to support data base with information on routers, communications software, hosts and information exchange among network resources

Network Interface Unit (Network Interface Card) - connects hosts and workstations to the network (LAN); usually implemented at Layer 2 (Data Link) of the ISO OSI model

Routers - can implement packet filtering (based on packet source and destination addresses and rules), routing according to policy requirements regarding security. A router is machine and OS independent; transfers data between networks of different technologies

Access to applications, files, records, fields

Authorization tables - define privileges subject has to an object (read/write etc.).

An example is IPSec which provides authenticity and confidentiality services through the Authentication Header (AH) and Encapsulated Security Payload (ESP.). AH authenticates the TCP/IP connection and the ESP provides confidentiality and integrity services for TCP/IP packets

Files can be encrypted with DES or other encryption algorithms

Passwords can be encrypted. (One way encryption for storage using a hash function)

Deterrence

Ensure that personnel realize that “bad” things can happen to them if the organization’s security policy is violated. Serious violations can involve law enforcement and possible arrest.

Another deterrent is to emphasize that even if it is possible to break into the network, data are protected to the degree that nothing of value can be accessed.

Note that biometrics are used for Identification in Physical Controls and Authentication in Technical (Logical) Controls.

Definitions

Some historical definitions that are relevant here and in other modules:

1. Monitor - Mechanism that monitors all access operations. (Graham & Denning, 1972, Protection Principles and Practices, Proceedings of the 1972 Spring Joint Computer Conference, 417-429, Montvale, NJ, AFIPS Press)

2. Reference Monitor - General mechanism that ensures that each access is authorized by the access matrix (Anderson, 1972, Computer Security Technology Planning Study, Report ESD-TR-73-51, Vol.. I AD 758206, Bedford, MA; U.S. Air Force Electronic Systems Division)

Good slide presentation (although it is NT based) at: http://cs.gmu.edu/~dsaridak/osbook/nt/sld034.html

Technical (Logical Controls) should be self protecting.

Dial up access control systems utilize passwords and PIN numbers to authenticate the user.

In call back systems, the user dials in to the computer system, provides an ID and password and then hangs up. The system then looks up an authorized telephone number corresponding to the ID in a table and calls back utilizing that number. The user usually has to enter another password upon answering.

Disadvantages of call back include:

1. Password may be compromised since it is available in the clear

2. Circumventing by call forwarding to another number

3. User must be at a fixed location corresponding to the number in the table

Audit trails must be protected from compromise or erasure

Violation reports identify activities that may portend a breach or attempted breach of the system access controls. An example is numerous attempts at logging in trying different passwords.

“Clipping levels” are implemented that report only suspected violations that rise above a “normal” threshold of events that occur in the regular order of business.

Intrusion detection systems automatically acquire data on user activity and attempt to identify and detect incidents of misuse. Statistical and artificial intelligence techniques are utilized to flag deviations from patterns of “normal” usage or to compare suspect attacks against a data base of known attack signatures. Intrusion detection systems monitor misuse or attempted misuse from internal as well as external sources.

To be used in Court, these methods should be reviewed regularly in the normal order of business.

Clipping levels should be set to reduce the volume of date to be evaluated.

Keystroke monitoring is performed on a specific sequence such as a password or can be conducted during a session.

Keystroke monitoring should be based on an organizational information security policy, should be well communicated and must apply to all in the organization. These actions legitimize its use.

Time is needed to review the audit information.

Review and analysis of audit data can be expedited by setting clipping levels and by automated tools.

It is possible to record data selectively based on user or object attributes(Class B1 Systems)

Exception reports note suspicious events (failed logins)

Preventive audit - accumulating events that may portend misuse

Initiate real- time alarms when thresholds passed (Class B3)

Non-repudiation is the inability of a sender to deny sending a message and of a receiver, who admits receiving a particular message, to declare that a different message was received.

The audit trail data should be protected at the most sensitive system level.

Definitions

Well Formed Transaction (Clark-Wilson Model)

* Data objects whose integrity is to be maintained are constrained data items (CDI)

* CDI’s are transformed only through transformation procedures (TP’s)

* IVP - Integrity Verification Procedure - which assures that all CDI’s are in a valid state; checks for internal and external consistency

* Only TP’s can operate on CDI’s

* Authorship must be logged

Brute force - try all possible methods

Dictionary - try all possible passwords

Spoofing - one person or process pretends to be a person or process with more privileges

Denial of Service - preventing authorized users from having access to the system by “hogging” all services.

Definitions:

Social engineering: - utilizing social skills to deceive people and trick them into revealing secrets.

Covert channel: - a channel that violates the organization’s security policy through an unintended communications path. Covert channels have the potential for occurring when two or more subjects or objects share a common resource. This type of unintended communication can be used to violate the *- property of the Bell LaPadula model.

Timing channel: - using timing of occurrences of an activity to transfer information in an unintended manner. Saturating or not saturating a communications path in a timed fashion can transfer information to a receiver observing the communication path in synchronism with the sender.

Storage channel: - utilizes changes in stored data to transfer information in an unintended manner. Filling or clearing a memory area by a sender can indicate a 1 or 0 to a receiver reading the same memory area.

Malicious code: - code that can gain access to a system and, in executing, violates security policy. Examples include viruses, Trojan horses and worms.

Mobile code: - code that is transferred from one resource to another for execution. An example is Java applets written in the Java programming language that are transferred from a server to a client for execution. Java code executed inside a Web Browser can reveal information that is on the local hard drive. Also, a HTTP Header will report information that Web Browsers will provide, such as last addressed IP address, machine IP address, username, password and Browser type.

The object reuse/remanence issue is one that continues to be controversial. The issue centers on whether overwriting is the best method (supported by private industry because of the relative difference in cost between degaussing and overwriting, and the availability of effective degaussing machines), or degaussing (which is supported by certain sensitive sectors in the U.S. Government). Some concerns are:

* Failure of overwrite program

-Errors during operation

-Inability to overwrite unusable sectors

* Inadequate degaussing

-Operator error

-Degausser failure

Test periodically - at least at 6 month intervals.

Definitions

TEMPEST one definition is (Transient Electromagnetic Pulse Emanation Standard)

Masking by software - device driver that develops a cancellation signal that cancels emanating characters.

Programmers brought into an organization to implement Y2K “fixes” had access to sensitive and critical areas of code and therefore had the potential of inserting malicious code.

Definitions

Review of terms in Biometrics

False reject rate - percentage of authorized individuals who are erroneously rejected by the biometric system

False accept rate - percentage of unauthorized individuals who are erroneously accepted by the biometric system

Crossover error rate - rate at which false accept rate = false reject rate

(The smaller the value of CER, the better is the system)

Passphrase - a phrase you can remember; take a letter from each word of a passphrase and use the result as a password. (It Was A Dark And Stormy Night)…..password is IWADASN

Suspend ID.

“x” (time interval) is an organization selected number, usually between 3 and 10. This is an important control to prevent hackers from a brute force attack (trying all combinations of ID and password). Rather than suspending the ID, some organizations make users wait a period of time before trying to logon again (5 minutes the first time, 15 the second, 60 the third, etc.).

Definitions

Polonius pad is based on challenge-response scheme where sender and receiver know a common secret key and use it only one time.

Memory Card

1. Stores user’s ID, issuer’s identity and expiration date

2. Needs special card-reading equipment

3. Used with 4 - digit PIN (ATM cards)

Definitions

Smart Card

1. Has computer on-board

2. Used with PIN or password

3. Used in telephone calls and retail transactions

4. Verifies user’s PIN or password

5. Assembles data stream of user’s name, date, time and password

6. Enciphers message using secret key known to Application System (AS) and transmits to AS

7. Successful if AS can decode message

8. Also used for access control to workstations or PC’s

9. Can utilize public key cryptography

Sometimes called micro-controller cards.

Two factor - what you have and what you know.

A major advantage is that the logon process (ID & PW) is done at the reader instead of at the host. Therefore, the ID & PW aren’t exposed to hackers while in transit to the host.

Windows 2000 uses Kerberos model

Alternative to Kerberos is SESAME

Uses two tickets

Uses public/private key technology

Has a trusted authentication server at each host (simplifies key management)

1. Can have more than one domain on a server

2. A subject’s domain is the set of objects to which it has access

3. In the diagram, two distinct and separate security domains exist on the Server and only those individuals or subjects authorized can have access to the information on a particular domain.

Definitions

Relational model defines 5 primitive operations:

1. Select- defines a new relation made up of tuples that satisfy a formula. For example, all the tuples of employees whose employment status is part-time

”Common uses for the tuple as a data type are (1) for passing a string of parameters from one program to another, and (2) representing a set of value attributes in a relational database”.

2. Project - defines a new relation by including a subset of attributes and removing duplicate tuples. For example, employees could be projected onto name and address to form a mailing list.

3. Union - If we have two relations, S and T, with compatible schemas, the minus defines a new relation comprised of tuples that are in S but not in T.

4. Minus - If we have two relations, S and T, with compatible schemas, the union defines a new relation comprised of each tuple that is either in S, T or in both S and T

5. Times - If we have two relations, S and T, with compatible schemas, times defines a new relation that is the Cartesian product of S and T.( Each tuple of T is appended to each tuple of S.)

6. Join (Equijoin) - selects tuples that have equal values for some attributes from the Cartesian product of S and T. For example, employees and department staffs can be joined by social security number

7. View - new relations that are defined using basic operations of select, project and join. Views can hide attributes or implement content-dependent access restrictions. Views support least privilege..

Cartesian product n. A set of all pairs of elements (x, y) that can be constructed from given sets, X and Y, such that x belongs to X and y to Y.

Bind can be compared to a compiler and the Plan is the equivalent of the code generated by the compiler.

Definitions

Explicit

Access given by View--granting individual to a resource.(Put someone on the ACL)

Implicit

Grant to a role, then role can access.

Both implicit and explicit are discretionary. (Do not have labels applied to objects)

Data owner of data base can confer Grant capabilities to another user, USER1.

USER1 then can confer Grant capabilities to USER2.

However, if data owner does not wish USER1 to have the ability to confer GRANT capabilities to USER2, data owner can confer Select option to USER1.

A problem may arise with the latter item. In some instances, USER1 may be able to circumvent the intent of the data owner by making a copy of the data.

Then, USER1 is the owner of the copy and can confer Grant privileges to USER2.

Labels may be applied to fields, rows, columns, views, etc. (Re Orange Book)

Since labels affect performance, they are rarely used for elements more granular than views.

Definitions

Entity integrity

Tuple cannot have null value in primary key

Guarantees tuple uniquely identified by primary key value

Referential integrity

For any foreign key value, the referenced relation must have a tuple with the same value for its primary key

Prevents tuples from assignment to nonexistent attributes.

The Row defines the capabilities that a subject has with respect to all objects in the Table.

For example, Process A (subject) has read access to File X and Read/Write capability to File Y.

The Column is a control list and defines the subjects and their corresponding capabilities relative to a specific object. In the example chart, File X can be read by Process A and written to by Joe.

Supports integrity and confidentiality by limiting capabilities to write and/or read files.

Context- dependent

Uses knowledge of the context in which the decision is to be made, e.g., location, time of day, etc.

Run Confidential data in the morning and run Secret data in the afternoon

Configuration items include software, documentation, editors, compilers, firmware and configuration management tools.

Each configuration item has a unique identifier.

A specific configuration is built from the library of items.

Baseline is the set of configuration items at some identified point in the life cycle. This Baseline is the reference against which all changes must be approved.

Intrusion Detection (IDS) system looks for insider misuse as well as external intrusions.

IDS can be network-based or host-based.

Network-based IDS monitors network events in real-time and, thus, provides accurate data. It is passive and does not consume resources of the host network. Network-based IDS will not detect an attack against a specific host from the host’s console.

Host-based IDS will detect at attack on the host, directly and will provide the ability to respond more effectively to an attack. The data available in the host are usually not sufficient to perform extensive intrusion detection. Host-based IDS consumes some of host’s resources.

Assumes misuse pattern is unusual for the party being monitored

To generate the “normal” profile, statistical samples of the system are taken over a period of normal operation and use. These data are used to create metrics of certain system operations such as memory usage, CPU utilization and network packet traffic.

An advantage of this approach is that the IDS can detect new types of attacks.

A disadvantage is that the IDS will not detect an attack if it does not significantly affect the metrics being compiled.

Expert system is made up of:

1. Inference engine - processes knowledge available to the expert system using methods of searching for problem solutions

2. Knowledge base - typically IF -THEN rules that express expert knowledge

3. Reasoning methods are separate from knowledge base

MODULE 4

APPLICATIONS & SYSTEMS DEVELOPMENT SECURITY

References

PMI – Project Management Institute

http://www.pmi.org/

CASE

http://www.qucis.queensu.ca/Software-Engineering/tools.html

Ahh, The Old Windows Without Microsoft Trick:

http://search.knowledgestor.com/info/com.g2news_csn_286_03.html

STRUCTURED DESIGN METHODOLOGIES: The “firehose technique” =(

NOTE: Please respect the disclaimer!

http://www.ul.ie/~cscw/shug/cs4417/

ODBC

http://ourworld.compuserve.com/homepages/VBrant/

Facts and Myths

http://ourworld.compuserve.com/homepages/Ken_North/odbcmyth.htm

MODULE 5

OPERATIONS SECURITY

Physical access to both data center and restricted environments within areas such as the tape library. Are there technical controls as well and when they fail can you fall back on the physical?

Who’s watching the operator/system administrator?

Compensating controls are a combination of controls such as physical and technical or technical and administrative or all three.

Examples - Super User password under lock and key requiring two signatures to unlock.

Banks where it takes 2 keys to open vault.

Card access to data center with in and out log.

True fault tolerant systems are designed to have redundancy and will automatically fail over.

Fail over - when one system/application fails, operations will automatically switch to the backup system. Designed to be transparent to the users.

Fault resilient systems are designed without redundancy and in the event of failure result in slightly longer downtime. The differences in percent uptime and downtime are slightly higher than fault tolerant.

Common Criteria language includes:

Degraded Fault Tolerance - specifies which capabilities the TOE will still provide after a failure of the system. Examples of general failures are flooding of the computer room, short term power interruption, breakdown of a CPU or host, software failure, or buffer overflow. Only functions specified must be available.

Limited Fault Tolerance - specifies against what type of failures the TOE must be resistant. Examples of general failures are flooding of the computer room, short-term power interruption, breakdown of a CPU or host, software failure, or overflow of buffer. Requires all functions to be available if specified failure occurs.

Continuity of operations includes continuity of controls across states.

Operating software refers to both the configuration and inventory.

Audit trail of who checked out media tapes and when.

Common Criteria for audit requirements for distributed environments - audit requirements for networks and other large systems may differ significantly from those needed for stand-alone systems.

· larger, more complex and active systems require more thought concerning which audit data to collect and how this should be managed, due to lowered feasibility of interpreting (or even storing) what gets collected.

· traditional notion of a time-sorted list or “trail” of audited events may not be applicable in a global asynchronous network having (arbitrarily) many events occurring at once.

· multi-object audit repository, portions of which are accessible by a potentially wide variety of authorised users, may be required if audit repositories are to serve a useful function in distributed systems.

· misuse of authority by authorised users should be addressed by systematically avoiding local storage of audit data pertaining to administrator actions.

Rainbow series guidelines - Orange Book

Detailed discussion in Architecture domain. Referring to levels of trust.

Common Criteria - security management roles - reduces the likelihood of damage resulting from users abusing their authority by taking actions outside their assigned functional responsibilities. It also addresses the threat that inadequate mechanisms have been provided to securely administer the TSF (TOE security functions). Requires that information be maintained to identify whether a user is authorised to use a particular security-relevant administrative function. Some management actions can be performed by users; others only by designated people within the organisation. Allows the definition of different roles, such as owner, auditor, administrator, daily-management. The roles as used in this family are security related roles. Each role can encompass an extensive set of capabilities (e.g. root in UNIX), or can be a single right (e.g. right to read a single object such as the help-file). Some type of roles might be mutually exclusive. For example the daily-management might be able to define and activate users, but might not be able to remove users (which is reserved for the administrator (role)). This class will allow policies such as two-person control to be specified.

Security roles: roles that are recognised by the system. These are the roles that users could occupy with respect to security. Examples are: owner, auditor and administrator.

Restrictions on security roles: conditions that govern role assignment. Examples of these conditions are: “an account cannot have both the auditor and administrator role” or “a user with the assistant role must also have the owner role”.

Assuming roles - roles that require an explicit request to be assumed. Examples are: auditor and administrator.

Ensuring that the integrity of the system is restored.

Trusted Recovery: Ensure that the TSF can determine that the TOE (system, application) is started up without protection compromise and can recover without protection compromise after discontinuity of operations. This is important because the start-up state of the TSF determines the protection of subsequent states.

Manual recovery: allows a TOE to only provide mechanisms that involve human intervention to return to a secure state.

Automated recovery: provides, for at least one type of service discontinuity, recovery to a secure state without human intervention; recovery for other discontinuities may require human intervention. (hierarchical to manual recovery).

Automated recovery without undue loss: also provides for automated recovery, but strengthens the requirements by disallowing undue loss of protected objects.(hierarchical to automated recovery).

Function recovery: provides for recovery at the level of particular SFs (security functions), ensuring either successful completion or rollback of TSF data to a secure state.

References

(ISC)2

http://www.isc2.org

Common Criteria

http://csrc.nist.gov/cc/

Rainbow Series

http://csrc.nist.gov/secpubs/rainbow/

Glossary of InfoSec and InfoSec Related Terms

http://security.isu.edu/infosec_glossary.html

MODULE 6

PHYSICAL SECURITY

RESOURCES:

Practical UNIX Guide to Internet Security – Stafford & Garfunkle

http://www.rcmp-grc.gc.ca/tsb/pubs/index.htm

Note: Excess volts, as charted below, can harm the electrical equipment. Excess amperes can cause serious harm to humans.

Static Charge Effect on Microcomputers

Charge (Volts)

Possible Damage

40

Logic Circuits, sensitive transisters

1,000Touching Cathode Ray Tube may clear screen, crash buffer

1,500Touching Disk drive may attract contaminants to surface and cause data loss or head crash - For example, Smoke particles average .00025in.or .0006125 centimeters In diameter, which is 2-5 times greater than disk head clearance.

2,000

System shutdown

4,000

Touching printer may cause jam

17,000

May shock system out of parity

Control over contaminate levels in a computer room is an extremely important consideration. Normal operating activities can cause a buildup of conductive particles on circuit boards, microswitches and other components which can cause equipment failure and perhaps result in spontaneous combustion within computer equipment. Damage caused by smoke/gas is also a serious concern. Be especially sensitive to the danger from a fire in another part of a facility that could project smoke particles & toxic /corrosive gas through the air or ventilating systems. The following are concerns:

• Smoke & gas travel much faster. Farther & easier than heat or flame.

• The diameter of a typical smoke particle averages .00025 inch (.00636 millimeter) which is 2-5 times larger than a disk/head clearance.

• Smoke damages secondary storage devices whereas corrosive gasses damage every device.

Embedded Wire is the most secure from tampering/compromise. It is also called “Wiegand”.

http://www.zdnet.com/eweek/news/0112/12bio.html

Hand Geometry is not Hand Topology (the side view elevations of parts of the hand) which is not discriminating enough to be effective. Hand Geometry includes many characteristics of the hand, including thickness, width, length, etc. The palm print like the fingerprint is OK.

Retina pattern measures the blood vessels of the eye - is relatively intrusive.

Iris Scan is accomplished by using a camera, perhaps located on the wall, that recognizes an individuals eye(s) as s/he passes by. Not intrusive

Facial recognition matches an individual’s facial patterns with the patterns held in the database.

Fresnel lens - a thin optical lens of many concentric rings having the properties of a much thicker & heavier lens: used in cameras, lighthouse beacons, etc. For more, go here:

http://lighthousegetaway.com/lights/fresnel.html

In a really secure facility with high walls/fencing and guard towers a search light might be appropriate at the guard towers (e.g., prison yard, nuclear facility).

Critical areas around buildings - install lighting at least 8 feet (2.4 meters) high & with illumination of 2 foot candles (lumens). (NIST specification)

Photoelectric - Active Infrared beam(s) that trigger an alarm when the beam is broken

Ultrasonic - Ultrasound energy bounced of the floors, walls, objects. The receiver detects “foreign” signal change caused by intruder and sounds the alarm

Microwave - Receiver diode picks up transmitted and “bounced” energy waves in an enclosure. Intruder disrupts the waves and activates the alarm

Passive infrared - where objects radiate IR with the heat of their bodies. Detector notes change and triggers an alarm

It is important that all electrical power installation meet national and local code. Additionally, most large commercial buildings will be supplied with three-phased power by the utility and power company, which provides electric currents in phases based on the customer’s need. Most data centers have both three-phased and single phased equipment Consequently, electric system design must provide for all anomalies that can affect operations. This part will be describing the significant ones.

There are also some considerations related to selecting an alternate power source for data center operations. These include:

Benefits/costs of alternatives

Required maintenance/testingResulting hazards Fuel supply Electrical fire Hydrogen gas from batteries

http://www.powerware.com/

Voltage Fluctuations:

Micros operate within 10 % of 110 volts;

ANSI standards permit 8 % drop between source & meter and 3.5 % between meter & computer;

Brownouts may lose 10 %;

Surges & sags may cause micro damage;

Protect by surge suppressor

EMI - Common-mode noise occurs between hot & ground wires. Traverse-mode noise occurs between hot & neutral wires.

RFI - can damage data, CPU, peripheral components

Protect against EMI/RFI by shielding

Portable extinguishers can enable people to suppress a fire before the automatic systems actuate & cause additional damage.

Some organizations recommend that tile removal tools (tile lifters) be located at each extinguisher station so that when a fire is detected under the raised floor the cause can be quickly determined and the fire suppressed by using a portable extinguisher (Halon 1211, FM200, water, soda).

Portable extinguishers can be a first line of defense to prevent a small fire from escalating to a disaster.

Both Halon 1211 and FM200 gasses meet the safety requirements of less that 10% concentration. However, FM-200 does not release ozone depleting substances into the atmosphere.

Other replacement alternatives include:

PFC-410 or CEA-410

PFC-218 or CEA-308

NAF S-III

FE 13

Argon

Argonite

Inergen

MODULE 7

CRYPTOGRAPHY

TEMPEST: Stands for Transient Electromagnetic Pulse Emission Standard. It is the standard by which the government measures electromagnetic computer emissions and details what is safe (allowed to leak) from monitoring. The standards are detailed in NACSIM 5100A, a document which has been classified by the National Security Agency.

Devices which conform to this standard are called TEMPEST certified.

In 1985, a Dutch scientist Wim van Eck published a paper which was written about in the prestigious "Computers & Security" journal, "Electromagnetic Radiation from Video Display Units: An Eavesdropping Risk?" Vol 4 (4) pp 269-286. The paper caused a panic in certain government circles and was immediately classified as is just about all TEMPEST information.

Wim van Eck's work proved that Video Display Units (CRT's) emitted electromagnetic radiation similar to radio waves and that they could be intercepted, reconstructed and viewed from a remote location. This of course compromises security of data being worked on and viewed by the computer's user. Over the years TEMPEST monitoring has also been called van Eck monitoring or van Eck eavesdropping.

A scary story: http://www.thecodex.com/c_tempest.html

More information on DNSSEC: http://www.ietf.org/ids.by.wg/dnssec.html

RFC 2065 & RFC 2035

More information on SSL: http://home.netscape.com/products/security/ssl/protocol.html

More information on SHTTP:

S-HTTP (ref; http://www.webopaedia.com ) keyword search = SHTTP

An extension to the HTTP protocol to support sending data securely over the World Wide Web. Not all Web browsers and servers support S-HTTP.

Another technology for transmitting secure communications over the World Wide Web -- Secure Sockets Layer (SSL) -- is more prevalent. However, SSL and S-HTTP have very different designs and goals so it is possible to use the two protocols together. Whereas SSL is designed to establish a secure connection between two computers, S-HTTP is designed to send individual messages securely. Both protocols have been submitted to the Internet Engineering Task Force (IETF) for approval as a standard.

S-HTTP was developed by Enterprise Integration Technologies (EIT), which was acquired by Verifone, Inc. in 1995.

MORE S-HTTP reading; http://www.terisa.com/shttp/current.txt

From Duke University: http://www.duke.edu/~wgrobin/ethics/netshop/s-http.htm

In 1994, EIT developed (S-HTTP) Secure Hypertext Transfer Protocol. It is a security-enhanced version of HTTP. S-HTTP provides transaction security services for electronic commerce. It adds encryption elements to standard browser applications. By adding public-key security methods from RSA Data Security it enhances traditional HTTP transactions.

S-HTTP has been implemented commercially by Terisa Systems, which was co-founded by EIT and RSA Data Security in 1994. Terisa produces a security toolkit software product that allows software developers to integrate S-HTTP into their World Wide Web clients and servers.

More information on GSS-API: http://gits-sec.treas.gov/cryptosec/sld001.htm This is a 32 slide PPT presentation.

GSS-API is specified in [RFC 1508], and [RFC 1509]

http://www.faqs.org/rfcs/rfc1508.html Generic Security Service Application Program Interface

http://www.faqs.org/rfcs/rfc1509.html Generic Security Service API : C-bindings

More information on https: (Ref; Netguru)

HTTPS

HTTPS (Secure Hypertext Transfer Protocol) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sub-layer under its regular HTTP application layer. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange.

Suppose you use a Netscape browser to visit a Web site such as NetPlaza ( http://www.netplaza.com ) and view their catalog. When you're ready to order, you will be given a Web page order form with a URL that starts with https://. When you click "Send," to send the page back to the catalog retailer, your browser's HTTPS layer will encrypt it. The acknowledgement you receive from the server will also travel in encrypted form, arrive with an https:// URL, and be decrypted for you by your browser's HTTPS sub-layer.

HTTPS and SSL support the use of X.509 digital certificates from the server so that, if necessary, a user can authenticate the sender. SSL is an open, nonproprietary protocol that Netscape has proposed as a standard to the World Wide Consortium (W3C). HTTPS is not to be confused with SHTTP, a security-enhanced version of HTTP developed and proposed as a standard by EIT.

S/MIME is a specification for secure electronic messaging. In 1995, several software vendors got together and created S/MIME to solve a very real problem - interception and forgery of e-mail. Protecting sensitive data is a real concern, especially in a world that is becoming increasingly more wired. The goal of S/MIME is to make it easy to secure messages from prying eyes. Since its creation, S/MIME has come a long way. S/MIME is short for Secure Multipurpose Internet Mail Extensions. The specification was designed to be easily integrated into e-mail and messaging products. S/MIME builds security on top of the industry standard MIME protocol according to an equally important set of cryptographic standards, the Public Key Cryptography Standards (PKCS). The fact that S/MIME was created using other standards is important for something that is likely to be widely implemented. Users will benefit from the widespread adoption of S/MIME. Privacy, Data Integrity, and Authentication will be available to anyone with an e-mail package that implements S/MIME.

The Message Security Protocol is a very recent protocol developed to address the problems related to e-mail security. MSP provides writer-to-reader security services. These security services include confidentiality, integrity, data origin authentication, access control, non-repudiation with proof of origin, and non-repudiation with proof of delivery.

http://www.imc.org/workshop

The PKCS family of standards addresses the following need: an agreed-upon standard format for transferred data based on public-key cryptography. PKCS covers several aspects of public-key cryptography, including RSA encryption, Diffie-Hellman key agreement, password-based encryption, extended-certificate syntax, cryptographic-enhancement syntax, and private-key information syntax. PKCS evolved from three broad design goals: to maintain compatibility with Privacy-Enhanced Mail, to extend beyond PEM, and to be suitable for incorporation in future OSI standards.

SSH is a protocol for secure remote login and other secure network services over an insecure network. The SSH protocol consists of three major components: Transport layer protocol provides server authentication, confidentiality, and integrity with perfect forward secrecy. User authentication protocol authenticates the client to the server. Connection protocol multiplexes the encrypted tunnel into several logical channels.

Van Dyke Technologies (CRT) SSH products; http://www.vandyke.com/

Fsecure SSH2 ‘Client” http://www.f-secure.com/products/ssh/

LUC – Short form for the LUCAS combinations that use the analog of some of the values of other crypto techniques. LUC is a public-key crypto system developed by a group of researchers in Australia & New Zealand. The cipher implements the analogs of El Gamal, Diffie-Hellman & RSA over Lucas sequences. It uses Lucas functions instead of exponentiation. It's inventor Peter Smith has since then implemented four other algorithms with Lucas functions: LUCDIF, a key negotiation method like Diffie-Hellman; LUCELG PK, equivalent to El Gamal public-key encryption; LUCELG DS, equivalent to El Gamal digital signature; and LUCDSA, equivalent to the US Digital Signature Standard. LUC Encryption Technology Ltd has obtained patents for cryptographic use of Lucas functions in United States and New Zealand.

Although there are several implementations of public key crypto currently in use, the RSA algorithm is the most popular. It is in use worldwide.

Basically, you can’t decrypt with the same key used to encrypt. The 2 keys are the one kept secret by the owner & the one made public. The operation of this technology will be discussed later.

Key distribution is not a problem with public key technology because the public key doesn’t need to be kept confidential, however, ensuring that a specific public key belongs to a specific person is a problem addressed by certification to be described later.

For now, discuss the use of private key (symmetric) crypto for encrypting large messages because of its speed but the use of public key (asymmetric) crypto to distribute the symmetric key to the recipient for use in decrypting the message.

FOR MORE see: http://www.ssh.fi/tech/crypto/algorithms.html#asymmetric

Lucifer was an earlier crypto system developed by IBM.

Non-linear - an S-Box is used which is a nonlinear function which substitutes four output bits for six input bits within a DES device to make the DES algorithm a nonlinear process. A linear process is one in which the output is directly proportional to the input - not a desirable condition for encryption.

How DES works: http://www.zolatimes.com/V2.28/DES.htm

Recertification: http://csrc.nist.gov/fips/dfips46-3.pdf

Taken from the publication:

With this modification of the FIPS 46-2 standard:

1. Triple DES (using TDEA- triple data encrypting algorithm), as specified in ANSI X9.52 will be recognized as a FIPS approved algorithm.

2. Triple DES will be the FIPS approved symmetric encryption algorithm of choice.

3. Single DES (using DEA) will be permitted for legacy systems only. New procurements to support legacy systems should, where, feasible, use Triple DES products running in the single DES configuration.

4. Government organizations with legacy DES systems are encouraged to transition to Triple DES based on a prudent strategy that matches the strength of the protective measures against the associated risk.

In 1997 a US programmer was able, through use of the Internet, to crack a 56-bit DES key in 4 months by writing a program to try all keys. At the start of the attack, 20 PC users were running the program, when it finished there were about 14,000 PC users working on it.

Almost a year later in January, 1998, Challenge II used 22,000 participants with a total of 50,000 CPUs (at a peak rate of 26 trillion keys per second) to crack a 56-bit DES key in 39 days.

Recently in July, 1998, the Electronic Fund Foundation cracked the 56-bit DES key in 3 days using equipment that costs less than $250,000.

January 19, 1999 distributed.net and EFF solve the DES-III challenge in a record 22 hours, 15 minutes, 4 seconds.

These accomplishments were attacks against the key length not the algorithm and involved a brute force attack - trying all keys, so it would be equally successful against other crypto systems.

The solution for protecting very sensitive data is to pick an algorithm with a longer key, as many are doing who have shifted to triple DES (to be addressed later).

http://www.distributed.net/history.html

It is anticipated that triple DES and the Advanced Encryption Standard (AES) will coexist as FIPS approved algorithms allowing for a gradual transition to AES. (The AES is a new symmetric-based encryption standard under development by NIST. AES is intended to provide strong cryptographic security for the protection of sensitive information well into the 21st century.).

http://csrc.nist.gov/encryption/

August 9, 1999

NIST’s Information Technology Laboratory chose the following five contenders as finalists for the AES:

MARS developed by International Business Machines Corp. of Armonk, N.Y.;

RC6 developed by RSA Laboratories of Bedford, Mass.;

Rijndael developed by Joan Daemen and Vincent Rijmen of Belgium;

Serpent developed by Ross Anderson, Eli Biham and Lars Knudsen of theUnited Kingdom, Israel and Norway respectively; and;

Twofish developed by Bruce Schneier, John Kelsey, Doug Whiting, David Wagner, Chris Hall and Niels Ferguson.

(Many members of this latter group are associated with Counterpane Systems of Minneapolis). No significant security vulnerabilities were found for the five finalists during the initial analysis of the algorithms, and each candidate offers technology that is potentially superior for the protection of sensitive information well into the 21st century.

NIST requested proposals for the AES on Sept. 12, 1997. Each of the candidate algorithms supports cryptographic key sizes of 128, 192 and 256 bits. At a 128 bit key size, there are approximately 340,000,000,000,000,000,000,000,000,000,000,000,000 (340 followed by 36 zeroes) possible keys.

RECENT WINNER ANNOUNCED WAS Rijndael (pronounced RHINE-DOLL) developed by Joan Daemen and Vincent Rijmen of Belgium; The cipher has a variable block length and key length.

http://www.esat.kuleuven.ac.be/~rijmen/rijndael/

AES: http://csrc.nist.gov/encryption/aes/aes_home.htm

This is the description of Clipper which has met with great resistance to implementation by the private sector as well as internationally. The problem, of course, is the escrow provision which would enable government (law enforcement) to obtain the escrowed key & thereby read the encrypted message regardless of what session key was used. Being pushed by law enforcement to enable them to monitor crooks/drug traffickers who might use DES to hide data (a somewhat unbelievable case). Also, at one time scheduled for use in cellular phones to maintain the confidentiality of calls. Used in this context would seem to involve a difficult key distribution problem if the person at the other end, and only the one intended, needed to decrypt the call.

Escrow - put in the care of a third party until certain conditions are met (e.g., court order authorizing law enforcement access to the key).

Clipper chip information: http://www.epic.org/crypto/clipper/

ECC on Smart Cards

http://www.logica.com/globe/globe07/smartcard.html

Discussion about Processor power.. http://www.snf.unsw.edu.au/~snf/quant2.html

The IEEE PKI resource pages…

http://grouper.ieee.org/groups/1363/index.html

http://www.pgp.com/ & http://www.pgp.com/products/dtop-security-data/default.asp

PGP Freeware

PGP MIT Freeware Downloads.

PGP is the world's defacto standard for email encryption and authentication, with over 6 million users. PGP 6.5.1 MIT freeware supports RSA, PGP email and secure client-to-client connections using PGP certificates. It is available for non-commercial use only.

The commercial PGP VPN Client is available from Network Associates and is fully IPSec compliant with support for X.509 certificates from industry leaders such as VeriSign, Entrust and Net Tools, and VPN gateway support to create encrypted network

connections to your company for secure remote access. The commercial client also includes PGPdisk for lightning fast disk, file and directory encryption and authentication in addition to technical support!

PGP FAQ: http://www-ipg.umds.ac.uk/d.hill/FAQs/cryptography-faq/mini-overview/faq.html

PGP TELEPHONE: See: http://web.mit.edu/network/pgpfone/

MIT has been distributing PGPfone beta test version 1.0b2 for Windows '95 and Windows NT since July 11, 1996

MIT has been distributing PGPfone beta test version 1.0b7 for the Macintosh since July 11, 1996.

Version 1.0b2 DOES NOT TALK to earlier versions.

Version 1.0b7 for the Macintosh works with 1.0b2 for Windows '95

PGPfone (Pretty Good Privacy Phone) is a software package that turns your desktop or notebook computer into a secure telephone. It uses speech compression and strong cryptography protocols to give you the ability to have a real-time secure telephone conversation via a modem-to-modem connection. It also works across the Internet!

S/MIME is a specification for secure electronic mail. S/MIME stands for Secure/Multipurpose Internet Mail Extensions and was designed to add security to e-mail messages in MIME format. The security services offered are authentication (using digital signatures) and privacy (using encryption).

S/MIME (Secure/ Multipurpose Internet Mail Extensions) is a protocol that adds digital signatures and encryption to Internet MIME (Multipurpose Internet Mail Extensions) messages described in RFC 1521. MIME is the official proposed standard format for extended Internet electronic mail. Internet e-mail messages consist of two parts, the header and the body. The header forms a collection of field/value pairs structured to provide information essential for the transmission of the message. The structure of these headers can be found in RFC 822. The body is normally unstructured unless the e-mail is in MIME format. MIME defines how the body of an e-mail message is structured. The MIME format permits e-mail to include enhanced text, graphics, audio, and more in a standardized manner via MIME-compliant mail systems. However, MIME itself does not provide any security services. The purpose of S/MIME is to define such services, following the syntax given in PKCS #7 for digital signatures and encryption. The MIME body section carries a PKCS #7 message, which itself is the result of cryptographic processing on other MIME body sections.

S/MIME has been endorsed by a number of leading networking and messaging vendors, including ConnectSoft, Frontier, FTP Software, Qualcomm, Microsoft, Lotus, Wollongong, Banyan, NCD, SecureWare, VeriSign, Netscape, and Novell. For more information on S/MIME, check http://www.rsa.com/smime/.

PKCS (Public-Key Cryptography Standards) is a set of standards for implementation of public-key cryptography. It has been issued by RSA Data Security, Inc. in cooperation with a computer industry consortium, including Apple, Microsoft, DEC, Lotus, Sun, and MIT. PKCS #7 is a flexible and extensible message format for representing the results of cryptographic operations on some data. PKCS #10 is a message syntax for certification requests. Both have been submitted as Internet Drafts: PKCS #7: Cryptographic Message Syntax and PKCS #10: Certification Request Syntax.

S/MIME does use digital certificates. The X.509 format is used due to its wide acceptance as the standard for digital certificates. VeriSign has set up a certificate hierarchy specifically to support the S/MIME effort. Contact VeriSign at 650-961-7500 for more information on the S/MIME hierarchy, or visit their web site at http://www.verisign.com . The S/MIME Class 1 Certificate CSR submit available at https://digitalid.verisign.com/client/smimeStep1.htm provides a mechanism for users of S/MIME user agents to obtain X.509v3 certificates signed under the VeriSign Class 1 Individual Subscriber CA. This document describes the format of the enrollment messages required to request a certificate, and details on how the signed certificate is packaged and returned. http://www.verisign.com/smime/index.html

The security services provided by this protocol include:

Connectionless Confidentiality, Data Origin Authentication, Connectionless Integrity, and Access Control

Non-repudiation with proof of origin (message signature)

Non-repudiation with proof of delivery (signed receipts)

Confidentiality, data origin authentication, and integrity are provi