
CISSP Review Notes


8/3/2019 CISSP Review Notes

http://slidepdf.com/reader/full/cissp-review-notes 1/12

I. Smart cards
   a. Smart cards are more tamperproof than memory cards, but individuals have introduced computational errors into smart cards to uncover the encryption keys used and stored on the cards
      i. Fault generation attack: the attacker reviews the result of an encryption function after introducing an error (e.g. by changing input voltage, clock rate, or temperature fluctuations) and reviews the correct result, which the card produces when no errors are introduced. Analysis of the difference can allow the attacker to reverse engineer the encryption process to uncover the encryption key.
      ii. Side channel attacks: nonintrusive; used to uncover sensitive information by monitoring and capturing the analog characteristics of all supply and interface connections and any other electromagnetic radiation produced by the processor during normal operation
         1. Differential power analysis – examining the power emissions released during processing
         2. Electromagnetic analysis – examining the frequencies emitted
         3. Timing – examining how long a specific process takes
   b. An ISO/IEC standard, 14443, outlines physical characteristics, initialization and anti-collision, and transmission protocol for smart cards
      i. The DoD is rolling out smart cards across all of its agencies, and NIST is developing a framework and conformance testing program for interoperability issues
   c. Software attacks are noninvasive attacks; they input an algorithm on the card that will allow the attacker to extract account information
   d. Microprobing uses needles and ultrasonic vibration to remove the outer protecting material on the card’s circuits so that data can be accessed and manipulated by tapping into the card’s ROM chips
II. Authorization
   a. Applications, security add-on packages, and resources can provide authorization functionality
   b. Granting access rights should be based on the level of trust a company has in a subject and the subject’s need to know. Different access criteria can be enforced by roles, groups, location, time, and transaction types
      i. A role is based on a job assignment or function
      ii. If several users require the same type of access to information and resources, putting them into a group and then assigning rights and permissions to that group is easier to manage than assigning rights and permissions to each and every individual separately (one way access control is enforced through a logical access control mechanism)
      iii. Physical or logical location can be used to restrict access to a resource. This restriction is often implemented to restrict unauthorized individuals from reconfiguring the server remotely
         1. Logical location restrictions are done through network address restrictions; the network administrator ensures that status requests of an intrusion detection management console are accepted only from certain computers on the network using software
      iv. Time of day is a (logical) access control mechanism; temporal access can also be based on the creation date of a resource
      v. Transaction-type restriction can be used to control what data is accessed during certain types of functions and what commands can be executed on the data
   c. Access control mechanisms should default to no access (a user can have read, change, delete, full control, or no access permissions)
      i. If nothing has been specifically configured for an individual or the group she belongs to, the user should not be able to access that resource
      ii. Most access control lists that work on routers and packet-filtering firewalls default to no access
   d. Need-to-know principle: individuals should be given access only to the information they absolutely require in order to perform their job duties (management determines the security requirements of individuals and how access is authorized; the security administrator configures the security mechanisms to fulfill these requirements)
   e. Authorization creep: as employees rotate, they are assigned more access rights and permissions, thereby posing a risk to a company because too many users have too much privileged access to the company assets
      i. Rights and permission reviews have been incorporated into many regulatory-induced processes (including SOX regulations)

III. Single Sign-On
   a. SSO capabilities allow a user to enter credentials one time and access all pre-authorized resources in primary and secondary network domains; this enables the administrator to streamline user accounts and better control access rights
   b. To work, every platform, application, and resource needs to accept the same credentials, in the same format, and interpret their meanings similarly
      i. It is rare to see a real SSO environment; it is more common to see a cluster of computers and resources that accept the same credentials
   c. Kerberos is an authentication protocol designed in the mid-1980s that works in a client/server model, is based on symmetric key cryptography, and provides end-to-end security
      i. Used for years in Unix systems and is currently the default authentication method for Windows 2000, 2002, and 2008 operating systems
      ii. Mac OS X, Solaris, and Linux 4 all use Kerberos authentication
      iii. Kerberos is a single sign-on system for distributed environments and the de facto standard for heterogeneous networks
      iv. Has scalability, transparency, reliability and security, although its open architecture (vendors can customize a protocol) invites interoperability and incompatibility issues
      v. Designed specifically to eliminate the need to transmit passwords over the network; most Kerberos implementations work with shared secret keys

IV. Role-based access control


   a. The RBAC approach simplifies access control administration by allowing permissions to be managed in terms of user job roles
      i. A role is defined in terms of the operations and tasks the role will execute. When the analyst makes a request to access a server, the operating system reviews the role’s access levels before allowing an operation to occur
      ii. Introducing roles introduces the difference between rights being assigned explicitly and implicitly
      iii. The RBAC model is the best system for a company with high employee turnover (the administrator does not continually change the ACLs on the individual objects; he creates a role, assigns permissions to this role, and maps the new user to this role)
   b. Core RBAC – users, roles, permissions, operations and sessions are defined and mapped according to the security policy
      i. Has a many-to-many relationship among individual users and privileges (many users can belong to many groups)
      ii. Session is a mapping between a user and a subset of assigned roles
      iii. Accommodates traditional but robust group-based access control
      iv. Can be configured to include time of day, location of role, day of week, etc. for access decisions
   c. Hierarchical RBAC – allows the administrator to set up an organizational RBAC model that maps to the organizational structures and functional delineations required in a specific environment
      i. Role relation defines user membership and privilege inheritance
         1. Limited hierarchies – only one level of hierarchy is allowed
         2. General hierarchies – allows for many levels of hierarchies
      ii. Static Separation of Duty Relations through RBAC – used to deter fraud by constraining the combination of privileges (e.g. user cannot be a member of both the Cashier and Accounts Receivable groups)
      iii. Dynamic Separation of Duties Relations through RBAC – used to deter fraud by constraining the combination of privileges that can be activated in any session
   d. Role-based access control can be managed as 1) Non-RBAC (users are mapped directly to applications and no rules are used); 2) Limited RBAC (users are mapped to multiple roles and mapped directly to other applications that do not have role-based functionality); 3) Hybrid RBAC (users are mapped to multi-application roles with only selected rights assigned to those roles); 4) Full RBAC (users are mapped to enterprise roles)
   e. Current access control models (MAC, DAC, RBAC) do not lend themselves to protecting data of a given sensitivity level but limit the functions that the users can carry out
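Static and dynamic separation of duty from items c.ii and c.iii above, as an added example in C that is not part of the original notes. The Cashier / Accounts Receivable pair comes from the notes; the payment initiator, payment approver and auditor roles, every type and function name, and the bitmask representation are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned int roleset;               /* one bit per role */

enum {
    ROLE_CASHIER             = 1u << 0,     /* from the notes */
    ROLE_ACCOUNTS_RECEIVABLE = 1u << 1,     /* from the notes */
    ROLE_PAYMENT_INITIATOR   = 1u << 2,     /* constructed for the example */
    ROLE_PAYMENT_APPROVER    = 1u << 3,     /* constructed for the example */
    ROLE_AUDITOR             = 1u << 4      /* constructed for the example */
};

enum { RBAC_OK = 0, RBAC_NOT_ASSIGNED = -1,
       RBAC_SSD_VIOLATION = -2, RBAC_DSD_VIOLATION = -3 };

/* Each constraint is a set of mutually exclusive roles. */
struct sod_policy {
    const roleset *ssd; size_t n_ssd;       /* checked at assignment time */
    const roleset *dsd; size_t n_dsd;       /* checked at activation time */
};

struct rbac_user    { roleset assigned; };
/* A session maps a user to the subset of assigned roles that is active. */
struct rbac_session { const struct rbac_user *user; roleset active; };

static int count_roles(roleset r) {
    int n = 0;
    while (r) { r &= r - 1; n++; }
    return n;
}

/* A role set violates a constraint when it holds two or more of its roles. */
static int violates(roleset held, const roleset *sets, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (count_roles(held & sets[i]) > 1)
            return 1;
    return 0;
}

/* Static SoD: the conflicting membership can never exist. */
int assign_role(struct rbac_user *u, roleset role, const struct sod_policy *p) {
    if (violates(u->assigned | role, p->ssd, p->n_ssd))
        return RBAC_SSD_VIOLATION;
    u->assigned |= role;
    return RBAC_OK;
}

/* Dynamic SoD: both roles may be assigned, but not active in one session. */
int activate_role(struct rbac_session *s, roleset role, const struct sod_policy *p) {
    if ((s->user->assigned & role) != role)
        return RBAC_NOT_ASSIGNED;           /* default is no access */
    if (violates(s->active | role, p->dsd, p->n_dsd))
        return RBAC_DSD_VIOLATION;
    s->active |= role;
    return RBAC_OK;
}

static const roleset SSD_SETS[] = { ROLE_CASHIER | ROLE_ACCOUNTS_RECEIVABLE };
static const roleset DSD_SETS[] = { ROLE_PAYMENT_INITIATOR | ROLE_PAYMENT_APPROVER };
const struct sod_policy DEMO_POLICY = { SSD_SETS, 1, DSD_SETS, 1 };

int main(void) {
    struct rbac_user u = { 0 };
    printf("assign cashier:             %d\n", assign_role(&u, ROLE_CASHIER, &DEMO_POLICY));
    printf("assign accounts receivable: %d\n", assign_role(&u, ROLE_ACCOUNTS_RECEIVABLE, &DEMO_POLICY));
    assign_role(&u, ROLE_PAYMENT_INITIATOR, &DEMO_POLICY);
    assign_role(&u, ROLE_PAYMENT_APPROVER, &DEMO_POLICY);

    struct rbac_session s = { &u, 0 };
    printf("activate initiator:         %d\n", activate_role(&s, ROLE_PAYMENT_INITIATOR, &DEMO_POLICY));
    printf("activate approver:          %d\n", activate_role(&s, ROLE_PAYMENT_APPROVER, &DEMO_POLICY));
    return 0;
}
```

The static constraint is evaluated once, when the administrator maps the user to a role; the dynamic constraint is re-evaluated on every activation, so a fresh session can activate the approver role on its own.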

V. Access Control Techniques and Technologies
   a. Rule-based access control – uses specific rules that indicate what can and cannot happen between a subject and an object; before a subject can access an object in a certain circumstance, it must meet a set of predefined rules
   b. Rule-based access (compulsory control) allows a developer to define specific and detailed situations in which a subject can or cannot access an object. Traditionally, it has been used in MAC systems as an enforcement mechanism of the complex rules of access that MAC systems provide.
      i. Rule-based access is used in other systems and applications (e.g. content filtering)
      ii. Routers and firewalls use rules to determine which types of packets are allowed into a network
   c. Constrained User Interfaces
      i. Restrict users’ access abilities by preventing them from requesting certain functions or information or accessing specific system resources
      ii. Menus – the options users are given are the commands they can execute; a shell is a type of virtual environment within a system. It is the user’s interface to the operating system and works as a command interpreter. If restricted shells are used, the shell only contains the commands the administrator wants the users to be able to execute.
      iii. Database views are mechanisms used to restrict user access to data contained in databases
      iv. Physically constraining a user interface can be implemented by providing only certain keys on a keypad or certain touch buttons on a screen
   d. An access control matrix is a table of subjects and objects indicating what actions individual subjects can take on individual objects (usually an attribute of DAC models). The access rights can be assigned directly to the subjects (capabilities) or to the objects (ACLs)
   e. A capability table specifies the access rights a certain subject possesses pertaining to specific objects. The capability corresponds to the subject’s row in the access control matrix. Kerberos is a capability-based system. The ticket (token/key) is a capability table. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object
   f. Access control lists are lists of subjects that are authorized to access a specific object (and define what level of authorization is granted). Authorization can be specified to an individual or group
      i. Map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.
   g. Content-dependent access control – access to objects is determined by the content within the object; used when corporations employ e-mail filters that look for specific strings
   h. Context-dependent access control is based on the context of a collection of information rather than on the sensitivity of the data
      i. Firewalls make context-based access decisions when they collect state information on a packet before allowing it into the network
      ii. A stateful firewall understands the necessary steps of communication for specific protocols and will not allow packets to go through that do not follow this sequence (stateful – understands the necessary steps of a dialog session)

VI. IDS Sensors – filters received data, discards irrelevant information, and detects suspicious activity


      iii. The memory manager maps the logical address to the physical address so the CPU knows where the instruction is located.
      iv. Absolute addresses are loaded into the CPU’s registers
   b. When an application makes a request for a memory segment, it is allocated a specific memory amount by the operating system. When the application is done with memory, it should tell the operating system to release the memory so it is available to other applications
      i. Some applications are written poorly and do not indicate to the system that this memory is no longer in use; memory leaks can be caused by OS, applications, and software drivers
      ii. Hackers can exploit memory leaks using denial-of-service (DoS) attacks
      iii. A garbage collector is software that runs an algorithm to identify unused committed memory and then tell the OS to mark that memory as available
IX. Virtual memory
   a. Secondary storage – nonvolatile storage media (e.g. computer’s hard drive, floppy disks, and CD-ROMs)
   b. Virtual memory – system uses hard drive space to extend its RAM memory space
      i. Swap space – reserved hard drive space used to extend RAM capabilities; Windows uses the pagefile.sys file to reserve this space
      ii. When a system fills up its volatile memory space, it writes data from memory onto the hard drive.
         1. Virtual memory paging: When a program requests access to this data, it is retrieved from the hard drive back into memory in specific units (pages)
            a. Application requests access to memory; memory manager looks up which segments are allocated to that process; memory manager accesses memory frame for process; memory manager returns data held in memory
         2. Internal control locks, maintained by the OS, keep track of what page frames are residing in RAM and what is available “offline”
      iii. When a system is shut down, or processes that were using the swap space are terminated, the pointers to the pages are reset to available even though the actual data written to the disk is still physically there (can be compromised or captured)
         1. Routines should erase swap spaces after a process is done with it and before a system shuts down
      iv. If a program, file, or data are encrypted and saved on the hard drive, they will be decrypted when used by the controlling program. While these unencrypted data are sitting in RAM, the system could write out the data to the swap space on the hard drive, in their unencrypted state.

X. CPU Modes and Protection Rings
   a. Protection rings provide strict boundaries and definitions for what the processes that work within each ring can access and what operations they can successfully execute
      i. Processes that operate within the inner rings have more privileges than processes operating in the outer rings because the inner rings only permit the most trusted components and processes to operate within them
      ii. Processes in the inner rings exist in privileged or supervisor mode while processes in outer rings execute in user mode
      iii. The actual ring architecture used by a system is dictated by the processor and operating system. The hardware chip is constructed to provide a certain number of rings and the operating system must be developed to work in this ring structure.
   b. OS components operate in a ring that gives them the most access to memory locations, peripheral devices, system drivers, and sensitive configuration parameters.
      i. If an application tries to send instructions to the CPU that fall outside its permission level, the CPU treats this violation as an exception and may show a general protection fault or exception error and try to shut down the application
   c. The most common architecture provides four rings: Ring 0 – operating system kernel; Ring 1 – remaining parts of the OS; Ring 2 – I/O drivers and utilities; Ring 3 – applications and user activity
      i. Protection rings provide an intermediate layer between subjects and objects; each subject and object is logically assigned a number depending upon the level of trust the OS assigns it. Entities can only access and directly communicate with objects in their own ring.
         1. When an application needs access to components in rings it cannot directly access, it makes a request of the OS to perform the necessary tasks through system calls

XI. Operating system architecture
   a. Operating system architecture is the framework that dictates how the OS’s services and functions are placed and how they interact
   b. A monolithic operating system architecture – modules of code can call upon each other as needed; communication between different modules is not structured and controlled and data hiding is not provided. MS-DOS is a monolithic operating system
   c. Layered operating system (THE, VAX/VMS, Multics, and Unix) – separates system functionality into hierarchical layers
      i. THE (Technische Hogeschool Eindhoven) multiprogramming system had five layers of functionality; layer 0 controlled access to the processor and provided multiprogramming functionality; layer 1 carried out memory management; layer 2 provided inter-process communication; layer 3 dealt with I/O devices; layer 4 was where the application resided; layer 5 was the user layout and not implemented directly by THE
      ii. Provides data hiding – instructions and data (packaged up as procedures) at various layers do not have direct access to instructions and data at any other layers
         1. Each procedure at each layer has access only to its own data and a set of functions that it requires to carry out its own tasks.
      iii. A monolithic OS provides only one layer of security, while in a layered system, each layer should provide its own security and access control
         1. Modularizing software and code increases the assurance level of the system
   d. Another approach works within a client/server architecture – portions of software and functionality that were previously in the monolithic kernel are now at the higher levels of the operating system. The OS functions are divided into different processes that run in user mode
      i. The goal of a client/server architecture is to move as much code as possible from working in kernel mode (privileged mode) so the system has a leaner kernel (microkernel)
         1. The requesting process is referred to as the client, and the process that fulfills the request is called the server
         2. The server process can be a file system server, memory server, I/O server, or process server (called subsystems); the client is either a user process or another OS process
      ii. In a network, an application works in a client/server model because it provides distributed computing capabilities. The client portion of the application resides on the workstations and the server portion is usually a back-end database or server.

XII. Security Policy – provides the framework for the system’s security architecture
   a. A trusted system must have an architecture that provides the capabilities to protect itself from untrusted processes, intentional or accidental compromises, and attacks at different layers of the system
      i. Trust ratings obtained through formal evaluations require a defined subset of subjects and objects, explicit domains, and the isolation of processes so their access can be controlled and the activities performed on them can be audited
         1. When a system is tested against specific criteria, a rating is assigned to the system. The criteria will determine if the security policy is being properly supported and enforced.
      ii. The security kernel comprises all resources that supervise system activity in accordance with the system’s security policy and is part of the operating system that controls access to system resources
         1. For the security kernel to operate, the individual processes must be isolated from each other and domains must be defined to dictate which objects are available to which subjects
   b. Multilevel security policies prevent information from flowing from a higher security level to a lower security level
   c. Least privilege – a process has no more privileges than necessary to fulfill its functions
      i. If a process needs to have its status elevated so it can interact directly with a system resource, the process’s status should be dropped as soon as its tasks are complete
         1. Less privileged processes call upon the processes with complete system privileges in the kernel to process sensitive operations


XIII. Security Models
   a. A model is a symbolic representation of a policy that maps the desires of policymakers into a set of rules that a computer system must follow
      i. A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques necessary to enforce the security policy
      ii. The security model is represented by mathematical relationships and formulas, which are mapped to system specifications and then developed by programmers through programming code
   b. State machine models – an abstract mathematical model that uses state variables to represent the system state
      i. A given state consists of all current permissions and all current instances of subjects accessing the objects.
         1. State transitions – activities that can alter the state; developers of an operating system need to look at different state transitions to determine if a system that starts up in a secure state can be put into an insecure state
         2. To allow a transition, the object’s security attributes and the access rights of the subject must be reviewed and allowed by the operating system
         3. A system that has employed a state model will be in a secure state in each and every instance of its existence
      ii. If subjects can access objects only by means that are concurrent with the security policy, the system is secure
      iii. A state machine model provides mathematical constructs that represent sets (subjects and objects) and sequences. When an object accepts an input, this modifies a state variable (e.g. [Name, Value])
         1. Developers must define what and where the state variables are and then define a secure state for each state variable
         2. Developers must define and identify allowable state transition functions
            a. After the state transition functions are defined, they must be tested to verify that the overall machine state will not be compromised
            b. Developers must identify all the initial states (default variable values) and outline how these values can be changed so the resulting values (final states) still ensure the system is safe

   c. Division B – Mandatory Protection – MAC is enforced through security labels. The architecture is based on the Bell-LaPadula security model, and evidence of reference monitor enforcement must be available
      i. B1: Labeled Security – each data object must have a classification label, each subject must have a clearance label. The system compares the security labels to ensure that requested actions are acceptable. Data leaving the system also have an accurate security level. The security policy is based on an informal statement and the design specifications are reviewed and verified
      ii. B2: Structured Protection – the security policy is clearly defined and documented, and the system design and implementation are subjected to more thorough review and testing procedures; requires more stringent authentication mechanisms and well-defined interfaces among layers. Subjects and devices need labels and the system cannot allow covert channels. A trusted path for logon and authentication processes must exist (that cannot be compromised). Operator and administration functions are separated within the system to provide more trusted and protected operational functionality. Distinct address spaces must isolate processes and a covert channel analysis should be conducted.
      iii. B3: Security Domains – More granularity is provided in each protection mechanism and the programming code that is not necessary to support the security policy is excluded. The reference monitor components must be small enough to test and tamperproof. The security administrator role is clearly defined. When the system starts up and loads its operating system and components, it must be done in an initial secure state to ensure that any weakness of the system cannot be exploited in this slice of time.
   d. Division A: Verified Protection – formal methods used to ensure that all subjects and objects are controlled with the necessary DAC and MAC
      i. A1: Verified Design – The assurance of an A1 system is higher than a B3 system because of the formality in the way the A1 system was designed, the way the specifications were developed, and the level of detail in verification techniques. Formal techniques prove the equivalence between the specifications and the security policy model. A more stringent change configuration is implemented and the overall design can be verified. Delivery to the customer may also be scrutinized.
   e. TCSEC addresses confidentiality but not integrity
XIV. The Orange Book and Rainbow Series
   a. The Orange Book mainly addresses government and military requirements and expectations for their computer systems. Many people within the security field have pointed out several deficiencies in the Orange Book when it is being applied to systems that are to be used in commercial areas
      i. It looks specifically at the OS and not at other issues like networking, databases, etc.
      ii. It focuses mainly on one attribute of security – confidentiality
      iii. It works with government classifications and not the protection classifications commercial industries use
      iv. It has a relatively small number of ratings
   b. The Orange Book emphasizes controlling which users can access a system and not what they can do with the information once authorized. Commercial organizations are more concerned about the integrity of their data.

XV. TOC/TOU countermeasures
   a. To protect against race condition attacks, programmers should use atomic operations, where only one system call is used to check authentication and then grant access in one task. This should prevent the processor from switching to another process in between two tasks.
   b. To avoid TOC/TOU attacks, the operating system should apply software locks to items it will use when it is carrying out its “checking” tasks (e.g. if a user requests access to a file, while the system is validating the user’s authorization, it should put a software lock on the file being requested)
      i. Locks can be applied to files easily but it is more difficult to secure database components and table entries
XVI. Buffer Overflows – occur when too much data are accepted as input to an application or operating system.
   a. A buffer is an allocated segment of memory. An attacker can insert code of a specific length into the buffer, followed by the commands the attacker wants executed.
      i. The purpose of a buffer overflow may be to make a mess by shoving arbitrary data into various memory segments, or to accomplish a specific task by pushing into the memory segment a carefully crafted set of data
         1. The task could be to open a command shell with administrative privilege or execute malicious code
   b. Software may be written to accept data from a user, website, database or another application. A procedure is code that can carry out a specific type of function on the data and return the result to the requesting software.
      i. When a programmer writes a piece of software that will accept data, this data will be stored in a variable. When the software calls upon a procedure to execute, it stacks the necessary instructions and data in a memory segment for the procedure to read from.
      ii. Data accepted from an outside entity is placed in a variable which resides in a buffer. The buffer must be the right size to accept the inputted data.
      iii. The buffers can hold data which are placed on a memory stack
XVII. Parameters are passed into empty variables and put into a linear construct (memory stack) which acts like a queue for the procedure to pull from while it carries out a calculation
   a. The return pointer is a pointer to the requesting application’s memory address that tells the procedure to return control to the requesting application after the procedure has worked through all values on the stack.
   b. The application places on top of the return pointer the rest of the data inputted and sends a request to the procedure to execute the calculation
   c. The procedure takes the data off the stack starting at the top and carries out its functions on all the data and returns the result and control back to the application once it hits the return pointer
   d. The stack is just a segment in memory that allows communication between the requesting application and procedure or subroutine
      i. Requesting applications must conduct bounds checking to ensure the inputted data are of an acceptable length
   e. In a carefully crafted buffer overflow attack, the stack is filled properly so the return pointer can be overwritten and control is given to the malicious instructions that have been loaded onto the stack instead of back to the requesting application. This allows the malicious instructions to be executed in the security context of the requesting application.
   f. Windows’ core is written in the C language and has layers and layers of object-oriented code on top of it. When a procedure needs to call on the operating system to conduct some task, it calls upon a system service via an API call.
      i. The C language is susceptible to buffer overflow attacks because it allows for direct pointer manipulations to occur. Specific commands can provide access to low-level memory addresses without carrying out bounds checking. The C functions that do perform the necessary boundary checking include strncpy(), strncat(), snprintf(), and vsnprintf().
      ii. When a buffer overflow is identified, the vendor usually sends out a patch. Some products installed on systems can also watch for input values that might result in buffer overflows
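The four bounded functions named in XVII.f.i, used the way bounds checking requires, as an added example that is not part of the original notes. The wrapper names and the 8-byte buffer are assumptions; the point shown is that each function limits the write, but the caller still has to pass the right size, terminate after strncpy(), and detect truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if a bare strncpy() left the buffer NUL-terminated, 0 if not.
 * The write is bounded, but an over-long source leaves no terminator. */
int bare_strncpy_terminates(const char *src) {
    char dst[8];
    strncpy(dst, src, sizeof dst);
    return memchr(dst, '\0', sizeof dst) != NULL;
}

/* strncpy(): copy at most dstsz-1 bytes and terminate explicitly.
 * Returns 0 if src fit, -1 if it was truncated. */
int copy_strncpy(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) < dstsz ? 0 : -1;
}

/* strncat(): the bound is the room left in dst, not the size of dst. */
int append_strncat(char *dst, size_t dstsz, const char *src) {
    const char *end = memchr(dst, '\0', dstsz);
    if (end == NULL)
        return -1;                          /* dst is not a valid string */
    size_t room = dstsz - (size_t)(end - dst) - 1;
    strncat(dst, src, room);                /* always writes a terminator */
    return strlen(src) <= room ? 0 : -1;
}

/* snprintf(): always terminates; the return value is the length the full
 * output needed, so a value >= dstsz means the input was truncated. */
int copy_snprintf(char *dst, size_t dstsz, const char *src) {
    int n = snprintf(dst, dstsz, "%s", src);
    return (n >= 0 && (size_t)n < dstsz) ? 0 : -1;
}

/* vsnprintf(): the same contract for a caller-supplied format. */
int format_bounded(char *dst, size_t dstsz, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    return (n >= 0 && (size_t)n < dstsz) ? 0 : -1;
}

int main(void) {
    char buf[8];
    const char *input = "administrator";    /* constructed over-long input */

    printf("bare strncpy terminated: %d\n", bare_strncpy_terminates(input));
    printf("copy_strncpy:  rc=%d buf=\"%s\"\n", copy_strncpy(buf, sizeof buf, input), buf);
    printf("copy_snprintf: rc=%d buf=\"%s\"\n", copy_snprintf(buf, sizeof buf, input), buf);
    copy_strncpy(buf, sizeof buf, "ab");
    printf("append_strncat: rc=%d buf=\"%s\"\n", append_strncat(buf, sizeof buf, "cdefg"), buf);
    printf("format_bounded: rc=%d buf=\"%s\"\n", format_bounded(buf, sizeof buf, "%s:%d", "id", 42), buf);
    return 0;
}
```

A return of -1 is the signal to reject or log the input rather than continue with a silently shortened value.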
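For section XV (TOC/TOU countermeasures) above, an added example in C that is not part of the original notes: a check-then-use pair of system calls beside a version that opens once, checks the descriptor it will actually use, and takes a lock on it. It assumes a POSIX system; the function names and the temporary paths under /tmp are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern, kept for contrast: the check and the use are two system
 * calls that each resolve the path, so the name can change in between. */
int open_racy(const char *path) {
    if (access(path, R_OK) != 0)            /* time of check */
        return -1;
    return open(path, O_RDONLY);            /* time of use */
}

/* Hardened pattern: open once without following a symlink, then run every
 * check on the descriptor, which cannot be re-pointed afterwards. */
int open_checked(const char *path, uid_t expected_owner) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    /* Software lock on the item being checked (advisory, whole file). */
    struct flock lk = { .l_type = F_RDLCK, .l_whence = SEEK_SET };
    if (fcntl(fd, F_SETLK, &lk) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Atomic check-and-create: one system call tests for existence and creates. */
int create_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Exercises the functions on constructed files. Bits set in the result:
 * 1 = new file created, 2 = second create refused with EEXIST,
 * 4 = regular file accepted, 8 = symlink refused by open_checked,
 * 16 = the same symlink accepted by open_racy. */
int toctou_selfcheck(void) {
    char dir[] = "/tmp/toctou-demo-XXXXXX";
    char file[64], alias[64];
    int result = 0, fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/report.txt", dir);
    snprintf(alias, sizeof alias, "%s/alias", dir);

    if ((fd = create_exclusive(file)) >= 0) { result |= 1; close(fd); }
    fd = create_exclusive(file);
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);

    if ((fd = open_checked(file, geteuid())) >= 0) { result |= 4; close(fd); }

    if (symlink(file, alias) == 0) {
        if ((fd = open_checked(alias, geteuid())) < 0) result |= 8;
        else close(fd);
        if ((fd = open_racy(alias)) >= 0) { result |= 16; close(fd); }
    }
    unlink(alias);
    unlink(file);
    rmdir(dir);
    return result;
}

int main(void) {
    printf("selfcheck bits: %d\n", toctou_selfcheck());
    return 0;
}
```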