-
Fuzzing
Sending random or malformed data to a program to test it and trigger failures
-
Seizure of property
A manager can seize property if he/she was not advised by law enforcement. 4th amendment rights do not apply to private citizens unless they are acting as a police agent.
-
Hearsay
Can include evidence created during the course of a trial; not admissible
-
MTD Examples
- maximum tolerable downtime
- Critical = minutes to hours
- Urgent = 24 hours
- Important = 72 hours
- Normal = 7 days
- Nonessential = 30 days
-
Secondary evidence
- oral evidence or copies of documents
- not considered reliable
-
Generations of programming languages (5)
- One = machine language
- Two = Assembly
- Three = High-level
- Four = Very High-level
- Five = AI and natural language
-
Gramm-Leach-Bliley
- requires financial institutions to develop privacy notices for each customer
- also requires each institution to have a comprehensive security program in place
-
Assembly language
- Allows for direct control of very basic activities within a computer system, such as pushing data onto or popping it off a stack
- attackers commonly use this language to control how malicious instructions are carried out
-
Computer Fraud and Abuse Act
- clarified the 1984 law and added:
- 1. using a federal computer in a fraudulent activity
- 2. modifying or damaging a federal computer resulting in a loss of $1000 or more
- 3. trafficking computer passwords
-
Evidence life cycle
- collection and identification
- storage, preservation and transportation
- presentation in court
- return to victim or owner
-
Enticement
"Legally and ethically making a system attractive to an attacker and logging an attacker's actions for use in future prosecution"
-
Electronic Communications Privacy Act of 1986
wiretapping
-
Exigent circumstances
could allow law enforcement to seize evidence without a warrant, such as when a suspect tries to destroy the evidence
-
Incident handling
Contain and repair any damage caused by an event and prevent further damage
-
ActiveX
- software components are digitally signed
- runs only on Windows systems
versus Java which uses bytecode and sandboxes
-
Slamming vs. cramming
- Slamming = service provider changed without consent
- Cramming = bogus charges
-
Split knowledge procedures
ensures that no one person possesses all of the necessary steps for carrying out an important task; a way of spreading the knowledge
-
Polyinstantiation
- Creating a duplicate, fake record to prevent an inference attack
- allows more than one row to contain the same primary key
-
S-RPC
- Secure Remote Procedure Call
- uses Diffie-Hellman public key cryptography to determine the shared secret key for encryption with the DES algorithm
-
Trusted recovery
- Ensures that the right processes are followed after a system failure; either:
- system reboot
- emergency system restart
- cold start
-
Software development
Customer requirements are in the 2nd phase; not project initiation
-
Enterprise JavaBeans (EJB)
- structural design for the development and implementation of distributed applications written in Java
- provides interfaces and methods to allow different applications to communicate
-
Logic bomb
Relies on some action by the user such as saving a file
-
Neural networks
have the ability to LEARN through different scenarios vs.
expert systems - use inference to identify patterns but cannot learn
-
Multipartite virus
- Goes after boot records and system files
- Can be very damaging, affecting more areas of a system
-
Life cycle assurance
- pertains to the product's architecture and how it was developed, for example:
- - design specifications
- - clipping level configurations
- - unit and integration testing
- - configuration management
- - trusted distribution
-
Operational assurance
- basic features and architecture, such as:
- - access control mechanisms
- - separation of privileged and user code
- - auditing and monitoring capabilities
- - covert channel analysis
- - trusted recovery
-
SATAN
- Security Administrator Tool for Analyzing Networks
- scanning tool that can uncover weaknesses within a network
-
Diffie-Hellman
- discrete logarithms in a finite field
- vulnerable to man-in-the-middle attack
- Key Agreement Protocol
-
RSA
- de facto asymmetric algorithm
- difficulty of factoring large numbers
- one-way function = easy to do in one direction (multiplying prime numbers) but hard to impossible in the other direction (factoring into primes)
- key size of 1,024 bits and larger should be used
- encryption, key exchange and digital signatures
-
DES
- symmetric block cipher (DEA)
- 64 bit blocks
- true key size is 56 bits! (8 bits parity)
- 16 rounds
-
ECB
used to encrypt a small amount of data
-
OFB
- does not pass errors; used in a noisy environment where there could be corruption
- (no chaining involved)
-
3 tiered model
- More secure than the 2 tier client server model
- Separates user interface, functional process logic and back-end database/storage
-
OSI Stack
- Application = Message
- Transport = segment (message plus TCP header)
- Network = datagram (segment plus routing and addressing)
- Data link layer = frame (datagram plus header and trailer)
-
VPN tunneling (3)
- PPTP - de facto standard; works only over IP networks at the data link layer
- IPSEC - not used over dial-up; only works with IP networks at the network layer; provides authentication and encryption; designed for point to point (device to device)
- L2TP - can extend a WAN; a hybrid of L2F and PPTP; works at data link layer; needs to work with IPSEC for security
-
Bluejacking
- a harmless nuisance; NOT a malicious attack
- involves sending unsolicited information/contacts to a Bluetooth device
-
Cross-site scripting (XSS) (3)
- Persistent = server side; bad input is allowed and STORED on a website (also called 2nd order)
- Non-persistent = URL redirect to a rogue script to try and steal credentials (also called reflected vulnerability)
- DOM-based = client side; malicious script runs within the browser
-
Routing Protocols
- Internet is essentially a network made up of AS's and routing protocols
- AS = autonomous systems which is a grouping of nodes (networks) with common characteristics
- Within an AS, use internal routing protocols such as: Interior Gateway Protocol (IGP)
- - IGP can be one of 2 types
- - Distance-based, like RIP (Routing Information Protocol) OR IGRP (Interior Gateway Routing Protocol)
- - State-based (link-state), like OSPF (Open Shortest Path First) OR IS-IS (Intermediate System to Intermediate System)
- Between AS's use EGP (Exterior Gateway Protocol) such as BGP (Border Gateway Protocol)
-
IGRP
- Proprietary to Cisco
- Interior Gateway Routing Protocol
-
Email spoofing
- Easy to execute because SMTP lacks adequate authentication
- a simple Telnet connection to port 25 followed by a handful of SMTP commands allows spoofing
-
SONET and ATM
SONET is the multi-lane highway and ATM are the encapsulated cars on the highway
-
802.1AR
specifies unique per-device identifiers and cryptographically binds a device to its identifier
No such thing as 802.1XR
-
Platform as a Service (PaaS)
- the software environment that runs on top of the IT network
- a computing platform which can include OS, database and web server
-
Bridge-mode virtual firewall
Allows the firewall to monitor individual traffic links between guest systems, not network links
-
Steganography (3)
- Stego-medium = the medium used for transport, such as a .doc or JPEG file
- Carrier = the signal, data stream or file that holds the message
- Payload = the actual message
-
End to end encryption
- Takes place within the application layer
- only encrypts the data payload
-
SSL
- works at the Transport layer
- uses public key encryption
- provides data encryption, authentication and message integrity
HTTP is at the application layer
-
PKI
uses a hybrid of asymmetric and symmetric algorithms
public key cryptography = asymmetric
- symmetric algorithms provide confidentiality
- asymmetric algorithms provide authentication and nonrepudiation
- hashing algorithms provide integrity
-
Key Derivation Functions
- A master key used to generate symmetric sub-keys
- derives the keys from a secret value
-
Key lifetime
- corresponds to the value/sensitivity of the data
- less secure data may allow for a longer key lifetime
-
Stream cipher is similar to:
One time pad because it is bit by bit encryption (XOR)
AES is a symmetric BLOCK cipher
-
Stream cipher (example) vs Block ciphers
Stream = RC4
Block = DES, 3DES, RC5, AES, IDEA, Blowfish, RC6
-
SSL process
- starts with the client connection to a web server; the server returns a certificate with its public key; the client then encrypts a session key with the server's public key
- the CLIENT creates the session key
-
Link encryption vs. end-to-end encryption
Link encryption encrypts everything (headers, trailers and payload) EXCEPT some data link layer messaging; much stronger
End to end encrypts just the payload (no headers and trailers)
-
Running key cipher
Uses components in the physical world such as books, pages, rows and columns to create a key
-
Birthday attack
BRUTE force attack on hash values to try and force a collision
with a 160-bit output, a birthday attack is possible with about 2^80 attempts
-
Zero Knowledge proof
Proving that you know something without revealing more than is needed
-
Binding and Sealing
- Binding a hard disk = storing the DECRYPTION key in the TPM
- Sealing = storing a hash of the system state in the TPM
-
BIA first step
Data gathering techniques
-
Damage assessment (order)
- 1. Determine cause
- 2. Determine time required to recover
- 3. Declare a disaster (if needed)
-
Business Continuity ISO standard
ISO 27031
- 27005 = risk management
- 27001 = general guidelines
-
Work Recovery Time (WRT)
- Difference between RTO and MTD
- represents the time for restoring data, testing processes and making everything live
-
Categories of computer crimes (3)
- Computer-assisted = used as a tool in carrying out a crime, such as attacking financial systems, performing information warfare
- Computer-targeted = computer was the victim of an attack, such as DOS, malware, rootkits etc.
- Computer-incidental = computer is involved in a secondary manner, such as distribution of child porn
-
Council of Europe Convention
FIRST international treaty seeking to address computer crimes and improving investigative techniques
-
Types of Law (5)
- Customary - deals primarily with personal conduct and patterns of behavior; not widely used unless mixed with something else
- Civil (code) law - rule-based; not precedent-based; most widespread system in the world; most of Europe
- Common law - based on previous interpretation of law; 3 types: Civil/tort; Criminal; Regulatory; used in US, England etc.
- Religious law - responsibilities and obligations to others and religious duties; Islamic law
- Mixed law - usually a combination of civil and common law
-
Trademark
protects a word, name, symbol, sound or logo
-
Computer Fraud and Abuse Act
- primary US federal antihacking law
- addresses 7 forms of computer activity, making them federal crimes
-
Due Care
- company did all it reasonably could
- put proper controls or countermeasures in place
versus due diligence which is RESEARCHING and assessing all of the possible vulnerabilities
-
Computer forensics
- synonymous with digital forensics, network forensics, electronic data discovery, cyber forensics
- all-encompassing term dealing with processes to examine computer usage so that evidence is admissible in a court of law
-
Secondary evidence
- not considered as reliable as best evidence
- includes oral evidence of a witness; copies of documents etc.
as compared to best or primary evidence such as an original signed document
-
Legally admissible evidence (4)
- Authentic - RELEVANT; has a reasonable and sensible relationship to the findings
- Complete - presents the whole truth
- Sufficient - believable and persuasive
- Reliable - consistent with the facts; not based on opinion, copies or circumstantial evidence such as computer generated documents or an investigator's notebook
-
Circumstantial evidence
Can prove an intermediate fact that allows one to assume or deduce another fact; insufficient by itself
-
Internet Architecture Board (IAB)
- coordinates Internet design, engineering and management
- responsible for the IETF which issues Requests for Comments
- issues ethics-related statements concerning Internet use; tries to protect the Internet as a resource
-
Computer Ethics Institute
- nonprofit
- has issued its own 10 commandments of Computer Ethics
-
Incident Response stages (6)
- Triage = assess scope and severity
- Investigation = collection of data; as well as analysis, interpretation, reaction and recovery
- Containment = buys time for further work; isolate the system
- Analysis = gather more data to figure out who did it and how
- Tracking = determine if the source was internal or external and how the offender gained access
- Recovery = implement necessary fixes
-
Locard's Principle of Exchange
states that a criminal takes something with him and leaves something behind
-
International Organization on Computer Evidence (IOCE)
drew up international principles for procedures related to digital evidence and to guarantee the ability to use digital evidence collected by one nation state in the courts of another
-
ACID test
- Used in On Line Transaction Processing (OLTP) databases to ensure integrity
- Atomicity - either all modifications take effect or none at all
- Consistency - enforcement of integrity rules
- Isolation - no interaction with other processes or transactions
- Durability - once committed, rollback is not allowed
-
Concurrency
- Different processes (applications and users) are accessing the database at the same time
- can result in overwrites or deadlock
- thus reducing integrity
- can be prevented by locking
-
Polymorphism
When different objects are given the same inputs and react differently, i.e. the same input produces different results
-
Object-oriented database (as opposed to others)
when an application queries for data, it receives BOTH the data and the procedure
- relational - applications use their own procedures; 2-dimensional tables linked by relationships
- hierarchical - must have knowledge of a well-defined path to traverse the tree
-
Regression testing
Retesting a system after changes have been made; oftentimes a change or fix can break something else
-
Tunneling virus
Attempts to install itself under an antivirus program
-
Polymorphic virus
- produces varied copies of itself
- might use noise or bogus instructions or change the sequence of instructions
- might vary its encryption methods
-
Java
- object-oriented, platform-independent programming language
- Compiler converts source code to bytecode; JVM converts bytecode to machine code (which is why it can run on multiple machines/processors)
-
Database integrity types (3)
- Entity - ensures tuples are uniquely identified by one primary key
- Referential - ensures that all foreign keys REFER to existing primary keys
- Semantic - ensures that rules and semantics of the database are followed
-
High cohesion and low coupling
HIGH cohesion - Carries out FEW tasks (simpler)
Low coupling - little interaction with other modules (low dependency)
-
Modified prototype method
used when the developer and client are unsure of the final nature of the product
-
SOAP and RPC
- SOAP was designed to replace RPCs to allow applications to communicate
- designed to work across multiple operating systems
- works with HTTP and is allowed through firewalls
-
Programming languages generations
- Machine language - 1st gen = binary is time consuming and prone to errors
- Assembly - 2nd gen = symbols saved time but required deep knowledge of machine architecture
- High level - 3rd gen = used abstract statements If-then-else
- Very high level - 4th gen = natural language; SQL
-
Deferred commitment (in OOP)
the ability to make a change to a component without changing other parts of the system
-
Checkpoint
- used to recover data if there is a system failure
- periodically saves the state of the application and the user's information
- like a word processor working with a "recovered" document
-
ISO 27034
standard that provides guidance for secure applications
27005 provides standards for Information Security RISK management
-
Software configuration management (SCM) system
- during development within the SDLC, ensures that software integrity, change control and traceability are maintained
- can also provide concurrency management, versioning and synchronization
-
Purging
- makes the information unrecoverable, even with extraordinary effort
- required if the media is to be reused in a different compartment or removed from the original area
- can be done with degaussing, zeroization and destruction
-
System cold start
Usually requires intervention by an administrator or user
-
RAID
- RAID 0 = striping only
- RAID 3 = byte level striping and dedicated parity disk
- RAID 5 = BLOCK level striping and parity across ALL disks; most common
- RAID 10 = combination of 1 and 0; striping and mirroring; can survive multiple drive failures
-
Address spoofing
- can be done with tools like Juggernaut and HUNT
- cannot be done if running SSL, IPSEC or Kerberos
-
Double blind test
- stealth assessment
- double-blind is when the network and security staff are not aware of the test
- (blind, double-blind or targeted)
-
Mirroring vs. duplexing
- Mirroring = uses the same controller to simultaneously write to separate disks
- Duplexing = uses two or more controllers