CISSP5

Sending random data to a program to test and trigger for failures

A manager can seize property if he/she was not advised by law enforcement. 4th amendment rights do not apply to private citizens unless they are acting as a police agent.

Can include evidence created during the course of a trial; non admissable

• maximum tolerable downtime
• Critical = minutes to hours
• Urgent = 24 hours
• Important = 72 hours
• Normal = 7 days
• Nonessential = 30 days

• oral evidence or copies of documents
• not considered reliable

• One = machine language
• Two = Assembly
• Three = High-level
• Four = Very High-level
• Five = AI and natural network language

• requires financial institutions to develop privacy notices for each customer
• also requires each institution to have a comprehensive security program in place

• Allows for direct control of very basic activities within a computer system as in pushing data off a stack
• attackers commonly use this language to control how malicious instructions are carried out

• clarifies 1984 law and added:
• 1. using a federal computer in a fraudulent activity
• 2. modifying or damaging a federal computer resulting in a loss of $1000 or more
• 3. trafficking computer passwords

• collection and identification
• storage, preservation and transportation
• presentation in court
• return to victim or owner

"Legally and ethically making a system attractive to an attacker and logging an attacker's actions for use in future prosecution"

wiretapping

could allow law enforcement to seize evidence without a warrant, such as if a suspect ties to destroy the evidence

Contain and repair any damage caused by an event and prevent further damage

• software components are digitally signed
• runs only on windows systems

versus Java which uses bytecode and sandboxes

• Slamming = service provider changed without consent
• Cramming = bogus charges

ensures that no one person possess all of the necessary steps for carrying out an important task; way of spreading the knowledge

• Creating a duplicate, fake record to prevent an inference attack
• allows more than one row to contain the same primary key

• Secure Remote Procedure Call
• uses Diffie Hellman public key cryptography to determine the shared secert key for  encryption with the DES algorithm

• Ensures that the right process es are followed after a system failure; either:
• system reboot
• emergency system restart
• cold start

Customer requirements are in the 2nd phase; not project initiation

• structural design for the development and implementation of distributed applications written in Java
• provides interfaces and methods to allow different applications to communicate

Relies on some action by the user such as saving a file

have the ability to LEARN through different scenarios vs.

expert systems - use inference to identify patterns but can not learn

• Goes after boot records and system files
• Can be very damaging, affecting more areas of a system

• pertains to the product's architecture and how it was developed, for example:
• - design specifications
• - clipping level configurations
• - unit and integration testing
• - configuration management
• - trusted distribution

• basic features and architecture, such as:
• - access control mechanisms
• - separation of privileged an user code
• - auditing and monitoring capabilities
• - covert channel analysis
• - trusted recovery

• Security Administrator Tool for Analyzing Networks
• scanning tool that can uncover weaknesses within a network

• discrete logarithms in a finite field
• vulnerable to man in the middle attack
• Key Agreement Protocol

• de facto asymmetric algorithm
• difficulty of factoring large numbers
• one way function = easy to do in one direction (multiply prime numbers)  but hard to impossible in the other direction (factoring into prime)
• key size of 1,024 bits and larger should b used
• encryption, key exchange and digital signatures

• symmetric block cipher (DEA)
• 64 bit blocks 
• true key size is 56 bits! (8 bits parity)
• 16 rounds

used to encrypt a small amount of data

• does not pass errors; used in a noisy environment where there could be corruption
• (no chaining involved)

• More secure than the 2 tier client server model
• Separates user interface, functional process logic and back-end database/storage

• Application = Message
• Transport = segment (message plus TCP_
• Network = datagram (segment plus routing and addressing)
• Data link layer = frame (datagram plus header and trailer)

• PPTP - de facto standard; works only over IP networks at the data link layer
• IPSEC - not used over dial-up; only works with IP networks at the network layer; provides authentication and encryption; designed for point to point (device to device)
• L2TP - can extend a WAN; a hybrid of L2F and PPTP; works at data link layer; needs to work with IPSEC for security

• a harmless nuisance; NOT a malicious attack
• involves sending unsolicited information/contacts to a Bluetooth device

• Persistent = web side; bad input is allowed and STORED on a website (also called 2nd order)
• Non-persistent = URL redirect to a rogue script to try and steal credentials (also called reflected vulnerability)
• DOM-based = client side; malicious script runs within the browser

• Internet is essentially a network made up of AS's and routing protocols
• AS = autonomous systems which is a grouping of nodes (networks) with common characteristics
• Within an AS, use internal routing protocols such as: Interior Gateway Protocol (IGP)
• - IGP can be one of 2 types
• - Distance based like: RIP (Routing Information Protocol) which is distance based OR IGRP (Interior Gateway Routing Protocol)
• - State-based like: OSPF (Open Shortest Path First) OR IS-IS (Intermediate System to Intermediate System)
• Between AS's use EGP (Exterior Gateway Protocol) such as BGP (Border Gateway Protocol)

• Proprietary to Cisco
• Interior Gateway Routing Protocol

• Easy to execute because SMTP lacks adequate authentication
• simple Telnet command to port 25 followed by number of SMTP commands allows spoofing

SONET is the multi-lane highway and ATM are the encapsulated cars on the highway

specifies unique per-device identifiers and binds a device cryptographically

No such thing as 802.1XR

• the software environment that runs on top of the IT network
• a computing platform which can include OS, database and web server

Allows the firewall to monitor individual traffic links between guest systems, not network links

• Stego-medium = the medium used for transport such as .doc or JPEG
• Carrier - the signal or data stream or file with the message
• Payload - the actual message

• Takes place within applications layer
• only encrypts the data payload

• works at the Transport layer
• uses public key encryption
• provides data encryption, authentication and message integrity

HTTP is at the application layer

uses a hybrid of asymmetric and symmetric algorithms

public key cryptography = asymmetric

• symmetric algorithms provide confidentiality
• asymmetric algorithms provide authentication and nonrepudiation
• hashing algorithms provide integrity

• A master key used to generate symmetric sub-keys
• derives the keys from a secret value

• corresponds to the value/sensitivity of the data
• less secure data may allow for a longer key lifetime

One time pad because it is bit by bit encryption (XOR)

AES is a symmetric BLOCK cipher

Stream = RC4

Block = DES, 3DES, RC5, AES, IDEA, BLOWFISH, RC5, RC6

• starts with the client connection to a web server; the server returns a certificate with it's public key; the client then encrypts a session key with the server's public key
• the CLIENT creates the session key

Link encryption encrypts everything (headers, trailers and payload) EXCEPT some data link layer messaging; much stronger

End to end encrypts just the payload (no headers and trailers)

Uses components in the physical world such as books, pages, rows and columns to create a key

BRUTE force attack on hashing values to try and force a collision

if 160 bit output, bday attack is possible with 2 to the 80th

Proving something without needing to share more than you need to know

• Binding a hard disk = storing the DECRYPTION key in the TPM
• Sealing = storing a has of the system state in the TPM

Data gathering techniques

• 1. Determine cause
• 2. Determine time required to recover
• 3. Declare a disaster (if needed)

ISO 27031

• 27005 = risk management
• 27001 = general guidelines

• Difference between RTO and MTD
• represents the time for restoring data, testing processes and making everything live

• Computer-assisted = used as a tool in carrying out a crime, such as attacking financial systems, performing information warfare
• Computer-targeted = computer was the victim of an attack, such as DOS, malware, rootkits etc.
• Computer-incidental = computer is involved in a secondary manner, such as distribution of child porn

FIRST international treaty seeking to address computer crimes and improving investigative techniques

• Customary - deals primarily with personal conduct and patterns of behavior; not widely used unless mixed with something else
• Civil (code) law - rule-based; not precedence based; most widespread system in the world; most of Europe
• Common law - based on previous interpretation of law; 3 types: Civil/tort; Criminal; Regulatory; used in US, England etc.
• Religious law - responsibilities and obligations to others and religious duties; Islamic law
• Mixed law - usually a combination of civil and common law

protect a word, name, symbol, sound, logo

• primary US federal antihacking law
• addresses 7 forms of computer activity, making them federal crimes

• company did all it reasonably could
• put proper controls or countermeasures in place

versus due diligence which is RESEARCHING and assessing all of the possible vulnerabilities

• synonomous with digital forensics, network forensics, electronic data discovery, cyber forensics
• all encompassing term dealing with processes to examine computer usage in order for evidence to be admissable in a court of law

• not viewed as reliable as best evidence
• includes oral evidence of a witness; copies of documents etc.

as compared to best or primary evidence such as an original signed document

• Authentic = RELEVANT; has a reasonable and sensible relationship to the findings
• Complete - presents the whole truth
• Sufficient - believable and persuasive
• Reliable - consistent with the facts; not based on opinion, copies or circumstantial evidence such as computer generated documents or an investigator's notebook

Can prove an intermediate fact that allows one to assume or deduce another fact; insufficient by itself

• coordinates Internet design, engineering and management
• responsible for the IETF which issues Requests for Comments
• issues ethics-related statements concerning Internet use; tries to protect the Internet as a resource

• nonprofit 
• has issued its own 10 commandments of Computer Ethics

• Triage = assess scope and severity
• Investigation = collection of data; as well as analysis, interpretation, reaction and recovery
• Containment = buys time for further work; isolate the system
• Analysis = gather more data to figure out who did it and how
• Tracking = determine if the source was internal or external and how the offender gained access
• Recovery = implement necessaryu fixes

states that a criminal takes something with him and leaves something behind

drew up international principles for procedures related to digital evidence and to guarantee  the ability to use digital evidence collected by one nation state in the courts of another

• Used in On Line Transaction Processing (OLTP) databases to ensure integrity 
• Atomicity - either all modifications take affect or none at all
• Consistency - enforcement of integrity rules
• Isolation - no interaction with other processes or transactions
• Durability - once committed, rollback is not allowed

• Different processes (applications and users) are accessing the database at the same time
• can result in overwrites or deadlock
• thus reducing integrity
• can be prevented by locking

When different objects are given the same inputs and react differently, i.e. the same input produces different results

when an application queries for data, it receives BOTH the data and the procedure

• relational - applications uses its own procedures; 2 dimensional tables linked by relationships
• hierarchical - must have knowledge of a well-defined path to traverse the tree

Retesting a system after changes have been made; oftentimes a change or fix can break something else

Attempts to install itself under an antivirus program

• produces varied copies of itself
• might use noise or bogus instructions or change the sequence of instructions
• might vary its encryption methods

• object-oriented, platform-independent programming language
• Compiler converts source code to to bytecode; JVM converts bytcode to machine code (which is why it can tun on multiple machines/processors)

• Entity - ensures tuples are uniquely identified by one primary key
• Referential - ensures that all foreign keys REFER to existing primary keys 
• Semantic - ensures that rules and semantics of the database are followed

HIGH cohesion - Carries out FEW tasks (simpler)

Low coupling - little interaction with other modules (low dependency)

used when the developer and client are unsure of the final nature of the product

• SOAP was designed to replace RPCs to allow applications to communicate
• designed to work across multiple operating systems
• works with HTTP and is allowed thru firewalls

• Machine language - 1st gen = binary is time consuming and prone to errors
• Assembly - 2nd gen = symbols saved time but required deep knowledge of machine architecture
• High level - 3rd gen = used abstract statements If-then-else
• Very high level - 4th gen = natural language; SQL

the ability to make a change to a component without changing other parts of the system

• used to recover data if there is a system failure
• periodically saves the state of the application and the user's information
• like a word processor working with a "recovered" document

standard that provides guidance for secure applications

27005 provides standards for Information Security RISK management

• during development within SDLC, ensures that software integrity, changes and traceability is maintained 
• can also provide concurrency management, versioning and synchronization

• makes the information unrecoverable, even with extraordinary effort
• required if the media is to be reused in a different compartment or removed from the original area
• can be done with degaussing, zeroization and destruction

Usually requires intervention by an administrator or user

• RAID 0 = striping only
• RAID 3 = byte level striping and dedicated parity disk
• RAID 5 = BLOCK level striping and parity across ALL disks; most common
• RAID 10 = combination of 1 and 0; striping and mirroring; can survive multiple drive failures

• can be done with tools like Juggernaut and HUNT
• can not be done if running SSL and IPSEC or Kerberos

• stealth assessment
• double-blind is when the network and security staff is not aware of the test
• (blind, double-blind or targeted)

• Mirroring = uses the same controller to simultaneously write to separate disks
• Duplexing = uses two or more controllers