Security Cert Study Notes

Introduction

Security certs are hard because of their global nature, so I have compiled my study notes into this blog post in the hopes it might help others too.

Treat this as a blob of possibly-correct-but-possibly-not information rather than a definitive source of truth.

U.S.

American Laws

• DMCA is a 1998 United States copyright law.
• GLBA is the Gramm–Leach–Bliley Act.
  • Also known as the Financial Services Modernization Act of 1999
  • GLBA requires financial institutions to protect the privacy of consumer information
  • GLBA requires institutions to send privacy notices
• Economic Espionage Act
  • e.g.: Stops people bringing trade secrets to a competitor
• FISMA is the Federal Information Security Management Act of 2002
  • Covers defense contractors
• CALEA - Communications Assistance for Law Enforcement Act
  • Also known as the “Digital Telephony Act”
  • It’s used for wiretapping
• SOX - Sarbanes–Oxley Act
  • Requires internal controls assessments, including IT transaction flows
  • Applies to publicly traded companies
• SSAE-18 - Statement on Standards for Attestation Engagements no. 18
  • Its focus is reporting on the quality (accuracy, completeness, fairness) of financial reporting.

US Government Agencies

• USPTO - United States Patent and Trademark Office

RFC (Requests for comments)

• RFC 1087 - Ethics and the Internet

Study Notes

Due care, Due dilligence and the prudent man rule

• Due Care: Doing the right thing
• Due Dilligence: The proactive approach of auditing due care has been taken. Risk assesments, security aduits, etc.
• Prudent Man Rule: Determine whether due care has been taken. This rule involves considering what a reasonable person would do in a similar situation.

STRIDE

• STRIDE is a model for identifying security threats
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

Courts

Standard of proof required on a computer crime case:

• Beyond a reasonable doubt

Parol Evidence Rule:

• The Parol Evidence Rule generally prevents parties from presenting oral evidence that changes the terms of a written contract.

Risk Management

• RMM - Risk Maturity Model

Business Continuity Planning

• BCP - Business Continuity Plan
  • CEO unlikely to be included in a BCP team

Frameworks

• COBIT - Control Objectives for Information and Related Technologies
  • Framework for information technology management and governance
  • Used by business owners
• ITIL - Information Technology Infrastructure Library
  • “The Information Technology Infrastructure Library (ITIL) is a set of practices and a framework for IT activities such as IT service management (ITSM) and IT asset management (ITAM) that focus on aligning IT services with the needs of the business.”

CASB

• CASB - Cloud Access Security Broker

US Government Data Classification

(Highest to lowest)

• Top Secret - disclosure could be expected to cause exceptionally grave damage to the national security.
• Secret - disclosure could be expected to cause serious damage to the national security.
• Confidential - disclosure could be expected to cause damage to the national security.

Tangible Assets

• Tangible assets are physical things

Windows Tooling

Microsoft Group Policy

• Group Policy
  • Infrastructure that allows you to specify managed configurations for users and computers through Group Policy settings and Group Policy Preferences.
  • Useful for ensuring that workstations are being checked for compliance and that settings are applied as required.

SCCM

• SCCM - Microsoft System Center Configuration Manager
  • Used for managing large groups of computers providing remote control, patch management, software distribution, operating system deployment, and hardware and software inventory

SCOM

• SCOM - System Center Operations Manager
  • “is a cross-platform data center monitoring system for operating systems and hypervisors. It uses a single interface that shows state, health, and performance information of computer systems. It also provides alerts generated according to some availability, performance, configuration, or security situation being identified. It works with Microsoft Windows Server and Unix-based hosts.”

Data Center Security

Fires

• Incipient stage is the earliest a fire can be detected by ionisation
• Preaction - Fill pipes with water when initial signs of fire is detected, then release when heat is detected.
• FM-200 - a non-flammable gas used for fire suppression
• Wet Pipe - In a wet system, the pipes are filled with pressurized water. This can add risk to data centers

SCADA

• SCADA - supervisory control and data acquisition
  • e.g.: Systems used to control industrial processes in a power plant
  • e.g.: Industrial control systems

Security Models

Clark Wilson

• Uses security labels

Items and procedures:

• CDI - Constrained data item
• UDI - Unconstrained data item
• IVP - Integrity verification procedure
• TPs - Transformation procedures

Graham-Denning

• Uses 8 primary protection rules or actions
  • Securely create/delete an object
  • Securely create/delete a subject
  • Securely provide the read/grant/delete/transfer access right

Bell-LaPadula

• Ensures confidentiality by blocking lower-classified objects from accessing higher-classified objects.

Biba Integrity Model

• It focuses on protecting objects from integrity threats
• Simple Integrity Property - Can’t read down
• The * (star) Property - No write up

Take-Grant Model

Four rules:

• Take rule: Allow subject to take rights of an object
• Grant rule: Allow subject to grant rights to an object
• Create rule: Allow subject to create new rights
• Remove rule: Allow subject to remove rights it has

Trusted Platform Module

• TPM - Trusted Platform Module
  • “Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.”

Cryptography

Kerckhoffs Princiapal

• Kerckhoffs Princiapal - Cryptographic algorithms should be open to public inspection

Zero Knowlegde Proof

• Zero Knowlegde Proof
  • “is a method by which one party (the prover) can prove to another party (the verifier) that a given statement is true, while avoiding conveying to the verifier any information beyond the mere fact of the statement’s truth.”

Attacks

• Frequeny Analysis Attack
  • “Frequency analysis is the study of the frequency of letters or groups of letters in a ciphertext.”
  • Also known as counting letters
• Side Channel Attack
  • Based on extra information that can be gathered because of the way it is implemented, rather than flaws in the design of the algorithm itself
  • e.g.: Processor utilisation, timing information, power consumption, electromagnetic leaks, etc.
• Timing Attack
  • Example of a side channel attack
  • Attacker measure how long cryptographic operations take to complete
  • This helps give information on the cryptographic process
• Fault Injection Attack
  • Utilises some type of external fault, for example high voltage, high/low temperature, etc.
• Replay Attack
  • Replays an intercepted encrypted message, often a request for authentication
• Birthday Attack
  • Collision attack / reverse hash matching
• Known Plaintext
  • Attacker has a copy of the plain text message and it’s encrypted version (ciphertext)
• Chosen Plaintext
  • When the attacker can get ciphertext corresponding to a plaintext of their own choosing
• Chosen Ciphertext
  • When the attacker can decrypt chosen parts of the ciphertext, and use this to discover the key
• Meet in the middle
  • 2DES is vulnerable to this

Common Criteria

Two key elements:

• PPs - Protection Profiles
• STs - Security Targets

Evaluation Assurance Levels:

• EAL1 - Functionally tested
• EAL2 - Structurally tested
• EAL3 - Methodically tested and checked
• EAL4 - Methodically designed, tested and reviewed
• EAL5 - Semi-formally designed and tested
• EAL6 - Semi-formally verified, designed and tested
• EAL7 - Formally verified, designed and tested

Security Breach

• TEMPEST
  • “TEMPEST is a U.S. National Security Agency specification and a NATO certification referring to spying on information systems through leaking emanations, including unintentional radio or electrical signals, sounds, and vibrations.”
  • This covers topics like the Van Eck radiation phenomenon.
• Mimikatz tool - “is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit.”
  • Used in “Pass the hash” attacks
• ASLR - Address Space Layout Randomisation
  • “Preventing exploitation of memory corruption vulnerabilities”
• zzuf - Application Fuzzer
• Nikto - Open source web server scanner
• Metasploit - Penetration testing framework
• OpenVAS - Open Vulnerability Assessment Scanner
• Nessus - Tenable Vulnerability Scanner for networks, etc.
• MBSA - Microsoft Baseline Security Analyzer
• Bugtraq - Bugtraq was an electronic mailing list dedicated to issues about computer security. No new posts since 2021.

Encryption Algorithms

2DES

• 2DES - Doubel DES
  • Vulnerable to Meet-in-the-middle (Unlike DES and 3DES)

CRL

• CRL - Certificate Revocation List
  • “a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted”

Wireless networks

WPA

• Instead of using LEAP, should use PEAP or EAP-TLS
• Implement WPA2 if supported
• WPA3 in SAE mode
  • This is the best option to allow hotel guests to connect to wifi with an account
• WPA2 Enterprise Mode
• This uses radius which can lock out password attempts

802.1x - EAP

• EAP
• Port based auth

802.3 - Ethernet

• Cat 5e - 1000 Mbps

802.11a - Wireless

802.11ac

• Ad-hoc mode
• ac is fastest

802.11n

• 2.4 GHx and 5 GHz

802.15.1 - Bluetooth

• Note: Bluetooth does not provide strong encryption

TCP

• RST means reset

OSI Model

• Application
  • SMTP, HTTP, SNMP, etc.
  • Uses Data Streams
• Presentation
  • JPEG, ASCII, MIDI, etc.
  • Uses Data Streams
• Session
  • Uses Data Streams
  • Removing the header from data is called de-encapsulation
• Transport
  • Uses Segments
• Network
  • ICMP, RIP, network address translation
  • Uses Packets
• Data Link
  • ARP / RARP (Reverse Address Resolution Protocol)
  • MAC addresses
  • Uses Frames
• Physical
  • Uses Bits

VoIP

• SIPS - Session initilisation protocol
  • Secure VoIP with SIPS
  • SIP == not encrypted
  • SIPS == encrypted

Routing

• Distance-vector protocol
  • Maintains a list of destination networks, and distance in hops and the direction of traffic

S/MIME

• Usage modes:
  • SIP = not encrypted
  • SIPS = encrypted
• Signed messages that provide integrity, sender auth, and non-repudiation
• Enveloped message mode that provides integrity, sender auth and confidentiality

Multilayer Protocols

• Drawback is covert channels are allowed

IPSec

IPSec provides:

• Encryption, Access Control, Non-repudiation and message authentication

4G Service Providers

• Encryption Capabilities
• Device-based Authentication
• SIM-based Authentication

5G Network

Advantages over 4G:

• Enhanced subscriber identity protection
• Mutual authentication capabilities

PAN - Personal Area Networks

• Zigbee is ideal for lower power IoT / Personal Area Networks

VPN Protocols

• PPTP - Point-to-Point Tunneling Protocol
  • PPTP is an obsolete method for implementing virtual private network
• L2TP - Layer Two Tunneling Protocol
  • L2TP is an extension of PPTP
  • L2TP is more secure than PPTP
• IPsec
  • Internet Protocol (IP) is the common standard
  • IPSec adds encryption and authentication to make the protocol more secure.
• VNC - Virtual Network Computing
  • VNC is a graphical desktop-sharing system that uses the Remote Frame Buffer protocol (RFB) to remotely control another computer.

Localhost

• 127.0.0.1 is an example of a lookback address

Network Storage

• FCoE - Fibe Channel over Ethernet

Access Control

• Capability Table
  • This focuses on subjects and which objects can access them.
• Access Control Matrix
  • ACM is a table that lists objects, subjects and their privileges.
• Access Control List
  • ACL lists focus on objects and which subjects can access them.

AAA

AAA services concept refers to identification, authentication, authorisation, auditing, and accounting

• TACACS+ is the most commonly used AAA protocol

RADIUS

• Often used for network access
• RADIUS uses UDP
• Only passwords are encrypted
• Can implement encryption over TCP using TLS for protection

SPML

• SPML - Service Provisioning Markup Language
  • SPML is an XML-based framework for exchanging user, resource and service provisioning information between cooperating organizations.

Federation vs SSO

• “The key difference between SSO and FIM is while SSO is designed to authenticate a single credential across various systems within one organization, federated identity management systems offer single access to a number of applications across various enterprises.” - okta

Biometric Factor Errors

There are two types; Type 1 and Type 2

• Type 1 - FRR - False Rejection Rate
  • Error occurs when a valid subject is not authenticated
• Type 2 - FAR - False Acception Rate
  • Error occurs when an invalid subject is incorrectly validated

CER (Crossover error rate) is the cross over of FAR and FRR.

OpenID Connect

OpenID Connect uses JSON

Authorisation Mechanisms

• RBAC (Role BAC)
  • e.g. give permissions based on job role
• Rule BAC
  • Firewalls, etc.
• DAC
  • Subjects can give other subjects rights. Like google doc sharing.
• ABAC
  • Policy based access control. Uses info about subjects
• MAC
  • e.g. Access control model enforced by operating system

Testing

• Mutation Testing
  • “Mutation testing is used to design new software tests and evaluate the quality of existing software tests. Mutation testing involves modifying a program in small ways.”

Printers

• Line Printer Daemon protocol
  • LPR - Line Printer Remote (Port 515)
  • LPD - Line Printer Daemon (Port 9100)

SOC - Security Operations Centre

• SOC 1
  • Focuses on financial reporting
• SOC 2
  • Focuses on a broader range of data management practices
  • Type 1: Covers short time frame
  • Type 2: Covers long time frame
• SOC 3
  • Provides a summary of the SOC 2 report

Monitoring

Logging

• NetFlow - Collect IP network traffic as it enters or exits an interface

UEBA

• EUBA - User and entity behaviour analysis
  • “Security software that uses behavioral analytics and machine learning to identify abnormal and potentially dangerous user and device behavior.”

EDR - Endpoint Detection Response

• EDR - Endpoint Detection Response

QoS

• QoS - Quality of service
  • Can be used to prioritise traffic based on a policy

Backups

• Differential Backups
  • A differential backup strategy only copies data changes since the last full backup
• Incremental Backups
  • Incremental data backup strategy copies data changes since the last backup
• Electronic Vaulting
  • Automated technology moves database backups from primary database server to a remote site on a scheduled basis, typically daily.
• Remote Journaling
  • Remote journaling involves backing up the data in a database and transporting it to a remote site more frequently, usually once every hour.
• Remote Mirroring
  • e.g. Real time mirroring of live database to mirror so it can take over at any time

SW-CMM - Software Capability Maturity Model

• SW-CMM - Software Capability Maturity Model
• Level 1 - Initial
  • “The starting point for use of a new or undocumented repeat process”
• Level 2 - Repeatable
  • “The process is at least documented sufficiently such that repeating the same steps may be attempted.”
• Level 3 - Defined
  • “The process is defined/confirmed as a standard business process”
• Level 4 - Managed (Capable)
  • “The process is quantitatively managed in accordance with agreed-upon metrics.”
• Level 5 - Optimizing (Efficient)
  • “Process management includes deliberate process optimization/improvement.”

CAB

• CAB - Change-advisory board
  • Review and approve/reject code changes

Stealth Virus

• “A stealth virus is a computer virus that uses various mechanisms to avoid detection by antivirus software”
• When the computer has a virus that the anti-virus can’t detect.

RFC - Request For Change

• Contains a description of each proposed change

Polyinstantiation

• Polyinstantiation
  • Protect against database inference attacks
  • “Polyinstantiation is the presence of multiple instances of the same data, where the instances differ for the access class associated with them.”

SDC - Software Defined Security

• “The functions of network security devices, such as firewalling, intrusion detection, access controls, and network segmentation are extracted from hardware devices to a software layer.”

MDM - Mobile Device Management

Features include:

• Remotely wiping the device
• Enforcing encryption
• Managing device backups

Facility Design

OSHA - Occupational Safety and Health Administration

EPA - Environmental Protection Agency

CPTED - Crime Prevention Through Environmental Design

Recommendations include:

• Keep planters under 2.5m tall
• Data center should be in middle of building

3 main strategies:

• Natural access control
• Natural surveilance
• Natural territorial reinforcement

Power Supplies

Dual Power Supplies

• Can mitigate power loss caused by equipment failures
• Can address hardware issues that arise within the server, allowing the server to stay on if one of the power supplies fail

SCAP

• SCAP - Security Content Automation Protocol
• “The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization, including e.g., FISMA (Federal Information Security Management Act, 2002) compliance.”

XST - Cross-Site tracing

• Cross-Site tracing leverages HTTP TRACE or TRACK. Used to steal a user’s cookies via XSS (cross-site scripting)