CISSP (8 Domain)

Certified Information Systems

Security Professional

Instructor : Do Duc Huy

CISSP, CISA, CEH, CCSP, CCNP, RSA CSP
[email protected]
 Module 3

CISSP – SECURITY
ENGINEERING

PART 1: SECURITY ARCHITECTURE & DESIGN OBJECTIVES

PART 2: CRYPTOGRAPHY
PART 3: PHYSICAL SECURITY
PART I: SECURITY ARCHITECTURE & DESIGN OBJECTIVES

 Security Models
 Evaluation Methods, Certification and Accreditation

 Secure System Design Concepts

 Secure Hardware Architecture

 Secure Operating System and Software Architecture

 Virtualization and Distributed Computing

 System Vulnerabilities, Threats and Countermeasures

3
SECURITY ARCHITECTURE & DESIGN
OBJECTIVES

SECURITY MODELS
 PRINCIPLES OF SECURE DESIGN

 An information system’s architecture must satisfy the defined

business and security requirements.
 Security should be built into an information system by design.

 When designing system architecture, security and business

requirements needs to be carefully balanced.
 Tradeoffs are involved in reaching a balance between security and
business requirements.
 Security should be integrated into the design, as opposed to added
later

5
 PRINCIPLES OF SECURE DESIGN

 The security requirements of an information system are driven by the

security policy of the organization that will use the system.
 To incorporate the abstract goals of a security policy into an
information system’s architecture, you will need to use security
models.
 A security model lays out the framework and mathematical models that
act as security-related specifications for a system architecture.
 The system architecture, in turn, is the overall design of the
components -such as hardware, operating systems, applications, and
networks –of an information system. This design should meet the
specifications provided by the security model.

6
 SECURITY MODELS

 What subjects and objects are

permitted to do (within a model or
framework)
 Subject (often a user)
 Object (a resource)

 Managing relationship between

subject and object is access
control
 Understand concepts of read up,
read down, write up, write down

7
 CONTROLS
 Discretionary access control (DAC)
 Defined in the Trusted Computer System Evaluation Criteria (TCSEC); Orange Book
 Means of restricting access to objects based on the identity of subjects and/or groups to which they belong
 A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any
other subject
 Mandatory access control (MAC)
 Type of access control where the operating system constrains the ability of a subject to access or perform some
sort of operation on an object
 Authorization rule enforced by the operating system kernel
 Security policy is centrally controlled by a security policy administrator
 Rule-based access control (RBAC)
 Access is allowed or denied to objects based on a set of rules defined by a system administrator
 Access properties are stored in Access Control Lists (ACL) associated with each object
 Role-based access control (also RBAC)
 Also known as Non-discretionary Access Control
 Assigns permissions to particular roles in an organization

8
 SECURITY MODELS

 State Machine Models

 The Bell-LaPadula Model **

 The Biba Model **

 The Clark-Wilson Model

 The Brewer & Nash Model

 The Information Flow Model

 The Lattice Model

 The Non-Interference Model

 Access Control Matrix

9
 STATE MACHINE MODELS

 State of a machine is captured in order to verify the security of a

system
 State consists of all current permissions and all current instances of
subjects accessing the objects.
 If the subject can access objects only by means that are concurrent with
the security policy, the system is secure
 Always secure no matter what state it is in
 Finite state machine (FSM)
 State transition

 Secure state machine

 The basis for most other security models

10
 CONFIDENTIALITY MODELS: BELL & LAPADULA

 Originally developed for the U.S. Department of

Defense
 Focused on maintaining the confidentiality of objects
 Three Access Rules:
 Simple Security Property – no read up
 * Security Property (“Star” Security Property) – no write
down
 Strong Star (*) Property –“no read/write up or down”.
 Two Object Label Rules:
 Strong and Weak Tranquility Property - security labels will
not change while the system is operating
 Weak Tranquility Property - security labels will not change
in a way that conflicts with defined security properties
11
 INTEGRITY MODELS - BIBA

 Developed after Bell-LaPadula model

 Focused on maintaining the integrity of
objects
 Three primary rules
 Simple Integrity Axiom – no read down
 * Integrity Axiom (“Star” Integrity Axiom) –
no write up
 Invocation property - a subject cannot
invoke (call upon) subjects at a higher
integrity level

 Essentially the reverse of Bell-LaPadula

12
 INTEGRITY MODELS - CLARK-WILSON MODEL

 Real-world integrity model

 Requires subjects to access objects via programs
 Programs have specific limitations to what they can and cannot do to objects
 Two primary concepts:
 Well-Formed Transactions - ability to enforce control over applications; comprised
of the “access control triple:” user, transformation procedure (TP/well-formed
transaction), and constrained data item (CDI/data that requires integrity) – integrity
verification procedures (IVPs) ensure that data are kept in a valid state
 Separation of Duties - ensures that authorized users do not change data in an
inappropriate way

 Separation of duties and transformation procedures.

1) Authorized access and
2) Modification only in an authorized manner

13
 BREWER AND NASH MODEL (AKA CHINESE WALL)
 Designed to avoid conflicts of interest by prohibiting one person, such as a
consultant, from accessing multiple conflict of interest categories (CoIs)
 Provides access controls that can change dynamically depending upon a
user’s previous actions
 Model states that a subject can write to an object if, and only if, the subject can
not read another object that is in a different data set
 Initially designed to address the risks inherent with employing consultants
working within banking and financial institutions

14
 INFORMATION FLOW MODEL
 In this model, data is thought of as being held in individual discrete
compartments
 Information is compartmentalized based on two factors: classification
and need to know
 Subject clearance has to dominate the object classification and the
subject security profile must contain the one of the categories listed in
the object label, which enforces need to know

15
 LATTICE MODEL
 Model consists of a set of objects constrained between the least upper
bound and the greatest lower bound values.
 The least upper bound is the value that defines the least level of object access
rights granted to a subject.
 The greatest lower bound is value that defines the maximum level of object
access rights granted to a subject
 The goal of this model is to protect the confidentiality of an object and only
allow access by an authorized subject.

16
 NON-INTERFERENCE MODEL

 Model ensures that actions at a

higher security level does not
interfere with the actions at a
lower security level.
 The goal of this model is to
protect the state of an entity at
the lower security level by actions
at the higher security level so that
data does not pass through
covert or timing channels.

17
 ACCESS CONTROL MATRIX

 Commonly used in OS and applications

 Table that defines access permissions between specific subjects and
objects

18
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

EVALUATION METHODS,
CERTIFICATION AND
ACCREDITATION
 EVALUATION CRITERIA

 Why Evaluate?
 To carefully examine the security-related
components of a system
 Trust vs. Assurance

 The Orange Book (TCSEC)

 The Orange Book & the Rainbow Series
 ITSEC (Information Technology Security
Evaluation Criteria)
 Common Criteria

20
 TRUSTED COMPUTER SECURITY
EVALUATION CRITERIA (TCSEC)
 Developed by the National Computer Security Center (NCSC)
 Also known as the Orange Book

 Based on the Bell-LaPadulla model (deals with only confidentiality)

 Uses a hierarchically ordered series of evaluation classes

 Defines Trust and Assurance, but does not allow for them to be
evaluated independently

21
 TCSEC RATINGS:

 A1 – Verified Protection
 B1, B2, B3 – Mandatory Protection

 C1, C2 – Discretionary Protection

 D – Minimal Security

22
INFORMATION TECH SECURITY EVALUATION CRITERIA (ITSEC)

 Created by some European nations in 1991 as a standard to

evaluate security attributes of computer systems
 The First Criteria to evaluate functionality and assurance
separately
 F1 toF10 rates for functionality

 E0 to E6 for assurance

23
COMMON CRITERIA (CC) ISO 15408

 Protection Profile
 Target of evaluation

 Security target

 Evaluation Assurance Level (EAL 1-7)

 Evaluation packages

24
 CC RATINGS - EVALUATION
ASSURANCE LEVEL
 EAL 1 – Functionally tested
 EAL 2 – Structurally tested

 EAL 3 – Methodically tested and checked

 EAL 4 – Methodically designed, tested, and reviewed

 EAL 5 – Semi formally designed and tested

 EAL 6 – Semi-formally verified designed and tested

 EAL 7 – Formally verified designed and tested

25
 CERTIFICATION & ACCREDITATION

 Certification:
 A process that ensures systems and major applications adhere to formal
and established security requirements that are well documented and
authorized.
 It is usually performed by a vendor.

 Accreditation:
 A formal declaration by a Designated Accrediting Authority (DAA) that
information systems are approved to operate at an acceptable level of
risk based on the implementation of an approved set of technical,
managerial, and procedural safeguards.

26
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

SECURE SYSTEM DESIGN

CONCEPTS
 Layering
 Abstraction
 Security Domains
 The Ring Model
 SECURITY ARCHITECTURE

 Security architecture is part of the overall architecture of an

information system. It directs how the components included in the
system architecture should be organized to ensure that security
requirements are met. The security architecture of an information
system should include:
 A description of the locations in the overall architecture where security
measures should be placed.
 A description of how various components of the architecture should
interact to ensure security.
 The security specifications to be followed when designing and
developing the system.

28
 LAYERING

 Separates hardware and software functionality into modular tiers

 Actions that take place at one layer do not directly affect components
in another
 For networking types; OSI is an example of layering (covered later)

 Generic list of security architecture layers:

 Hardware
 Kernel (and system/device drivers)

 Operating system

 Applications

29
 ABSTRACTION

 Complexity is the enemy of security

 Unnecessary details are hidden from the user
 An example: MP3 player
 A user double-clicks on an MP3 file containing music
 The operating system opens the MP3 file
 OS looks up the application associated with MP3 file
 OS sends the bits to a media player.
 The bits are decoded by a media player, which converts the information into a digital stream,
and sends the stream to the computer’s sound card.
 The sound card converts the stream into sound, sent to the speaker output device. Finally, the
speakers playsound.
 Millions of calculations are occurring as the sound plays, while low-level devices are
accessed.
 Abstraction means the user simply presses play and hears music.
30
 SECURITY DOMAINS

 A security domain is the list of objects a subject is allowed to access.

 A security domain is also a groups of subjects and objects with similar
security requirements
 Kernel - the central core of a computer's operating system; two
domains (or modes)
 User mode – user accounts and processes
 Kernel mode (or supervisor mode) – the kernel itself; low-level access to
memory and hardware components
 The two domains are separated – an error in user mode should not
affect kernel mode operation
 Operating systems run entirely in kernel mode
31
 THE RING MODEL

 Form of CPU hardware layering used to separate and

protect domains (user mode from kernel mode)
 Most CPUs (including Intel x86) have four rings
 Ring 0 – Kernel
 Ring 1 – Operating system components outside of Ring 0
 Ring 2 – Device drivers
 Ring 3 – User applications
 Processes communicate between the rings via system calls
 System calls are slow (compared to performing work within
one ring), but provide security
 Ring model also provides abstraction
 Linux and Windows use rings 0 and 3 only
 Hypervisor mode allows virtual guests to operate in ring 0,
controlled by the hypervisor one ring “below” (ring -1)

32
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

SECURE HARDWARE
ARCHITECTURE
 OPEN AND CLOSED SYSTEMS

 Open systems use open hardware and

standards, using standard components
from various vendors
 IBM-compatible PCs
 Closed systems use proprietary
hardware or software
 SYSTEM UNIT AND MOTHERBOARD

 System unit is the computer case

and everything in it.
 The motherboard is the hardware
board that typically includes:
 The Central Processing Unit (CPU),
 Memory slots

 Firmware

 Peripheral slots such as PCI

(Peripheral Component
Interconnect) slots.

35
 COMPUTER BUS
 Primary communication channel on a
computer system
 Communication between the CPU, memory,
and input/output devices such as keyboard,
mouse, display, etc., occur via the bus
 Bridges:
 Northbridge – also called the Memory
Controller Hub (MCH), connects the CPU to
RAM and video memory; directly connected to
CPU, so it’s faster
 Southbridge - also called the I/O Controller
Hub (ICH), connects input/output (I/O) devices,
such as disk, keyboard, mouse, CD drive, USB
ports, etc.
36
 THE CENTRAL PROCESSING UNIT
(CPU)
 The “brains” - capable of controlling and
performing mathematical calculations
 Everything a computer does is
mathematical
 Rated by the number of clock cycles per
second; a 2.4 GHz
 Pentium 4 CPU has 2.4 billion clock
cycles per second.
 CPU Units:
 Arithmetic Logic Unit (ALU) - performs
mathematical calculations
 Control Unit (CU) – controls and send
instructions to the ALU
37
 THE CENTRAL PROCESSING UNIT
(CPU)
 Fetch & Execute
 A process actually takes four
steps (one CPU or clock
cycle):
 Fetch Instruction 1
 Decode Instruction 1
 Execute Instruction 1
 Write (save) result 1

38
 THE CENTRAL PROCESSING UNIT
(CPU)
 Pipelining
 Combines multiple steps into
one combined process
 Simultaneous fetch
 Decode
 Execute
 Write steps
 Each part is called a pipeline
stage

39
 THE CENTRAL PROCESSING UNIT
(CPU)
 Interrupts
 Interrupts cause the CPU to stop processing its current task, save the state,
and process a new request. Once the interrupt task is complete, the
CPU will start where it left off.
 Interrupts are typically hardware related.

40
 THE CENTRAL PROCESSING UNIT
 Process
(CPU)
 An executable program and its data loaded and running in memory
 Thread
 Also called a lightweight process or “LWP” – a child process; where one
process has “spawned” another process. A heavy-weight process (or
“HWP”) is called a task; one big advantage for threads is that they can
share memory.
 Process states:
 New: a process being created
 Ready: process waiting to be executed by the CPU
 Running: process being executed by the CPU
 Blocked: waiting for I/O
 Terminate: a completed process
41
 THE CENTRAL PROCESSING UNIT
(CPU)
 Multitasking - allows multiple tasks (heavy weight processes) to run
simultaneously on one CPU
 Multiprocessing - multiple processes running on multiple CPUs
 Symmetric Multiprocessing (SMP) - one operating system to manage all CPUs
 Asymmetric Multiprocessing (AMP) - one operating system image per CPU
 Multiprogramming - multiple programs running simultaneously on one
CPU
 Multithreading - multiple threads (light weight processes) running
simultaneously on one CPU

42
 THE CENTRAL PROCESSING UNIT
(CPU)
 Watchdog Timers are designed to recover a system by rebooting after
critical processes hang or crash
 CPU Types
 Complex Instruction Set Computer (CISC) - Intel or AMD

 Reduced Instruction Set Computer (RISC) - ARM architecture

43
 MEMORY PROTECTION

 Preventing processes from accessing memory space belonging to another

 Memory protection is required for multi-user systems

44
 MEMORY PROTECTION

 Methods:
 Process Isolation
 Logical control that attempts to prevent one process from interfering with another
 Object encapsulation - treats a process as a “black box”
 Time multiplexing - multiplexes system resources between multiple processes, each with a
dedicated slice of time
 Hardware Segmentation
 Completely separate hardware
 Virtual Memory
 Virtual address mapping between applications and hardware memory
 Swapping and Paging
 Uses virtual memory to copy contents in primary memory (RAM) to or from secondary
memory (not directly addressable by the CPU, on disk)
 Kernel accessing memory in swap space results in a page fault
45
 BIOS
 Basic Input Output System contains code in firmware that is executed when a
PC is powered on
 The boot process:
 1st thing PC does is run the Power On Self-Test (POST)
 POST finds the boot sector that contains machine code for the OS kernel
 Kernel loads and executes into the OS
 In general, the MBR consists of 512 or more bytes located in the first sector of
the drive.

46
 WORM STORAGE

 Write Once Read Many

 Usually used for record retention and high integrity information
 CD-Rs, DVD-Rs, etc.

 Not CD-RWs or DVD-RWs

47
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

SECURE OPERATING
SYSTEM AND SOFTWARE
ARCHITECTURE
 TRUSTED COMPUTER BASE (TCB)

 TCB is a combination of hardware,

software, and controls that work together
to form a trusted base to enforce your
security policy
 TCB is a subset of a complete
information system
 TCB should be as small as possible
 TCB is the only portion of that system
that can be trusted to adhere to and
enforce the security policy
 TRUSTED PLATFORM MODULE (TPM)

 Developed and updated by the Trusted Computing Group

https://trustedcomputinggroup.org
 Processor that can provide additional security capabilities in hardware

 Usually on the motherboard

 Hardware-based encryption (fast)

 Boot integrity – protecting against rootkits and kernel bypass attacks

 Platform integrity and disk encryption (primary uses)

 KERNEL

 Heart (or core) of the operating system,

usually running at ring 0
 Interface between the operating system
and hardware
 Architectures:
 Monolithic kernel - compiled into one static
executable and the entire kernel runs in
supervisor mode; requires recompiling to
add new features
 Microkernel – a modular kernel; can add
functionality via loadable kernel modules
51
 KERNEL - REFERENCE MONITOR

 Reference monitor
 Core function of the
kernel
 Mediates all access
between subjects
and objects
 Always enabled and
cannot be bypassed

52
 USERS AND FILE PERMISSIONS

 Types of permissions available depend on the file system being used

 Linux and UNIX permissions
 Read (“r”)
 Write (“w”)

 Execute (“x”)

 Permissions may be set separately to the owner, group, or world

53
 USERS AND FILE PERMISSIONS

 Microsoft NTFS Permissions

 Read
 Write

 Read and execute

 Modify

 List Folder Contents (for folders)

 Full control (read, write, execute,

modify, and in addition the ability to
change the permissions.)

54
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

VIRTUALIZATION AND
DISTRIBUTED COMPUTING
 VIRTUALIZATION

 Adds a software layer between the

operating system and computer
hardware
 Multiple “guest” systems can run on
one physical “host”
 Two types:
 Transparent (or Full) Virtualization
– runs stock operating systems; no
changes to the OS are necessary
 Paravirtualization – specially
modified operating
systems/modified kernel

56
 HYPERVISOR

 Software that controls access between “guest” operating systems and

the “host” hardware
 Type 1 – part of the operating system; runs on host hardware, e.g.
VMware ESX
 Type 2 – runs as an application within the operating system, e.g.
Vmware Workstation

57
 VIRTUALIZATION

 Benefits
 Lower hardware cost
 Lower power cost

 Smaller footprint

 Security Issues
 More complex
 Easy to bring up new systems (without proper checks/balances)

 An issue in the host and/or hypervisor could affect every guest

(VMEscape)

Tip: Don’t host systems with varying security sensitivities on the same hardware
58
 CLOUD COMPUTING
 Cloud Computing: Leverage economies of scale
 Cloud services:
 Infrastructure as a Service (IaaS) – customer configures operating
system and all else (Linux server hosting)
 Platform as a Service (PaaS) – pre-configured operating system,
customer installs & configures everything else (Web service hosting)
 Software as a Service (SaaS) – everything is configured, customer
just uses (Web mail)
 Types:
 Private cloud – cloud is dedicated to one single customer
 Public cloud – cloud is shared amongst multiple organizations
 Security Issues
 Need strict SLAs
 Limited visibility
 Shared infrastructure and shared target
 Right to audit, right to assess (vulnerabilities), and right to test
(pentest)
 Physical boundaries (geographically)

59
 GRID COMPUTING

 Uses the combined power of multiple systems (can be 1000s)

 Spare resources are pooled

 Grids are a form of distributed computing whereby a “super virtual

computer” is composed of many networked loosely coupled
computers acting together to perform large tasks – Wikipedia
 SETI@home ("SETI at home") - 5.2 million participants worldwide
logging more than 2,000,000 years of aggregate computing time

60
 PEER TO PEER (P2P)

 Any system can act as a client, a server, or both

 Decentralized and neutral

 Napster (central index servers = busted), Gnutella, and BitTorrent

 IP issues, data integrity, and data loss are all risks

61
 THIN CLIENT

 Thin Clients
 Rely on central servers – central servers run applications,
store data, and simplified security
 Cheaper than full PCs
 Diskless Workstations
 Contains CPU, memory, and firmware (no disk drive)
 Kernel and operating system loaded via network
 BIOS => POST => TCP/IP => BOOTP (typically *nix) or
DHCP (more robust)
 Thin Client Applications
 Browser-based access to centralized applications and data
 Runs on a full PC
 Citrix ICA, OpenThinClient, etc.
62
 THE INTERNET OF THINGS (IOT)

 Small Internet connect devices

 Refrigerators, Televisions, home automation, etc.

 Security freaking nightmare! Vendors don’t patch, poor customer

support, features overrule security, etc.
63
SECURITY ARCHITECTURE & DESIGN OBJECTIVES

SYSTEM VULNERABILITIES,
THREATS AND
COUNTERMEASURES
 EMANATIONS

 Energy that escapes an electronic system

 TEMPEST is a National Security Agency specification and a NATO
certification referring to spying on information systems through leaking
emanations, including unintentional radio or electrical signals, sounds,
and vibrations. – Wikipedia
 COVERT CHANNELS

 Any communication that violates security policy

 Storage channels – uses storage (or storage characteristics) to violate
security policy; most common is temporary files and cache
 Timing channels – usually an inference attack using timing and delays in
processing

66
 BACKDOOR

 Backdoors
 System shortcut to bypass security checks
 Bypass login, sometimes planted as part of a
larger attack
 Maintenance Hooks
 Shortcuts installed on purpose by system
designers or programmers
 Should never be left in a production system

67
MALWARE (MALICIOUS SOFTWARE/CODE)

 Malware: Zero-day exploit is malicious code for which there is no

vendor patch (or fix)
 Computer Virus
 Doesn’t spread automatically
 Types:
 Macro virus
 Boot sector virus
 Stealth virus
 Polymorphic Virus
 Multipartite Virus

68
 MALWARE
 Worms
 Self-propagate
 Damages include:
 Malicious code itself
 Wasted resources (usually network-related)
 Famous worms include Morris Worm, ILOVEYOU, Nimda, Code Red,
and Melissa
 Trojans
 One function is benign (maybe a game)
 A second function is malicious (could be anything)

 Famous Trojans include the Zeus Trojan, CryptoLocker, Netbus, Back

Orifice, and Shedun (Android)
69
 MALWARE
 Rootkits
 Replaces portions of the kernel and/or operating system
 User-mode (ring 3, called “userland”) and kernel-mode (ring 0)

 Common rootkitted binaries are ls, ps, and many others

 Packers
 Provides runtime compression of executables (or binaries); can be used
to evade signature-based detection
 Small executable decompresser is prepended to the .exe file

 Logic Bombs
 Triggered when a logical condition is met (transaction number,
countdown, time, etc.)
 Worms often contain logic bombs
70
 ANTIVIRUS SOFTWARE
 AV Types:
 Signature-based (static signatures)
 Heuristic-based (anomaly and behavior)

 Prevention vs Monitoring and Response

 EDP: Endpoint Detection and Prevention
 EDR: Endpoint Detection and Response

71
 ATTACK TYPES

 Server-side Attacks (or service-side attacks)

 Attacking a service
 Client-side Attacks
 Downloads

72
WEB ARCHITECTURE AND ATTACKS
https://www.owasp.org/

73
 APPLETS

 Small pieces of mobile code that are embedded in other software

such as Web browsers
 Downloaded from servers and run locally
 Java:
 Object-oriented
 Bytecode is platform independent; requires the Java Virtual Machine (JVM)
 Applets run in a sandbox
 ActiveX:
 Functionally very similar to Java applets
 Only on M$ systems
 Use digital certificates for security
74
 XML AND SOA

 XML – Extensible Markup Language

 Defines a set of rules for encoding documents in a format that is both
human-readable and machine-readable
 XML documents should begin by declaring some information about
themselves
 SOA– Service Oriented Architecture
 An architectural pattern in computer software design in which application
components provide services to other components via a communications
protocol, typically over a network
 Service can be used and reused throughout an organization rather than
built within each individual application
 SOA concepts include SOAP, REST, DCOM, CORBA, and others
75
 DATABASE SECURITY

 Polyinstantiation
 Two different objects (instances) with the same name
 Depending on the security level established, one record contains
sensitive information, and the other one does not, that is, a user will see
the record's information depending on his/her level of confidentiality
dictated by the policy

76
 DATABASE SECURITY

 Inference
 Requires deduction using clues
 Controls might be polyinstantiation or diffusion

 Aggregation
 Mathematical process that asks every question
 No deduction

 Control might be limiting the number of queries

77
 PART II: CRYPTOGRAPHY

 Historical uses of Cryptography

 Security Services provided by cryptography

 Definitions and terms

 Symmetric Cryptography

 Asymmetric Cryptography

 Hybrid Cryptography

 Integrity through Hashing, MACs and Digital Signatures

 Public Key Infrastructure

 IPSec and VPN

 Attacks on Cryptography
79
 CRYPTOGRAPHY IN HISTORY

 Caesar Cipher
 Scytale

 Vignere

 Vernam

 Enigma Machine and Purple Machine

80
 CAESAR CIPHER

 Simple Substitution
 Shift Characters 3 spaces

 A=D, B=E, C=F, etc..

 Substitution Ciphers are subject to pattern

analysis

81
 SCYTALE

 Spartans used this cipher to communicate

messages to generals in the field
 Wrapped tape around a rod

 Diameter of the rod is the pre-agreed upon secret

(key)

82
 VIGENERE

 First polyalphabetic cipher

 Key word is agreed upon ahead of time

 First letter of the key is matched up against first letter of the message,
and so on

83
 CRYPTOGRAPHY IN WARFARE

 Enigma Machine/Purple Machine

 Used by the Germans/Japanese
in WWII
 Breaking the cryptography of
these devices is credited with
reducing the length of the war.

84
ALAN TURING

85
 VERNAM CIPHER
 One Time Pad
 Only mathematically unbreakable form of cryptography
 Key must be used only once
 Pad must be at least as long as the message

 Key pad is statistically unpredictable

 Key Pad must be delivered and stored securely

86
SECURITY SERVICES PROVIDED
BY CRYPTOGRAPHY
 Privacy: Prevents unauthorized disclosure of information
 Authenticity: Verifies the claimed identity

 Integrity: Detects modification or corruption

 Non-Repudiation: Combines authenticity and integrity. A

sender can’t dispute having sent a message, nor its contents.

87
 DEFINITIONS AND CONCEPTS

Plain Text + Initialization Vector + Algorithm (aka Cipher) + Key

=
CipherText

88
 INITIALIZATION VECTOR

 Here are some random numbers (I promise, they’re really random!)

7523494
If we start at track 0 and +7 +5 –2 +3 + 4 +9 -4
We still don’t have randomness. Vary the starting point and that will
make the process more random
 Very similar to a “seed” or a “salt”

89
ALGORITHM

90
 ELEMENTS OF CRYPTOGRAPHY

 Desirable Qualities of an Algorithm

 Confusion
 Diffusion

 Avalanche

 Permutations

 Open—Kerckhoff’s Principle

 Desirable Qualities of a Key

 Long

 Random

 Secret

91
 S-BOX
 Substitution-box: a best example of confusion and diffusion
 Example (DES): Given a 6-bit input, the 4-bit output is found by selecting the row using
the outer two bits (the first and last bits), and the column using the inner four bits.
 Input "011011" => Output "1001”

92
 P-BOX

 Permutation Box
 Swap the position
 Reversible

 P-Box and S-Box

93
 AVALANCHE EFFECT

 A small change in either the key or the plaintext should cause a

drastic change in the ciphertext
 Eg: SHA1

94
 DEFINITIONS AND CONCEPTS

 Plain text is unencrypted text

 Initialization Vector (IV) adds randomness to the beginning of the
process
 Algorithm is the collection of math functions that can be performed

 Key: Instruction set on how to use the algorithm

95
CRYPTOGRAPHY

96
 SYMMETRIC CRYPTOGRAPHY

 Symmetric = Same
 In symmetric cryptography the same key is used to both encrypt and
decrypt
 Very fast means of encrypting/decrypting with good strength for
privacy
 Preferred means of protecting privacy data

 Also can be called “Private Key” “Secret Key” or “Shared Key”

Cryptography

97
 STREAM VS. BLOCK

 Stream Ciphers encrypt one bit (up to one byte) of data at a time.
 Transposition, Substitution, XOR
 Very fast and efficient

 Not as Secure

 RC-4 is the only stream cipher necessary for the test

 Block Ciphers chunk data into blocks. Each chunk goes through a
series of math functions called S-boxes

98
 STREAM CIPHERS XOR

 If Values are:
 Alike: 0
 Different: 1

99
BLOCK CIPHERS

100
DRAWBACKS TO SYMMETRIC
CRYPTOGRAPHY

101
 ASYMMETRIC CRYPTOGRAPHY

 Every user has a key pair.

 Public key is made available to anyone who requests it
 Private key is only available to that user and must not be disclosed or
shared
 The keys are mathematically related so that anything encrypted with
one key can only be decrypted by the other.

102
ASYMMETRIC CRYPTOGRAPHY
AND HASHING SERVICES
 P.A.I.N
 Privacy: Receiver’s Public Key
 Authenticity: Sender’s Private Key

 Integrity (not asymmetric OR symmetric)

 Non-Repudiation: Hash encrypted Sender’s Private Key

103
SSL/TLS - HYBRID CRYPTOGRAPHY

104
SUMMARY OF SYMMETRIC VS.
ASYMMETRIC

105
 COMMON SYMMETRIC ALGORITHM
 DES
 3DES
 AES
 RC-4
 RC-5
 Two Fish
 Blowfish
 IDEA
 CAST
 MARS
 Skipjack

106
 COMMON ASYMMETRIC ALGORITHMS

 DSA
 RSA

 ECC (Elliptical Curve Cryptography)

 El Gamal

 Diffie Hellman

 Knapsack

107
THE BUDDY SYSTEM FOR ASYMMETRIC ALGORITHMS

 RSA and DSA

 ECC and El Gamal

 DH (Diffie Hellman) and Knapsack

108
 RSA

 Named for Rivest, Shamir, and Adleman, the creators

 Currently the standard for Digital Signatures

 Uses the idea that there is no efficient way to factor the product of
large prime numbers
 The math used for RSA is sometimes referred to as a trap-door
function
 ****Factorization****

109
 DIFFIE-HELLMAN

 The first asymmetric algorithm

 Secure key-agreement without pre-shared secrets

 Based on discrete logarithms in a finite field

110
DIFFIE HELLMAN KEY AGREEMENT

111
 ECC (ELLIPTICAL CURVE CRYPTOGRAPHY)

 Based upon plotting points upon a curve

 Very efficient, but only designed to work within certain environments

 Frequently used for handheld devices due to their limited processing

capability

112
 REVIEW SYMMETRIC VS.
ASYMMETRIC
 Symmetric
 Fast
 Out of band key exchange

 No integrity, authenticity or authenticity

 Not Scalable

 Asymmetric
 Slow
 Scales to large organizations well

 Provides non-repudiation

 Key exchange does not require exchange of any secret information

113
HYBRID CRYPTOGRAPHY IN SSL/TLS

 Client initiates a secure connection

 Server responds by sending it’s public key to the client
 The client then generates a symmetric session key.
 Client encrypts uses the server’s public key to encrypt the session
key.
 Client sends the session key (encrypted with the server’s public
key) to the server
 Server uses it’s private key to decrypt the session key
 Now that a symmetric session key has been distributed, both
parties have a secure channel across which to communicate.

114
 INTEGRITY

 Data gets modified

 Accidentally through corruption
 Intentionally through malicious alteration

 Hash: only good for accidental modification

 MAC: Provides reasonable authenticity and integrity not strong
enough to be non-repudiation (because it uses a symmetric key)
 Digital Signatures: Can detect both malicious and accidental
modification, but requires an overhead. Provides true non-repudiation

115
HASHING

116
 HASHING

 Digital representation of the contents of the file

 If the file changes, the hash will change

 One way math

 When two different documents produce the same hash it is called a

collision
 A birthday attack is an attempt to cause collisions. It is based on the
idea that it is easier to find two hashes that happen to match than to
produce a specific hash.

117
 HASHING ALGORITHMS

 Variable length message, fixed length has

 MD-5 used to be the standard with a 128 bit hash

 SHA-1 160 bit replaced MD-5 for the most part

 SHA-256 is becoming very frequently used

 RipeMD, Tiger, Whirlpool, HAVAL are lesser known hashing

algorithms

118
 HASHING

A hash creates a digital representation of a message. However, there is nothing about

a hash that guarantees the origin of the message, or the authenticity of the hash itself.
Therefore it is only useful in detecting unintentional modification, like corruption.

119
DIGITAL SIGNATURE

120
MESSAGE AUTHENTICATION
CODE - MAC
Message + Symmetric Number +Hashing algorithm
= HMAC
 Integrity and (reasonable) authenticity

 A MAC does not provide true authenticity (symmetric)

121
 DIGITAL SIGNATURE

 Message is hashed.
 Hash is encrypted by Sender’s Private Key.

 SHA-1 is generally used for the hash

 RSA is the asymmetric encryption algorithm that encrypts the hash

with the sender’s private key.

122
PKI PUBLIC KEY INFRASTRUCTURES
 What’s wrong with this picture?

123
 WHAT PREVENTS MITM ATTACKS

 Authentication
 Remember Encryption can NOT thwart a MITM attack

 Authentication is what prevents MITM

124
HOW DO WE PROVE OUR
IDENTITY?
 Name?
 Expiration Date

 Class?

 Serial Number?

 Is it issued by a
trusted authority?
 Is it standardized?

125
 CERTIFICATES

 X.509 v.4 standard

 Provides authenticity of a
server’s public key
 Necessary to avoid MITM
attacks with server’s
using SSL or TLS
 Digitally signed by
Certificate Authority

126
 PKI (PUBLIC KEY INFRASTRUCTURE)

 Certificate Authority (CA)

 Registration Authority (RA)

 Certificate Repository

 Certificate Revocation List

127
CERTIFICATE CONTENTS

128
 CERTIFICATE REVOCATION

 CRL: CA publishes CRL. Client is responsible for downloading to see

if a certificate has been revoked.
 OCSP (Online Certificate Status Protocol) Streamlines the process of
verifying whether or not a certificate has been revoked.

129
TRUSTED CERTIFICATE
AUTHORITIES

130
 ENCRYPTING DATA IN TRANSIT

 Protect Data as it traverses the network

 Most protocols like IP, HTTP FTP are not inherently secure

131
ENCRYPTING DATA IN TRANSIT: SSL/TLS

132
 IPSEC

 IPSEC is an encapsulation framework. Tunnel vs. Transport mode

dictates what portion of the IP Packet is to be encapsulated.

133
 IPSEC SUB-PROTOCOLS
 AH (Authentication Header) Provides integrity, authenticity, and non-
repudiation through the use of an ICV (Integrity Check Value). The ICV is
run on the entire packet (header, data, trailer) except for particular fields in
the header that are dynamic (like TTL, etc..). NO CONFIDENTIALITY
 ESP (Encapsulating Security Payload) Provides authenticity and integrity
through a MAC (no non-repudiation since a MAC is symmetric). The main
service provided is ENCRYPTION. ICV is run on payload only.
 IKE: Internet Key Exchange---No Security Services. Just management of
secure connection
 Oakley: Uses Diffie Hellman to agree upon a key
 ISAKMP (Internet Security Association and Key Management Protocol)
Manages Keys, Security Associations (SAs) and Security Parameters
Index (SPI)
134
SECURITY ASSOCIATIONS AND SPIS

135
 SSH (SECURE SHELL)

 Secure alternative to unsecure remote administrative protocols

 Telnet, FTP, R-utilitites (Rlogin, etc..) transmit credentials in clear text

 SSH sets up a secure tunnel

136
IMPLEMENTATION OF CRYPTOGRAPHY: DIGITAL ENVELOPES IN S/MIME

 S/MIME (Secure Multipart Internet Mail Exchange) :

 Standards based secure email by creating a digital envelope
 Sender functions:
 Calculate hash value on message
 Encrypt message with session key
 Encrypt hash value with private key
 Encrypt session key with receiver’s public key
 Receiver functions:
 Decrypt session key with private key
 Decrypt hash value with sender’s public key
 Decrypt message
 Calculate hash value and compare with one sent

137
CRYPTOGRAPHY: PGP (PRETTY GOOD PRIVACY)

 Proprietary mail standard from Phil Zimmerman

 Free, but proprietary software must be installed

 Uses Web of Trust

 Passphrases instead of passwords

 Learned keys are stored in a file called the key ring

138
PROTECTING CONFIDENTIALITY OF DATA REST

 Data stored on local drives must be protected

 Log off of workstations not in use

 Use encryption within the operating system (ex: EFS in

Windows environment)
 Whole Drive Encryption: Protect Hard Drive in the event the
disk is stolen
 TPM
 USB

 Directory Services

139
 ATTACKS ON CRYPTOGRAPHY

 Ciphertext Only: Attacker has captured encrypted text on the network.

Usually means all the attacker can do is brute force
 Known Plain Text: The attacker has captured cipher text, but also knows
what a portion of the message is in plain text (like an automatic signature)
 Chosen Plaintext: Attacker can see the full text encrypted and decrypted.
Usually the attacker has initiated the message
 Chosen Ciphertext: An attacker can see whatever they want in plain or
ciphertext. They have compromised a workstation. Sometimes called a
lunchtime or midnight attack.
 Meet in the Middle (Not to be confused with Man in the Middle). These
attacks are targeted towards algorithms like 3DES where there are
multiple key. An attacker tries to learn what each key does individually.

140
 PART III: PHYSICAL SECURITY

 Perimeter Defenses
 Site selection, design, and configuration

 Environmental Controls

142
 PHYSICAL SECURITY

 Physical assets: people, buildings, systems, and data

 CISSP® exam considers human safety as the most critical concern
of this domain - trumps all other concerns
 Physical security protects against threats such as unauthorized
access and disasters, both man-made and natural

143
 PERIMETER DEFENSES

 Perimeter Defenses
 Help prevent, detect, and correct unauthorized physical access
 Should employ defense-in-depth

 Fences, doors, walls, locks, etc.

 Fences
 May range from deterrents (such as 3-foot/1 meter-tall fencing) to
preventive devices (8-foot/2.4 meter)
 Should be designed to steer ingress and egress to controlled points,
such as exterior doors and gates

144
 PERIMETER DEFENSES
 Gates
 Range in strength from ornamental (a class I gate designed to
deter access) to a class IV gate designed to prevent a car from
crashing through (such as gates at airports and prisons)
 ASTM International's “ASTM F2200” Standard Specification for
Automated Vehicular Gate Construction at
http://www.astm.org/Standards/F2200.htm
 Types of Vehicle Gates:
 Class I Residential (home use)
 Class II Commercial/General Access (parking garage)
 Class III Industrial/Limited Access (loading dock for 18-wheeler
trucks)
 Class IV Restricted Access (airport or prison)
 Gates should be placed at controlled points at the perimeter -
Secure sites
 Use fences and topography to steer traffic to these points.
145
 PERIMETER DEFENSES
 Bollards
 A traffic bollard is a strong post designed to
stop a car Term derives from the short/strong
posts (called mooring bollards) used to tie
ships to piers when docked
 Often installed in front of convenience stores,
to prevent a confused driver who mixes up the
accelerator and brake from driving into the
store.
 Used in secure facilities to prevent cars from
entering (whether intentionally or not)
 Can use large concrete planters for the same
effect
 Usually placed in front of physically weak
areas of a building, such as entryways 146
 PERIMETER DEFENSES
 Lights
 Can act as both a detective and deterrent control
 Criminals will usually favor a poorly lighted target
over a more visible one
 Should be bright enough to illuminate the desired
field of vision (the area being protected)
 Fresnel (pronounced fray-NELL) lights - Same
type originally used in lighthouses, use Fresnel
lenses to aim light in a specific direction
 Light measurement:
 Lumen, the amount of light one candle creates
 Footcandles; one footcandle is one lumen per
square foot
 Lux, based on the metric system, more commonly
used now: one lux is one lumen per square meter.

147
 PERIMETER DEFENSES
 CCTV
 Closed Circuit Television (CCTV)

 Detective device used to aid in detecting the

presence of intruders in restricted areas
 Can also be used as a deterrent device/control
 CCTVs using the normal light spectrum require
sufficient visibility to illuminate the field of view
 Infrared devices can “see in the dark” by displaying
heat
 Features:
 Pan&Tit
 Autoscan
 Motion detection
 Recording
 Magnetic tape such as VHS (tube cameras)
 CCD cameras use DVR (Digital Video Recorder) or
NVR (Network Video Recorder) for backups
 NVR has the advantage of allowing centralized
storage of all video data 148
 LOCKS
 Locks
 Preventive physical security control
 Used on doors and windows to prevent unauthorized
physical access
 May be mechanical, such as key locks or combination
locks
 May be electronic - often used with smart cards or
magnetic stripe cards
 Key locks
 Require a physical key to unlock
 Keys may be shared or sometimes copied, which lowers
the accountability of key locks
 A common type is the pin tumbler lock, which has two sets
of pins: driver pins and key pins.
 The correct key makes the pins line up with the shear line,
allowing the lock tumbler (plug) to turn 149
 LOCKS
 Lock Picking
 The art of opening a lock without a key
 A set of lock picks can be used to lift the pins in a pin
tumbler lock, allowing the attacker to open the lock
without a key
 Lock bumping
 A technique uses a shaved-down key which will
physically fit into the lock. The attacker inserts the
shaved key and “bumps” the exposed portion
(sometimes with the handle of a screwdriver).
 This causes the pins to jump, and the attacker quickly
turns the key and opens the lock.
 All key locks can be picked or bumped: the only
question is how long it will take
Shaved down key – bumping key

150
 LOCKS
 Master Key
 Opens any lock for a given security zone in a
building
 Access to the master key should be tightly
controlled
 Core Key
 Core keys are used to remove the lock core in
interchangeable core locks (where the lock core
may be easily removed and replaced with another
core)
 Once the lock core is removed, the door may often
be opened with a screwdriver

 Functional equivalent to the master key, core

keys should be kept equally secure
151
 LOCKS
 Combination Locks
 Have dials that must be turned to specific numbers, in a specific order
(alternating clockwise and counterclockwise turns) to unlock
 A weak form of physical access control for production environments
such as data centers
 Button or keypad locks also use numeric combinations

 Limited accountability due to shared combinations

 Button or keypad locks are also vulnerable because prolonged use can
cause wear on the most used buttons or keys
 Combinations may be discovered via a brute-force attack, where every
possible combination is attempted
 Locks may also be compromised via shoulder surfing

 Simple locks such as pushbutton locks with limited combinations do not

qualify as preventive devices; they are deterrent ONLY
 Can be used for low-security applications such as locking an employee
restroom, but should not be used to protect sensitive data or assets
 LOCKS
 Smart Cards
 A physical access control device which is often used for electronic locks, credit
card purchases, or dual-factor authentication systems
 “Smart” means the card contains a computer circuit
 Smart card is also known as “Integrated Circuit Card” (ICC).
 May be “contact” or “contactless”
 Contact cards must be inserted into a smart card reader
 Contactless cards are read wirelessly
 One type of contactless card technology is Radio-Frequency Identification (RFID)
 Contain RFID tags (also called transponders) which are read by RFID transceivers

 Magnetic Stripe Cards

 Magnetic stripe card contains a magnetic stripe which stores information
 Passive devices that contain no circuits
 Sometimes called swipe cards: they are used by swiping through a card reader
 Many international credit cards are smart cards, while magnetic stripe cards are
more commonly used as credit cards in the United States
 LOCKS
 CAC
 The “Common Access Card” (CAC) is an example of a
worldwide smart card deployment by the U.S. Department of
Defense (DoD)
 Used for physical access control, to provide dual-factor
authentication to critical systems, to digitally sign documents,
and others
 CAC cards store data including cryptographic certificates as
part of the DoD's Public Key Infrastructure (PKI)
 Both smart and magnetic stripe may be used in combination
with electronic locks to provide physical access control
 Better accountability when compared with mechanical locks:
audit data can be collected electronically
 TAILGATING/PIGGYBACKING

 Occurs when an unauthorized person follows

an authorized person into a building after the
authorized person unlocks and opens the door
 Policy should forbid employees from allowing
tailgating and security awareness efforts
 Attackers attempting to tailgate often combine
social engineering techniques, such as
carrying large boxes, increasing the chances
an authorized user will “help out” by holding
the door open

155
 MANTRAPS AND TURNSTILES
 Mantraps are a preventive physical control with two doors
 The first door must close and lock before the second
door may be opened
 Each door typically requires a separate form of
authentication to open
 The intruder is trapped between the doors after
entering the mantrap
 Turnstiles are designed to prevent tailgating by enforcing
a “one person per authentication” rule
 Secure data centers may use floor-to-ceiling turnstiles
with interlocking blades to prevent an attacker from
going over or under the turnstile
 Both mantraps and turnstiles must be designed to
allow safe egress in case of emergency
 No system should require authentication for egress
during emergencies
156
 CONTRABAND CHECKS
 Seek to identify objects that are prohibited to enter a secure perimeter (such as an
airplane)
 Secure buildings such as government or military buildings may employ contraband
checks
 Often used to detect metals, weapons, or explosives
 May also be used to detect controlled substances such as illegal drugs, portable
cameras or storage media

157
 MOTION DETECTORS AND OTHER PERIMETER ALARMS

 Ultrasonic and microwave motion detectors work like “Doppler radar”

used to predict the weather
 A wave of energy is sent out, and the “echo” is returned when it
bounces off an object
 A motion detector that is 20 ft away from a wall will consistently
receive an echo in the time it takes for the wave to hit the wall and
bounce back to the receiver, for example. The echo will be returned
more quickly when a new object (such as a person walking in range
of the sensor) reflects the wave
 Active sensors - means they actively send energy

 A photoelectric motion sensor sends a beam of light across a

monitored space to a photoelectric sensor
 The sensor alerts when the light beam is broken

 Also an active sensor

 A passive sensor is a “read-only” device; example is a passive infrared

(PIR) sensor that detects infrared energy created by body heat.
158
 MOTION DETECTORS AND OTHER PERIMETER ALARMS

 Perimeter alarms include magnetic door and

window alarms
 Include matched pairs of sensors on the wall,
as well as window/door
 An electrical circuit flows through the sensor
pairs as long as the door or window is closed;
the circuit breaks when either is opened
 Often armed for secured areas as well as in
general areas during off hours such as nights or
weekends
 Once armed, a central alarm system will alert
when any door or window is opened

159
 DOORS AND WINDOWS
 Attackers will often target the “weakest link in the chain”
 Examples of “weakest link” design include a concrete wall with a hollowcore door, or a
gypsum wall with a steel door.
 Door hinges should face inward, or be otherwise protected
 Doors with internal motion sensors should never include mail slots
 Externally-facing emergency doors should be marked for emergency use only and
equipped with panic bars. The use of a panic bar should trigger an alarm.
 Glass windows are structurally weak and can be dangerous when shattered. Bullet-proof
or explosive-resistant glass can be used for secured areas. Wire mesh or security film
can lower the danger of shattered glass and provide additional strength. Use of simple
glass windows in a secure perimeter requires a compensating control such as window
burglar alarms.
 Alternatives to glass windows include polycarbonate such as Lexan and acrylic such as
Plexiglass. Lexan is used in race cars and airplanes for is strength and shatter
resistance.
160
 WALLS, FLOORS, AND CEILINGS
 Walls around any internal secure perimeter such as a data center should be “slab to slab”
 Raised floors and drop ceilings can obscure where the walls truly start and stop
 Any wall protecting a secure perimeter (whether internal or external) should be strong enough to
resist cutting
 Simple gypsum “sheetrock” walls can be cut open with a sharp tool such as a carpet knife, and
should not be used for secure perimeters
 Walls should have an appropriate fire rating (the amount of time required to fail due to a fire)
 The National Fire Protection Agency (NFPA) 75: Standard for the Protection of Information
Technology
 Equipment states “The computer room shall be separated from other occupancies within the building
by fire-resistant rated walls, floor, and ceiling constructed of noncombustible or limited combustible
materials.
 The fire resistant rating shall be commensurate with the exposure, but not less than one hour.”

161
 GUARDS

 A dynamic control
 May aid in inspection of access credentials, monitor CCTVs, monitor
environmental controls, respond to incidents, act as a deterrent (all things
being equal, criminals are more likely to target an unguarded building over a
guarded building), and more
 Professional guards have attended advanced training and/or schooling;
amateur guards (sometimes derogatively called “Mall Cops”) have not
 Term “pseudo guard” means an unarmed security guard
 Guard's orders should be complete and clear
 Guards are often attacked via social engineering, so this threat should be
directly addressed via security awareness and training.

162
 DOGS

 Often used in controlled areas, such as between the exterior building

wall and a perimeter fence
 Primarily serve as both deterrent and detective controls

 A site without dogs is more likely to be physically attacked than a site

with dogs (deterrent), and dogs alert security guards through barking
(detective)
 The primary drawback to using dogs as a perimeter control is legal
liability

163
SITE SELECTION, DESIGN, AND CONFIGURATION

 Describes the process of building a secure facility such as a data

center, from the site selection process through the final design
 The exam could pose a scenario where you are asked about any part
of the site selection process, beginning with the land the data center
will be built on
 Site selection is the “greenfield” process of choosing a site to construct
a building or data center. A “greenfield” is an undeveloped lot of land.

164
SITE SELECTION, DESIGN, AND CONFIGURATION

 Topography
 The physical shape of the land: hills, valleys, trees, etc.

 Highly secure sites such as military installations will leverage (and

sometimes alter) the topography of the site as a defensive measure
 Can be used to steer ingress and egress to controlled points

 Utility Reliability
 Electrical outages are among the most common of all failures and disasters

 Uninterruptible Power Supplies (UPSs) will provide protection against

electrical failure for a short period (usually hours or less)
 Generators provide longer protection, but will require refueling in order to
operate for extended periods.

165
SITE SELECTION, DESIGN, AND CONFIGURATION

 Site Design and Configuration Issues

 Site design cannot compensate for poor site selection decisions

 Site Marking
 Data centers are not externally marked

 Attention-avoiding details such as muted building design

The Netflix DVD service avoids site marking of its service centers, which look
like nondescript warehouses in regular office parks. There are no Netflix signs
or corporate logos to be seen.
Assuming a low profile avoids drawing unwanted attention to the warehouses,
which adds defense-in-depth protection to the valuable contents inside. As an
additional bonus, this encourages subscribers to return DVDs via postal mail
(as opposed to attempting to return DVDs by dropping them off in person).
166
SITE SELECTION, DESIGN, AND CONFIGURATION

 Shared Tenancy and Adjacent Buildings

 Other tenants in a building can pose security issues: they are already behind the physical
security perimeter
 Their physical security controls will impact yours: a tenant's poor visitor security practices can
endanger your security
 Adjacent buildings pose a similar risk
 Attackers can enter a less secure adjacent building and use that as a base to attack an
adjacent building, often breaking in through a shared wall
 Many bank heists have been pulled off this way; including the theft of over $20 million dollars
from British Bank of the Middle East in 1976 (the attackers blasted a hole through the shared
wall of an adjacent church)
http://www.dailymail.co.uk/home/moslive/article-459185/Soldiers-Fortune.html
 Another security risk associated with shared tenancy (or neighbors who are physically close)
is wireless security

167
SITE SELECTION, DESIGN, AND CONFIGURATION

 Shared Demarc
 Demarc (the demarcation point, where the ISP's (Internet Service Provider) responsibility
ends and the customer's begins)
 Most buildings have one demarc area, where all external circuits enter the building
 Should employ strong physical access control, including identifying, authenticating, and
authorizing all access
 For very secure sites, construction of multiple segregated demarcs is recommended.

168
 PHYSICAL SYSTEM DEFENSES
 System Defenses
 One of the last lines of defense in a defense-in-depth strategy

 Assume an attacker has physical access to a device or media containing sensitive information

 Asset Tracking
 You cannot protect your data unless you know where (and what) it is

 Data such as serial numbers and model numbers are useful in cases of loss due to theft or
disaster.
 Port Controls
 Computers may contain multiple “ports” which may allow copying data to or from a system

 USB drives can be small (some are smaller than a piece of chewing gum) and inexpensive and
may hold dozens of gigabytes or more
 Small enough to evade perimeter contraband checks

 Ports can be physically disabled

 Ports may also be electronically locked via system policy

169
 PHYSICAL SYSTEM DEFENSES

 Drive and Tape Encryption

 Drive and tape encryption protect data at rest
 One of the few controls which will protect data after physical security has been
breached
 Recommended for all mobile devices and media containing sensitive information
which may physically leave a site or security zone
 Whole-disk encryption of mobile device hard drives is recommended
 Disk encryption/decryption may occur in software or hardware
 Many breach notification laws concerning Personally Identifiable Information (PII)
contain exclusions for lost data that is encrypted

170
 PHYSICAL SYSTEM DEFENSES

 Media Storage and Transportation

 All sensitive backup data should be stored offsite, whether transmitted offsite via
networks, or physically moved as backup media
 Sites using backup media should follow strict procedures for rotating media offsite
 Always use bonded and insured company for offsite media storage
 The company should employ secure vehicles and store media at a secure site
 Ensure that the storage site is unlikely to be impacted by the same disaster that
may strike the primary site, such as a flood, earthquake, or fire
 Never use informal practices, which as storing backup media at employee's
houses

171
 PHYSICAL SYSTEM DEFENSES

 Media Cleaning and Destruction

 All forms of media should be securely cleaned or destroyed before disposal to
prevent object reuse
 Objects may be physical (such as paper files in manila folders) or electronic (data
on a hard drive)
 Attacks range from nontechnical attacks such as dumpster diving (searching for
information by rummaging through unsecured trash) totechnical attacks such as
recovering information from unallocated blocks on a disk drive
 All cleaning and destruction actions should follow a formal policy, and all such
activity should be documented, including the serial numbers of any hard disks, type
of data they contained, date of cleaning or destruction, and personnel performing
these actions

172
PHYSICAL SECURITY

ENVIRONMENTAL
CONTROLS
• Electricity
• HVAC
• Fire safety
 ELECTRICITY

 Reliable electricity is critical for any data center

 One of the top priorities when selecting, building, and designing a site

174
 TYPES OF ELECTRICAL FAULTS

 All types of electrical faults can impact availability and integrity

 The following are common types of electrical faults:

 Blackout: prolonged loss of power

 Brownout: prolonged low voltage

 Fault: short loss of power

 Surge: prolonged high voltage

 Spike: temporary high voltage

 Sag: temporary low voltage

175
SURGE PROTECTORS, UPSS, AND GENERATORS
 Surge Protectors
 Protect equipment from damage due to electrical surges
 Contain a circuit or fuse which is tripped during a power spike or surge, shorting the power or regulating it
down to acceptable levels
 Uninterruptible Power Supplies
 Provide temporary backup power in the event of a power outage
 May also “clean” the power, protecting against surges, spikes, and other forms of electrical faults
 Backup power is provided via batteries or fuel cells
 Provide power for a limited period of time, and can be used as a bridge to generator power; generators
typically take a short period of time to start up and begin providing power
 Generators
 Designed to provide power for longer periods of times than UPSs
 Will run as long as fuel is available
 Sufficient fuel should be stored onsite for the period the generator is expected to provide power
 Refueling strategies should consider a disaster's effect on fuel supply and delivery
 Generators should not be placed in areas which may flood or otherwise be impacted by weather events
 Should be tested and serviced regularly.
 http://www.cumminspower.com/www/literature/technicalpapers/PT-7006-Standby-Katrina-en.pdf
176
 EMI

 All electricity generates magnetism, so any electrical conductor emits

 Electromagnetic Interference (EMI)

 Network cables that are poorly shielded or run too closely together
may suffer crosstalk, where magnetism from one cable “crosses” over
to another nearby cable
 Crosstalk can be mitigated via proper network cable management

 Never route power cables close to network cables

177
 HVAC
 HVAC
 Keep the air at a reasonable temperature and humidity

 Operate in a closed loop, recirculating treated air (helps

reduce dust and other airborne contaminants)
 Positive Pressure and Drains
 All HVAC units should employ positive pressure and
drainage
 Means air and water should be expelled from the
building
 Untreated air should never be “inhaled” into the building,
and water should drain away from the building
 A common malfunction of HVAC units is condensation of
water pooling into the building, often going under raised
floors where it may not be detected
 Positive drains are designed to avoid this problem

 Location of all gas and water lines, as well as all drains,

should be formally documented.
178
 HEAT AND HUMIDITY
 Humidity levels of 40-55% are recommended
 A commonly recommended “set point” temperature range for a data center is 68-77 °F
(20-25 °C)
 With sufficient data center airflow, higher temperatures can be used
 Can result in energy savings; however, the data center may heat to dangerous levels more
quickly in the event of HVAC failure

Note - Many sources cite 68-72 °F (20-22 °C) as the optimum data center temperature
range; in 2004, the American Society of Heating, Refrigerating and Air-Conditioning
Engineers (ASHRAE) recommended up to 77 °F/25 °C.
As a result, the 2008 ASHRAE recommendations allow a much wider range: temperature
of 18 °C (64.4 °F) to 27 °C (80.6 °F) and humidity from 25% to 60%, depending on the dew
point. Higher set points require adequate airflow. Details may be found at
http://tc99.ashraetcs.org
179
 STATIC AND CORROSION

 Sudden static discharge can cause damage from system reboots to chip or
disk damage
 Static is mitigated by maintaining proper humidity, proper grounding all circuits
in a proper manner, and using antistatic sprays, wrist straps, and work
surfaces
 Personnel working with sensitive computer equipment such as boards,
modules, or memory chips should ground themselves before performing any
work.
 High humidity levels can allow the water in the air to condense onto (and into)
equipment, which may lead to corrosion.
 Both static and corrosion are mitigated by maintaining proper humidity levels.

180
 AIRBORNE CONTAMINANTS

 Dust is a common problem: airborne dust particles can be drawn into

computer enclosures, where they become trapped
 Built-up dust can cause overheating and static buildup

 CPU fans can be impeded by dust buildup, which can lead to CPU
failure due to overheating
 Other contaminants can cause corrosion or damaging chemical
reactions.

181
 HEAT, FLAME, AND SMOKE DETECTORS

 Heat, Flame, and Smoke Detectors

 Three methods for detecting fire
 Typically alert locally, and may also be centrally monitored by a fire
alarm system
 An audible alarm and flashing lights should be used, so that both deaf
and blind personnel will be aware of the alarm
 Heat Detectors
 Alert when temperature exceeds an established safe baseline
 May trigger when a specific temperature is exceeded or when
temperature changes at a specific rate (such as “10 °F in less than 5
minutes”)
182
 HEAT, FLAME, AND SMOKE DETECTORS
 Smoke Detectors
 Work through two primary methods: ionization and photoelectric
 Ionization-based smoke detectors contain a small radioactive source which creates a
small electric charge
 Photoelectric sensors work in a similar fashion, except that they contain an LED (Light
Emitting Diode) and a photoelectric sensor that generates a small charge while receiving
light
 Both types of alarm alert when smoke interrupts the radioactivity or light, lowering or
blocking the electric charge
 Dust should always be avoided in data centers. Small airborne dust particles can
trigger smoke detectors just as smoke does, leading to false alarms.
 Flame Detectors
 Detect infrared or ultraviolet light emitted in fire
 One drawback to this type of detection is that the detector usually requires lineof-site
to detect the flame; smoke detectors do not have this limitation
183
SAFETY TRAINING AND AWARENESS

 Safety Training and Awareness

 Training provides a skill set such as learning to operate an emergency power
system
 Awareness changes user behavior (“Don't let anyone follow you into the building
after you swipe your access card”)
 Evacuation Routes
 Evacuation routes should be prominently posted
 All personnel should be advised of the quickest evacuation route from their areas
 Guests should be advised of evacuation routes as well
 All sites should use a meeting point, where all personnel will meet in the event of
emergency

184
SAFETY TRAINING AND AWARENESS

 Evacuation Roles and Procedures

 The two primary evacuation roles are safety warden and meeting point leader
 The safety warden ensures that all personnel safely evacuate the building in the
event of an emergency or drill
 The meeting point leader assures that all personnel are accounted for at the
emergency meeting point
 Special care should be given to any personnel with handicaps, which could affect
egress during an emergency
 Elevators should never be used during a fire
 All sites should have mitigating controls to allow safe egress for all personnel

185
 FIRES AND SUPPRESSION
 ABCD Fires and Suppression
 Fire suppression systems are
used to extinguish fires
 Different types of fires require
different suppressive agents
 Class K fires are kitchen fires,
such as burning oil or grease.
Wet chemicals are used to
extinguish class K fires

186
 TYPES OF FIRE SUPPRESSION
AGENTS
 Always consult local fire code before implementing a fire suppression
system
 All fire suppression agents work via four methods (sometimes in
combination):
 reducing the temperature of the fire,
 reducing the supply of oxygen,

 reducing the supply of fuel,

 interfering with the chemical reaction within fire

187
 TYPES OF FIRE SUPPRESSION
AGENTS
 Water
 Suppresses fire by lowering the temperature below the kindling point
(also called the ignition point)
 Safest of all suppressive agents, and recommended for extinguishing
common combustible fires such as burning paper or wood
 It is important to cut electrical power when extinguishing a fire with water
to reduce the risk of electrocution

188
 TYPES OF FIRE SUPPRESSION
AGENTS
 Soda Acid
 Old giant brass fire extinguishers
 Suppress fire by lowering temperature, soda acid also has additional
suppressive properties beyond plain water: it creates foam which can
float on the surface of some liquid fires, starving the oxygen supply

189
 TYPES OF FIRE SUPPRESSION
AGENTS
 Dry Powder
 Dry powder (such as sodium chloride) works by lowering temperature
and mothering the fire, starving it of oxygen.
 Dry powder is primarily used to extinguish metal fires (flammable metals
include sodium, magnesium, and many others)

190
 TYPES OF FIRE SUPPRESSION
AGENTS
 Wet Chemical
 Primarily used to extinguish kitchen fires (type K fires in the U.S.; type F
in Europe)
 May also be used on common combustible fires (type A)

 The chemical is usually potassium acetate mixed with water. This covers
a grease or oil fire in a soapy film which lowers the temperature.

191
 TYPES OF FIRE SUPPRESSION
AGENTS
 CO2
 Fires may be smothered by removing the oxygen: this is how CO2 fire
suppression works.
 A risk associated with CO2 is it is odorless and colorless, and our bodies
will breathe it as air. By the time we begin suffocating due to lack of
oxygen, it is often too late.
 CO2 is dangerous suppressive agent, which is only recommended in
unstaffed areas such as electrical substations
 Any personnel entering a CO2-protected area should be trained for CO2
safety; additional safety controls (such as oxygen tanks) are usually
recommended

192
 TYPES OF FIRE SUPPRESSION
AGENTS
 Halon and Halon Substitutes
 Extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of
the fire
 Halon is being phased out, and a number of replacements with similar properties are now
used
 Montreal Accord
 Halon has ozone-depleting properties
 The 1989 Montreal Protocol (formally called the “Montreal Protocol on Substances That
Deplete the Ozone Layer”) banned production and consumption of new halon in developed
countries by January 1, 1994.
 Existing halon systems may be used. While new halon is not being produced, recycled halon
may be used
 There are exceptions for certain critical uses, such as airplanes and submarines.

See http://ozone.unep.org for more information on the Montreal Protocol.

193
 TYPES OF FIRE SUPPRESSION
AGENTS
 Halon Replacements
 Recommended replacements for halon include the following systems:
 Argon
 FE-13
 FM-200
 Inergen

 FE-13 is the newest of these agents, and comparatively safe. It may be breathed in
concentrations of up to 30%. Other halon replacements are typically only safe up to 10-15%
concentration.

194
 COUNT-DOWN TIMERS

 CO2, halon, and halon substitutes such as FM-200 are considered

gas-based systems.
 All gas systems should use a countdown timer (both visible and
audible) before gas is released
 Allow personnel evacuation before release

 A secondary effect is to allow personnel to stop the release in case of

false alarm.

 Note - Water is usually the recommended fire suppression agent.

Water (in the absence of electricity) is the safest suppression agent
for people.
195
 SPRINKLER SYSTEMS

 Sprinkler Systems
 All sprinkler systems should be combined with a fire alarm that alerts
people to evacuate
 Safe evacuation is the primary goal of fire safety.

 Wet Pipe
 Wet pipes have water right up to the sprinkler heads: the pipes are “wet.”
 The sprinkler head contains a metal (common in older sprinklers) or
small glass bulb designed to melt or break at a specific temperature
 The sprinkler head opens and water flows

 Each head will open independently as the trigger temperature is

exceeded.
196
 SPRINKLER SYSTEMS

 Wet Pipe
 Bulbs come in different colors, which indicate the ceiling temperature
which will trigger the bulb to burst and open the sprinkler head
 The colors used are
 orange (135 °F/57 °C),
 red (155 °F/68 °C),
 yellow (175 °F/79 °C),
 green (200 °F/93 °C),
 blue (286 °F/141 °C)
NFPA 13: Standard for the Installation of Sprinkler Systems describes the
color conventions used for these sprinkler heads. See:
http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=13
197
 SPRINKLER SYSTEMS
 Dry Pipe
 Also have closed sprinkler heads: the difference is the pipes are filled with
compressed air
 Water is held back by a valve that remains closed as long as sufficient air pressure
remains in the pipes
 As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the
valve to open and send water to that head
 Dry pipes are often used in areas where water may freeze, such as parking garages.

 Deluge
 Similar to dry pipes, except the sprinkler heads are open and larger than dry pipe
heads
 The pipes are empty at normal air pressure; the water is held back by a deluge valve

 The valve is opened when a fire alarm (which may monitor smoke or flame sensors)
triggers.
198
 SPRINKLER SYSTEMS

 Pre-Action
 Combination of wet, dry, or deluge systems, and require two separate
triggers to release water
 Single interlock systems release water into the pipes when a fire alarm triggers
 The water releases once the head opens
 Double interlock systems use compressed air (same as dry pipes): the water
will not fill the pipes until both the fire alarm triggers and the sprinkler head
opens
 Preaction systems are used in areas such as museums, where accidental
discharge would be expensive.
 Double-interlock systems are used in cold areas such as freezers to avoid
frozen pipes
199
 PORTABLE FIRE EXTINGUISHERS

 Should be marked with the type of fire they are designed to extinguish
 Should be small enough to be operated by any personnel who may
need to use one
 Use the “PASS” method to extinguish a fire with a portable fire
extinguisher:
 Pull the pin
 Aim low

 Squeeze the pin

 Sweep the fire

200
MODULE REVIEW
 CHAPTER 3 SECURITY ENGINEERING REVIEW
Part I Security Architecture and Design:  Symmetric Cryptography
 Trusted Computer Base Elements  Asymmetric Cryptography
 Security Perimeter  Hybrid Cryptography
 Reference Monitor  Integrity through Hashing, MACs and
 Security Kernel Digital Signatures
 Security Models  Public Key Infrastructure
 Computer/Security Architecture  IPSec
 Security Models  Attacks on Cryptography
 Security Evaluation Criteria
Part III Physical Security:
Part II Cryptography:  Perimeter Defenses

 Historical uses of Cryptography  Site selection, design, and configuration

 Security Services provided by  Environmental Controls

cryptography
 Definitions and terms
202
MODULE SELF CHECK
 MODULE SELF CHECK

Which of the following security standards is internationally

recognized as the standards for sound security practices and is
focused on the standardization and certification of an
organization’s Information Security Management System (ISMS)?

 A. ISO 15408
 B. ISO 27001

 C. ISO 9001

 D. ISO 9146

204
 MODULE SELF CHECK

A two-dimensional grouping of individual subjects into groups or

roles and granting access to groups to objects is an example of
which of the following types of models?

 A. Multilevel lattice
 B. State machine

 C. Non-interference

 D. Matrix-based

205
 MODULE SELF CHECK

Which of the following models ensures that a subject with

clearance level of ‘Secret’ has the ability to write only to objects
classified as ‘Secret’ or ‘Top Secret’ but is prevented from writing
information classified as ‘Public’?

 A. Biba-Integrity
 B. Clark–Wilson

 C. Brewer–Nash

 D. Bell–LaPadula

206
 MODULE SELF CHECK

Which of the following models is BEST considered in a shared

datahosting environment so that the data of one customer is not
disclosed to a competitor or other customers sharing that hosted
environment?

 A. Brewer–Nash
 B. Clark–Wilson

 C. Bell–LaPadula

 D. Lipner

207
 MODULE SELF CHECK

Which of the following ISO standards provides the evaluation

criteria that can be used to evaluate security requirements of
different products with different functions?

 A. 15408
 B. 27000

 C. 9100

 D. 27002

208
 MODULE SELF CHECK

Which of the following evaluation assurance level that is formally

verified, designed and tested is expected for high risk situation?

 A. EAL 1
 B. EAL 3

 C. EAL 5

 D. EAL 7

209
 MODULE SELF CHECK

Asymmetric key cryptography is used for the following:

 A. Encryption of data, Access Control, Steganography

 B. Steganography, Access control, Nonrepudiation

 C. Nonrepudiation, Steganography, Encryption of Data

 D. Encryption of Data, Nonrepudiation, Access Control

210
 MODULE SELF CHECK

Which of the following supports asymmetric key cryptography?

 A. Diffie–Hellman
 B. Rijndael

 C. Blowfish

 D. SHA-256

211
 MODULE SELF CHECK

When a certificate is revoked, what is the proper procedure?

 A. Setting new key expiry dates

 B. Updating the certificate revocation list

 C. Removal of the private key from all directories

 D. Notification to all employees of revoked keys

212
 MODULE SELF CHECK

The only cipher system said to be unbreakable by brute force is

 A. AES
 B. DES

 C. One-time pad

 D. Triple DES

213
 MODULE SELF CHECK

The doors of a data center spring open in the event of a fire. This
is an example of

 A. Fail-safe
 B. Fail-secure

 C. Fail-proof

 D. Fail-closed

214
 MODULE SELF CHECK

What is the most common and inexpensive form of physical

access control device?

 A. Lighting
 B. Security guard

 C. Key locks

 D. Fences

215
 MODULE SELF CHECK

What is the ideal humidity range for a computer room?

 A. 20–40 percent
 B. 40–60 percent

 C. 60–75 percent

 D. 80–95 percent

216
 MODULE SELF CHECK

A Type B fire extinguisher may use all except which of the

following suppression mediums?

 A. Water
 B. CO2

 C. Halon or an acceptable halon substitute

 D. Soda acid

217
 MODULE SELF CHECK

What is the best type of water-based fire suppression system for a

computer facility?

 A. Wet pipe system

 B. Dry pipe system

 C. Preaction system

 D. Deluge system

218