Domain 3 : CISM Domain 3: Information Security Program Development and Management
Security governance principles
Least Privilege
Need to Know
A user can not deny having performed a certain action. This uses both
Authentication and Integrity
Some can be both at different times, an active program is a subject; when
closed, the data in program can be object
Subject
(Active)
Most often users, but can also be programs – Subject
manipulates Object
Any passive data (both physical paper and data) – Object is manipulated by Subject.
(Passive)
Cryptography
helps
Confidentiality
Integrity
Authentication
non-repudiation
Modular Math
Definitions:
Cryptology
the science of securing communications
Cryptography
creates messages where the meaning is hidden
Cryptanalysis
science of breaking encrypted communication
Cipher
cryptographic algorithm
Plaintext
Ciphertext
Encryption
Decryption
Use of a well-known text (Often a book) as the key.
Messages would then look like 244.2.13, 12.3.7, 41.42.1. ...
The person reviewing the message would look at page 244, sentence 2, word 13, then page 12, sentence 3, word 7, page 41, sentence 42 word 1, ...
uses a well-known test as a key as well, but uses a previously
agreed upon phrase
Monoalphabetic Ciphers
Polyalphabetic Ciphers
is the relationship between the plaintext and
ciphertext; it should be as random (confusing) as possible.
s how the order of the plaintext should be “diffused”
(dispersed) in the ciphertext.
Substitution
Permutation
legal concern
COCOM
(Coordinating Committee of Multilateral Export Controls) 1947 – 1994
Wassenaar Arrangement
Asymmetric vs Symmetric Encryption and Hybrid
Asymmetric
Pros: It does not need a pre-shared key, only 2x users = total keys.
Cons: It is much slower, it is weaker per bit.
Asymmetric Encryption uses 2 keys: a
(Key Pair).
Public Key
Private Key
Prime Number Factorization:
Discrete Logarithms
examples
RSA cryptography
Diffie–Hellman (DH)
Elliptic Curve Cryptography (ECC)
ElGamal
Knapsack
Symmetric:
Pros: Much faster, stronger per bit.
Cons: Needs a pre-shared key, n(n-1)/2 users,
ex
DES
ata Encryption Standard (Single DES)
ay be called DEA (algorithm)
No longer secure and it has multiple attack vectors published.
3 DES (Triple DES)
Considered secure until 2030 and still commonly used (K1).
IDEA (International Data Encryption Algorithm):
Designed to replace DES.
Symmetric, 128bit key, 64bit block size, considered safe.
Not widely used now, since it is patented and slower than AES.
AES
image
AddRoundKey
ach byte is combined with
a block of the round key using bitwise XOR.
Rounds:
SubBytes
a non-linear substitution step
where each byte is replaced with another
according to a lookup table
ShiftRows
a transposition step where the
last three rows of the state are shifted a
certain number of steps.
MixColumns
a mixing operation which
operates on the columns, combining the
four bytes in each column.
Final Round (no MixColumns):
SubBytes
ShiftRows
AddRoundKey
Blowfish
Uses Fistel.
Symmetric, block cipher, 64 bit blocks, 32-448 bit key lengths.
No longer considered secure.
Developer recommends using Twofish
Twofish.
Uses Fistel.
Symmetric, block cipher 128bit blocks, key length 128, 192, 256 bits.
Considered secure.
Blowfish, Camellia, CAST-128, DES, FEAL,
ICE, KASUMI, LOKI97, Lucifer, MARS,
MAGENTA, MISTY1, RC5, TEA, Triple DES,
Twofish, XTEA, ...
CAST-256, MacGuffin, RC2, RC6, Skipjack
RC4:
Used by WEP/WPA/SSL/TLS.
RC5:
RC6
Hybrid Encryption:
hash Functions
Integrity:
variable-length plaintext is hashed into a fixed-length value hash or MD
(Message Digest)
Collisions:
ex
MD5
SHA1
SHA2
SHA3
HAVAL
RIPEMD:
RIPEMD160:
Cryptographic Attacks
Steal the Key
Brute Force
Key stretching
Digraph attack
Man-in-the-Middle Attack (MITM):
Session Hijacking
Social Engineering
Rainbow Tables
Known Plaintext
Chosen Plaintext
Adaptive Chosen Plaintext
Meet-in-the-Middle
Known Key
Differential Cryptanalysis
Linear Cryptanalysis
Differential Linear Cryptanalysis
Side Channel Attacks
Implementation Attacks
Key Clustering
Implementing Cryptography
PKI
Digital Signatures:
Digital certificates
CA
ORA (Organizational Registration Authorities)
CRL
Maintained by the CA
Server side, starting to be replaced by OCSP
OCSP
Client/server hybrid, better balance, faster, keeps lists
of revoked certificates.
Clipper chip
abandoned
Provides
Integrity
Non-Repudiation
Hash function using a key.
CBC-MAC, for instance, uses Cipher Block Chaining from a symmetric
encryption (like DES).
Provides integrity and authenticity.
Message Authentication Code)
A pre-shared key is exchanged.
The sender uses XOR to combine the plaintext with a shared key, then
hashes the output using a hashing algorithm (Could be HMAC-MD5 or
HMAC-SHA-1).
That hash is then combined with the key again, creating an HMAC.
The receiver does the same and compares their HMAC with the sender’s
HMAC
If the two HMACs are identical, the sender is authenticated.
HMAC (Hashed Message Authentication Code)
SSL / TLS
Preventive and Detective Controls:
Configuration Management
Software vulnerabilities and Attacks
process levels
Processes at this level are normally undocumented and in a state of
dynamic change, tending to be driven in an ad hoc, uncontrolled and
reactive manner by users or events.
This provides a chaotic or unstable environment for the processe
This level of maturity that some processes are repeatable, possibly with
consistent results.
Process discipline is unlikely to be rigorous, but where it exists it may
help to ensure that existing processes are maintained during times of
stress.
This level that there are sets of defined and documented standard
processes established and subject to some degree of improvement over
time.
These standard processes are in place.
The processes may not have been systematically or repeatedly utilized
enough for the users to become competent or the process to be
validated in a range of situations.
Processes at this level uses process metrics, effective achievement of
the process objectives can be evidenced across a range of operational
conditions.
The suitability of the process in multiple environments has been tested
and the process refined and adapted.
Process users have experienced the process in multiple and varied
conditions, and are able to demonstrate competence.
Processes at this level focus on continually improving process performance through both incremental and innovative technological changes/improvements.
Addressing statistical common causes of process variation and changing
the process to improve process performance.
Acceptance testing:
Is the software functional for the users who will be using it? It is
tested by the users and application managers.
click to edit
Does the software and all of the components it interacts with
ready requirements for operation.
Tested by system administrators are the backups in place, do
we have a DR plan, how do we handle patching, is it checked for
vulnerabilities, ...?
Does the software fulfil the contract specifications? The
what/where/how of the acceptance is defined in the contract.
Is the software compliant with the rules, regulations and laws of our industry?
Does the software interface as expected with other applications
or systems?
Does the software perform as expected in our production
environment vs. the development environment?
When we buy software from vendors either COTS (Commercial Off The Shelf) or
custom built software we need to ensure it is as secure as we need it to be.
Vendors claims of security posture should until proven be seen as marketing
claims.
We need to do our due care and due diligence, as well as use outside council if
needed.
Many organizations deal with C-level executives going to conferences and
buying software that the organization may not want or need
Software development and procurement as well as any other project should be
carefully scoped, planned be based on a clear analysis of what the business
needs and wants.
COTS (Commercial Off-the-Shelf) Software
Custom-Developed Third Party Products
Access Control Defensive
Access Control Categories:
Administrative (Directive) Controls:
Organizational policies and procedures.
Regulation.
Training and awareness.
Technical Controls:
Hardware/software/firmware – Firewalls, routers, encryption.
Physical Controls:
Locks, fences, guards, dogs, gates, bollards.
Type
Preventative
Detective
Corrective
Recovery
Deterrent
Compensating
IAAA
Identification
Authentication
Authentication (passwords, pass phrase, PIN etc.)
password
attacks
Brute Force attacks
Key stretching
Dictionary attacks
Rainbow tables attacks
Keylogging
physical
software
protections
salting
nonce
arbitrary number that may only be used once
Clipping levels
couple of extra tries
Authentication (ID, passport, smart card, token, cookie on PC etc.).
smartcard
ICC
click to edit
contact
contactless
tokens
HMAC-based one-time password
hared secret and incremental
counter, generate code when
asked, valid till used
Time-based One-Time Password
Single-use passwords
Magnetic Stripe Cards:
Authentication (and
Biometrics) (Fingerprint, iris scan, facial geometry
etc.).
biometrics
Errors for Biometric Authentication
FRR
False rejection rate
FAR
False accept rate
CER
Crossover error rate
click to edit
characteristics
Behavioral characteristics
can change
Physiological characteristics
cannot change
Authentication (IP/MAC Address).
Authentication (Signature, pattern unlock)
What are you allowed to access
DAC, MAC, RBAC, RUBAC
Discretionary Access Control - Discretionary Access Control
when Availability is most important
Access to an object is assigned at the discretion of the object owner.
The owner can add, remove rights, commonly used by most OS's’.
Uses DACL’s (Discretionary ACL), based on user identity
Mandatory Access Control
Access to an object is determined by labels and clearance, this is often used in the military or in organizations where confidentiality is very important.
when Confidentiality is most important
Labels:
object
Clearance:
subject
Access to an object is determined by labels and clearance, this is often used in
the military or in organizations where confidentiality is very important
Role Based Access Control)
when Integrity is most important
Attribute Based Access Control
Can also be referred to as policy-based access control (PBAC) or claims-based access control (CBAC)
Access to objects is granted based on subjects, objects
AND environmental conditions.
Subject (user)
Name, role, ID, clearance, etc.
Object (resource)
Name, owner, and date of creation.
Environment
Location and/or time of access, and threat levels.
Expected to be used by
70% of large enterprises within the next 5 years,
versus around 10% today
Access to an object is controlled based on certain contextual parameters, such
as location, time, sequence of responses, access history.
Providing the username and password combination followed by a challenge and
response mechanism such as CAPTCHA, filtering the access based on MAC
addresses on wireless, or a firewall filtering the data based on packet
Access is provided based on the attributes or content of an object, then it is
known as a content-dependent access control.
In this type of control, the value and attributes of the content that is being
accessed determine the control requirements.
Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.
(also often referred to as Auditing)
Trace an Action to a Subject’s Identity
rove who/what a given action was performed by (non-repudiation)
access control
centralized
pro
All systems and locations have the same security posture.
only a few people have access and can make changes
easy to manage
few people have access
cons
All systems and locations have the same security posture.
decentralized
hybrid
Access control
Identity and access provisioning:
Identity and access provisioning lifecycle
Federated identity
FIDM (Federated Identity Management)
SSO is a subset of federated identity management, it only uses
authentication and technical interoperability
technologies
SAML
xml bases
exchanging
authentication
authorization
OAuth
OpenID
Security Tokens
Microsoft Azure Cloud Services
Windows identity Foundation
Super sign-on
IDaaS (Identity as a service)
Communications or cryptographic protocols designed to transfer authentication data
between two entities.
They authenticate to the connecting entity (often a server) as well as authenticate itself
(often a server or desktop) by declaring the type of information needed for
authentication as well as syntax.
It is the most important layer of protection needed for secure communication between
network
Kerberos:
Asset Management:
Patch Management
Change Managemen
flow
Identifying the change.
Propose the change.
Assessing risks, impacts and benefits of implementing and not implementing.
Provisional change approval, if testing is what we expect this is the final approval.
Testing the change, if what we expected we proceed, if not we go back.
Scheduling the change.
Change notification for impacted parties.
Implementing the change.
Post implementation reporting of the actual change impact.
Evaluation Methods, Certification and Accreditation:
products
The Orange Book"
The Trusted Computer
System Evaluation Criteria – (TCSEC)
ITSEC
ITSEC
The European Information Technology Security Evaluation Criteria
The International Common Criteria (ISO/IEC 15408)
The product or system that is the subject of the evaluation.
A document which identifies security
requirements for a class of security devices. Products can comply with
more than one PP. Customers looking for particular types of products
can focus on those products certified against the PP that meet their
requirements.
The document that identifies the security
properties of the target of evaluation. The ST may have one or more
PPs.
How did the system or product
score on the testing?
EAL Level 1-7:
EAL1: Functionally Tested.
EAL2: Structurally Tested.
EAL3: Methodically Tested and Checked.
EAL4: Methodically Designed, Tested and Reviewed
EAL5: Semi-formally Designed and Tested.
EAL6: Semi-formally Verified Design and Tested.
EAL7: Formally Verified Design and Tested.
A full picture approach to assessing how effective our access controls are, they
have a very broad scope.
Security assessments often span multiple areas, and can use some or all of these
components:
Policies, procedures, and other administrative controls.
Assessing the real world-effectiveness of administrative controls.
Change management.
Architectural review.
Penetration tests.
Vulnerability asses
Security audit:
SOC2
SOC 2 Type 1
report on management’s description of a service organization’s system and the suitability of the design of controls.
SOC2 Type 2
report on management’s description of a service
organization’s system and the suitability of the design and operating effectiveness of controls.
Internal and 3rd-Party Audits
External auditors who validate our compliance, they are experts and the
audit adds credibility.
Can also be a knowledge transfer for the organization, required annually
in many organizations.
Internal auditors to improve our security and find flaws, often done
before an external audit.
Reviewing security audit logs in an IT system is one of the easiest ways to verify
that access control mechanisms are working as intended.
Reviewing audit logs is primarily a detective control.
NIST Special Publication 800-92 suggests
Network Security Software/Hardware
Operating System
Centralized Logging:
Vulnerability scanning/testing:
Penetration Testing (Pen Testing)
process
Discovery
Gaining Access:
type
blackbox
White box
Gray (Grey) box
vector
Social engineering
Authority
click to edit
Intimidation
attacks
leverage
Consensus
Scarcity
Urgency
Familiarity
Uses modem to dial a series of phone numbers, looking for an answering modem carrier tone, the penetration tester then attempts to access the answering system.
War driving
Network attacks
Wireless tests
Software testing
Static testing
Passively testing the code, it is not running
Dynamic testing
Actively testing the code while executing it.
approach
White box software testing:
Black box software testing
Normally a table, used to map customer requirements to the testing plan using a many-to-many relationship comparison.
A requirements traceability matrix may be used to check if the current project requirements are being met, and to help in the creation of a
request for proposal, software requirements specification, various
deliverable documents, and project plan tasks.
test
Software Testing levels
Unit testing
Tests that verify the functionality of a specific section of code
Integration testing
Component interface testing
Used to conduct operational readiness (pre-release) of a
product, service or system as part of a quality management
system.
Software Testing types:
Testing that provides a lot of different inputs in order to try to
cause unauthorized access or for the application to enter
unpredictable state or crash.
If the program crashes or hangs the fuzz test failed.
The Fuzz tester can enter values into the script or use pre-
compiled random or specific values.
Mutating fuzzing
The tester analyses real info and modifies it iteratively.
All-Pairs Testing is defined as a black-box test design technique
in which test cases are designed to execute all possible discrete
combinations of each pair of input parameters.
Executing a malicious act against a system, attackers won't do
what normal users would, we need to test misuse to ensure our
application or software is safe.
Identifies how much of the code was tested in relation to the
entire application.
To ensure there are no significant gaps where a lack of testing
could allow for bugs or security issues to be present that
otherwise should have been discovered.
With 50+ millions line of code in a Windows OS, often spot
checks on critical areas are only enforced