December 3
Internal support systems should be in place in case of power loss or natural disaster. For electric power, use a UPS, a generator or other backup sources. Online UPSs are connected to the AC power and can pick up the load quickly. Standby UPSs are inactive until power fails. A UPS can carry the load only for a limited time, so backup power supplies (redundant line, generator) are necessary. The company must choose which systems are protected by a UPS and whether they shut down on power failure or must stay on constantly. UPSs should be tested regularly.
Electric interference (line noise) is either electromagnetic interference (EMI) or radio frequency interference (RFI). Fluorescent lighting causes RFI. A motor causes EMI. Voltage fluctuations are:
- Power excess: spike, surge (longer, from lightning)
- Power loss: fault, blackout
- Power degradation: sag/dip, brownout (reduced voltage caused by high use)
- In-rush current (initial surge when systems start): use different electrical segments, voltage regulators, line conditioners
Prevention:
- Plug electrical devices into a surge protector
- Shut down in an orderly fashion
- Use power line monitors
- Use regulators
- Shield lines and cables
- Do not run power lines directly over fluorescent lights
Environmental issues concern air quality, water, gas, heating... Water and gas lines should have emergency shutoff valves and positive drains (contents flow out). The air conditioning system (HVAC) must be used to keep the systems' heat and humidity at the correct level (use a hygrometer). Static electricity builds up when two dissimilar objects touch each other (use antistatic armbands). Ventilation systems should be closed-loop (the air is re-used after filtering) and use positive pressurization (against contamination; in a fire the smoke goes out).
Fire prevention includes training employees, building with fire barrier material, installing fire extinguishers, using the proper fire suppression material, storing combustible material in a safe place, and identifying possible ignition sources and fuels. Fire detection and suppression (manual and automatic) must be in place. Portable extinguishers carry a notice explaining which types of fire they should be used on. Smoke detectors are:
- Smoke activated (early detection; uses a photoelectric device that detects variation in light intensity)
- Heat activated (detects a high temperature (fixed) or a rise in temperature over a period of time (rate-of-rise))
They should be located in the right places and can be linked to the fire station. In case of fire, the HVAC should switch off. Fire types are:
- A: common combustibles, suppress with water, foam
- B: liquids, suppress with gas, CO2, foam, dry powders
- C: electrical, suppress with gas, CO2, dry powders
- D: combustible metals, suppress with dry powders
CO2 is lethal, colorless and odorless and can be used in unattended facilities. In the past Halon was used for electrical equipment, but it is dangerous for humans, so substitutes are used today (FM-200 or other EPA-approved agents). When water sprinklers are used, the electric current must be turned off before the water is released. Water sprinkler types are:
- Wet pipe (closed head system): water remains in the pipes and is discharged by temperature control level sensors
- Dry pipe: holds pressurized air that is released by a fire, opening a valve so that water comes out of a tank
- Preaction: like dry pipe, but once water is in the pipe it is not released immediately (a thermal-fusible link is used). Used in data processing environments
- Deluge: larger sprinklers for bigger water volumes
Perimeter security is built in layers and has 2 main operating modes (when the company is open and when it is closed). Facility access controls can be:
- Locks (keys, programmable)
  - Warded lock (cheapest, easy to crack, uses common keys)
  - Tumbler lock (pin tumbler, wafer tumbler, lever tumbler)
  - Combination lock (mechanical wheels or electronic keypad)
  - Cipher locks (programmable, the code can change, execute alarms...)
    - Can detect door delay, key override, use master keys, hostage alarm
    - Smart locks use individual codes instead of the same code for everyone
  - Device locks (cables, switch controls, port controls, peripheral switch controls, cable straps)
Lock strength is measured from grade 1 to grade 3 (more strength) and cylinder security as low, medium or high. Correct key management is very important. Attackers use a tension wrench and techniques like raking. With access control, a common problem is piggybacking (a person follows another closely and goes through at the same time). Access cards can be:
- User-activated (swipe or PIN)
- System-sensing (proximity readers or transponders)
External boundary protection mechanisms can be put in place (physical barriers, cameras, guards, signs, fences...). PIDAS (Perimeter Intrusion Detection and Assessment System) fencing detects when someone tries to get in. Gates have 4 classifications (under UL, Underwriters Laboratory):
- I: residential
- II: commercial
- III: industrial
- IV: restricted areas
Bollards protect against vehicles driving into the building. Use proper lighting, glare protection, continuous lighting (controlled, so as not to blind the neighbors), standby lights and responsive area illumination (triggered by IDS detection). Use surveillance devices: visual recording devices, closed-circuit TV (CCTV), camera recorders, CCD cameras. The focal length is important (2.8-4.3mm for a warehouse, 8mm for an entrance), as are zoom and moving cameras (PTZ: pan, tilt, zoom). Use an auto iris lens where the light changes. Intrusion detection systems are of different types:
- Electromechanical systems detect changes in circuits (open doors, vibrations, pressure pads)
- Photoelectric systems detect changes in light beams (like smoke detectors, ray lights)
- Passive infrared systems detect changes in heat waves
- Acoustical detection systems use microphones
- Wave-pattern motion detectors detect different frequencies (microwave, ultrasonic, low frequency)
- Proximity detectors (capacitance detectors) emit a magnetic field and detect its disturbance
Guards and dogs can be used (and must be combined with IDS). Logs must be kept for physical access controls and they have to be tested and drilled. Threat categories are:
- Natural environmental threats (floods, fire, earthquake...)
- Supply system threats (water, electricity, communication...)
- Manmade threats (vandalism, errors, theft...)
- Politically motivated threats (terrorism, strikes...)
The overall goal is life safety! Physical security is about safety and security. It is implemented in a layered approach, each layer protecting the layers inside it. The goals are availability, integrity and confidentiality. A team of designers must plan physical security, taking into consideration the acceptable risk level and defining the threat profile (internal and external) and the tactics attackers would use. In collusion, internal and external people work together to build an attack. A physical security program should address these goals:
- Crime and disruption prevention
- Reduction of damage
- Crime or disruption detection
- Incident assessment
- Response procedures
The performance of the security program must be evaluated and improved (for efficiency and productivity). A baseline of acceptable risk level must be defined. After implementation, the results must be measured to see whether the baseline is met.
Crime Prevention Through Environmental Design prevents crime through appropriate design of the physical construction. Target hardening focuses on protecting a target through physical construction. Natural access control is the guidance of people entering and leaving a space (doors, lights...). Several security zones can be built (controlled, restricted, public, sensitive). Natural surveillance attempts to make attackers feel uncomfortable by opening spaces to maximum visibility. Territorial reinforcement attempts to create a sense of dedicated community (it extends the company's boundary), so that employees feel proud of belonging to this environment.
Designing a physical security program involves studying the physical situation of the building, people's behavior and activities, and laws and regulations (use a facility safety officer), performing a risk analysis and building a physical security policy. Facilities must be chosen by considering visibility, surrounding areas, accessibility and natural disasters. Construction materials have to be considered. Load ratings must match the machines that will be used. Windows, doors, codes, electric power supplies, grounding, fire detection, heating and water must be designed cost-effectively. Fire protection construction material ranges from light frame and heavy timber to incombustible and fire-resistant (the building will not collapse). The entry points of a company are critical (doors, windows, roof access, fire escapes, chimneys, service delivery, ventilation). A mantrap is a small room with 2 doors: the first authentication lets the person in, then the first door closes and a second authentication must happen (the person is trapped). A fail-safe system unlocks automatically on power failure. A fail-secure system locks automatically on power failure.
Windows are made of standard, tempered (stronger) or acrylic glass (strongest, but can burn), and can be built with embedded wires, laminated, UV filtering or tinted... Internal partitions should be correctly separated (beware of dropped ceilings).
Computer rooms are designed to protect computers, which can be managed remotely. Strict access mechanisms are used, with only one access door (a second only for exit). The data center should be placed in the core of the building; think of flooding, fire and emergency access. Use positive air pressure, air conditioning and UPS. A power-off switch should be placed at the entrance: before the fire suppression agent (which can be a gas instead of water) is released, computers should be switched off.
Asset protection is a big goal (theft, laptop theft, production disruption, material costs, value of data...): inventory, harden the OS, BIOS password, register laptops with vendors, do not check laptops in as luggage, identification labels, back up data, encrypt data, special safes in vehicles, tracking software. Use safes (wall, floor, chests (standalone), depositories, vaults (large)). Passive relocking detects tampering and locks the safe; thermal relocking detects high temperature and locks the safe (extra lock).
December 1
The security modes of operation depend on:
- Types of users
- Type of data (classification, compartments, categories)
- Clearance level, need to know, access approvals
Different security modes are used:
- Dedicated security mode: all users have the required clearance and need-to-know for all data
- System high-security mode: all users have the required clearance for all data, but need-to-know for only some data
- Compartmented security mode: same as system high-security mode, but users need clearance for the data with the highest security level
- Multi-level security mode: the user can only access the data he is cleared to access
Software or hardware guards are used to control information flow between systems with different security levels. The trust level tells the customer how much protection he can expect and the assurance that the system will operate correctly. Trusted computing bases (TCB) are evaluated and rated to provide clear trust levels for the customer. An assurance level goes into more detail and can provide a higher level of trust in a system. In the USA, the National Security Agency (NSA) maintains the National Computer Security Center (NCSC), which is responsible for evaluating computer systems. Its Trusted Product Evaluation Program (TPEP) group oversees testing against a specific set of criteria (guidelines). Different security evaluation methods exist and are described below.
The Orange Book was developed by the Department of Defense. It is called the Trusted Computer System Evaluation Criteria (TCSEC). It uses different assurance levels (each level has different classes, A2 > A1...):
- D: minimal security
- C: discretionary protection
  - C1: discretionary security protection
  - C2: controlled access protection
- B: mandatory protection
  - B1: labeled security (first level where security labels are required)
  - B2: structured protection
  - B3: security domains
- A: verified protection
It contains seven topics:
- Security policy
- Identification
- Labels
- Documentation
- Accountability
- Life-cycle assurance
- Continuous protection
Evaluated products are placed on the Evaluation Products List (EPL). The Orange Book is better suited for organizations than for commercial products (small number of ratings, focus on confidentiality and not integrity). The Rainbow Series are books that cover these limitations. The Red Book, or Trusted Network Interpretation (TNI), covers the security evaluation of networks and contains the following security items:
- Communication integrity (authentication, message integrity, non-repudiation)
- Denial of service prevention (continuity of operation, network management)
- Compromise protection (data confidentiality, traffic flow confidentiality, selective routing)
The Information Technology Security Evaluation Criteria (ITSEC) is mainly used by European countries and evaluates functionality (F1 to F10) (does it provide the security it claims?) and assurance (E0 to E6) (was it built in a proper manner to provide assurance that it will stay secure?). A target of evaluation (TOE) is the system being evaluated.
The Common Criteria (CC) is a collaboration through the International Organization for Standardization (ISO) to merge the different evaluation methods. An evaluation assigns a product an Evaluation Assurance Level (EAL):
- EAL1: functionally tested
- EAL2: structurally tested
- EAL3: methodically tested and checked
- EAL4: methodically designed, tested and reviewed
- EAL5: semiformally designed and tested
- EAL6: semiformally verified design and tested
- EAL7: formally verified design and tested
CC uses protection profiles (PP) that describe the real-world security requirements and the corresponding EAL rating the product will require. A PP contains five sections:
- Descriptive elements (description of the problem)
- Rationale (more details of the real-world problem)
- Functional requirements (protection boundary)
- Development assurance requirements
- Evaluation assurance requirements
A certification explains which level of security a product will provide in which environment. When the security level is recognized and accepted by management (they accept the risk), it becomes an accreditation.
Open systems follow industry standards and can work with each other (Unix, Linux, Windows, Macintosh). Closed systems do not follow standards and are proprietary. They provide better security, but cannot communicate as easily as open systems.
An enterprise security architecture defines policies, standards, solutions and procedures and how they are linked strategically, tactically and operationally. It provides a more proactive approach than the fire-fighting approach with which a company usually addresses security. The Zachman architecture framework is a good template for building a robust enterprise security architecture (matrix of [what, how, where, who, when, why] and [planner, owner, designer, builder, implementer, worker]). Enterprise security architecture follows these items:
- Strategic alignment: risks and regulations are recognized and the plan is accepted
- Process enhancement: business processes can profit from the security to become more effective
- Business enablement: business processes are integrated in the security, or the security should help the business by providing better security, availability or new opportunities
- Security effectiveness: measurement of effective security (SLA, ROI)
Threats are:
- An estimate gives 5 to 15 bugs per 1000 lines of code
- Maintenance hook: a backdoor for maintenance, activated by keystroke sequences. It needs to be removed before going into production
- Time-of-check/time-of-use (TOC/TOU) attack (or asynchronous attack): some data is changed between two steps of an operation to gain more access. A race condition is when two processes use the same resource, one needs to act before the other, and the order changes. Countermeasure: perform critical operations in one single call. Apply locks during security operations.
- Buffer overflow: too much data is passed to an application, so it writes past the limits of the variable in memory. The data can even contain malicious code that is executed once it sits in a different place in memory.
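The TOC/TOU countermeasure above ("critical operations in one single call"), shown on a file read. This is an added example, not part of the original notes; the function names, file names and the `between` hook that stands in for a concurrent process are all hypothetical, and it assumes a POSIX system.

```python
import os
import stat
import tempfile


def read_check_then_use(path, between=None):
    """Weak form: time of check and time of use are two lookups of the same path."""
    info = os.lstat(path)                          # time of check
    if not stat.S_ISREG(info.st_mode):
        raise PermissionError("not a regular file")
    if between:
        between()                                  # another process runs here
    with open(path, "rb") as handle:               # time of use: path resolved again
        return handle.read()


def read_single_call(path, between=None):
    """Hardened form: open once, then check the descriptor that was opened."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)  # refuses a symlink at open time
    try:
        if between:
            between()                              # a later swap cannot affect fd
        info = os.fstat(fd)                        # describes the opened object
        if not stat.S_ISREG(info.st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, info.st_size)
    finally:
        os.close(fd)


def demo():
    """Run both readers against constructed files; returns (racy, safe, refused)."""
    with tempfile.TemporaryDirectory() as root:
        report = os.path.join(root, "report.txt")    # file the caller may read
        private = os.path.join(root, "private.txt")  # file the caller may not read
        with open(private, "wb") as handle:
            handle.write(b"PRIVATE")

        def reset():
            if os.path.lexists(report):
                os.remove(report)
            with open(report, "wb") as handle:
                handle.write(b"public")

        def swap():
            # The change "between two steps of an operation" from the notes.
            os.remove(report)
            os.symlink(private, report)

        reset()
        racy = read_check_then_use(report, between=swap)
        reset()
        safe = read_single_call(report, between=swap)
        try:
            read_single_call(report)               # report is a symlink by now
            refused = False
        except OSError:
            refused = True
        return racy, safe, refused


if __name__ == "__main__":
    print(demo())
```

The check-then-use reader returns the private file's content because the path was resolved twice; the single-call reader returns what it opened and refuses the path once it has become a symlink.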
The Clark-Wilson model was developed to protect the integrity of information and uses the following elements:
- Users
- Transformation procedures (TPs): software that makes sure operations are secure
- Constrained data items (CDIs): manipulated only by TPs (high protection)
- Unconstrained data items (UDIs): manipulated by users (low protection)
- Integrity verification procedures (IVPs): maintain internal and external consistency
Using a TP to modify a CDI is a well-formed transaction. The model integrates the separation of duties. The goals of integrity models are:
- Prevent unauthorized users from making modifications
- Prevent authorized users from making wrong modifications (separation of duties)
- Maintain consistency
Clark-Wilson integrates the 3 goals, Biba only the first. Information flow models (Bell-LaPadula, Biba) focus on information security or integrity levels. Information is compartmentalized based on classification and need to know. A covert channel is a way of obtaining information in an unauthorized manner:
- A covert storage channel uses some type of storage space in the system
- A covert timing channel uses modulation of system resources
Countermeasures must be implemented during the development of the system. In a noninterference model, actions at one security level have no influence on the state of another level (they do not interfere with it). The model tries to ensure that data cannot be passed through covert channels and is a way to limit inference (guessing) attacks. A lattice model is built on the notion of a group. It integrates the notions of least upper bound (what is the lowest authorized action?) and greatest lower bound (what is the highest unauthorized action?). The Brewer and Nash model (Chinese wall model) provides access controls that change depending on previous actions, to avoid conflicts of interest. For example, you cannot write to one data set as long as you can read the other one (because the two data sets belong to competitors). The Graham-Denning model defines basic rights in terms of commands, that is, how to securely:
- create an object or subject
- delete an object or subject
- provide read, grant, delete or transfer access rights
The Harrison-Ruzzo-Ullman model uses a finite set of operations on an object.
November 23
The system architecture has to be well thought out and designed with the overall goal in mind, and security is one of the biggest concerns. It must be decided where, at which level or layer, the security mechanisms have to be implemented. The closer to the user, the more detail-oriented the mechanism is. The more complex the security mechanism is, the less assurance it provides: it is much more difficult to understand what happens and to test. Mechanisms that are too simple may not provide enough security. All the systems must then interact correctly with each other.
The trusted computing base (TCB) is the domain of trusted components. Not all components must be part of it. The TCB includes hardware, software and firmware. Once the TCB level of trust is chosen (for example Orange Book rating B1), all components within the TCB must comply with this level. The TCB is composed of the kernel, but the OS you install must also be part of it. So by installing the OS you choose to install the TCB as well. The OS then has a trusted path (communication path between the user or application and the kernel) and a trusted shell (you cannot work outside it). Microsoft has implemented it since Windows Server 2003, calls it Next Generation Secure Computing Base (NGSCB) and calls its kernel nexus. Processes have to execute in their own execution domain. The 4 basic functions of the TCB are:
- Process activation (deals with the different processes being executed by the CPU)
- Execution domain switching (when a process needs to gain access to a higher protection ring, for example a process in user mode needs to execute an activity in privileged mode)
- Memory protection
- I/O operations
The Orange Book makes it possible to determine a specific level of trust, described in its evaluation criteria. Processes outside the TCB are outside the security perimeter (the boundary between trusted and untrusted). The communication between the two parts needs to be controlled. The reference monitor is an access control concept that ensures subjects (programs, users, processes) have the necessary rights to access objects (file, program, resource). The security kernel implements the reference monitor concept. It has 3 main requirements:
- Isolation (tamperproofing) of the process that implements the reference monitor concept
- It must be invoked for every access
- It must be small enough to be tested and verified
The security policy (toward OS, devices and applications) sets the goals of what the security mechanisms are supposed to do. A multilevel security policy prevents information from flowing from a high security level to a low security level. Least privilege must be implemented (processes gain only the privileges they need). If a higher privilege is required, the process should call another process, or gain the high privilege only for the necessary time and then return to low privilege. The security model is a symbolic representation of the security policy and contains the set of rules a computer must follow. The security policy is abstract; the security model contains the mathematical and technical explanation of how to implement it. With it, programmers are able to write the required code.
The state machine model refers to a specific state at a time t, and each move to another state goes through a transitional state. It is the responsibility of the system to allow or refuse the transition to the new state (is it allowed by the policy?). The system must be able to avoid an insecure state by taking special actions (like a reboot).
The Bell-LaPadula model was developed by the U.S. military. It is a multilevel security policy that describes a secure state machine. The main goal is to prevent secret information from being accessed in an unauthorized manner (confidentiality only). It is very secure and effective. It is a subject-to-object model and has 3 main rules:
- Simple security rule (a subject cannot read data classified at a higher security level = no read up)
- Star property rule (a subject cannot write to a lower security level = no write down, which would mean a downgrading of the information)
- Strong star property rule (a subject with read/write permission can only read/write at the same security level)
The term "domination" is used to designate a higher security level. The basic security theorem says that a system in a secure state where every allowed state transition is secure will remain secure no matter what input occurs. The tranquility principle means that subjects and objects cannot change their security level. Every MAC (mandatory access control) model is a Bell-LaPadula model. Another property of this model is the discretionary security property (ds-property), which allows the MAC and DAC models to be implemented in one OS.
The Biba model is a state machine model similar to Bell-LaPadula but addressing only the integrity of data. It has 3 rules:
- Star integrity algorithm (a subject cannot write to a higher integrity level = no write up)
- Simple integrity axiom (a subject cannot read from a lower integrity level = no read down)
- Invocation property (a subject cannot request service from subjects at a higher integrity level)
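The Bell-LaPadula and Biba rules listed above, written as access checks a reference monitor could apply. This is an added example, not part of the original notes; the `Label` class, the numeric ranks and the compartment names are assumptions, and adding compartments to the level goes one step beyond the single-level rules in the text to show what happens when neither label dominates the other.

```python
from dataclasses import dataclass

# Constructed ranks; the notes name no concrete levels.
UNCLASSIFIED, CONFIDENTIAL, SECRET, TOP_SECRET = range(4)
LOW, MEDIUM, HIGH = range(3)          # integrity ranks for the Biba checks


@dataclass(frozen=True)
class Label:
    rank: int
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """At least as high, and holding every compartment of the other label."""
        return self.rank >= other.rank and self.compartments >= other.compartments


def blp_allows(subject, obj, op, strong=False):
    """Bell-LaPadula: protects confidentiality."""
    if op not in ("read", "write"):
        raise ValueError(op)
    if strong:                         # strong star property: same level only
        return subject == obj
    if op == "read":                   # simple security rule: no read up
        return subject.dominates(obj)
    return obj.dominates(subject)      # star property: no write down


def biba_allows(subject, obj, op):
    """Biba: protects integrity, with the directions reversed."""
    if op == "read":                   # no read down
        return obj.dominates(subject)
    if op in ("write", "invoke"):      # no write up, no invocation upwards
        return subject.dominates(obj)
    raise ValueError(op)


def decisions():
    """Evaluate a constructed set of requests and return the verdicts."""
    analyst = Label(SECRET, frozenset({"crypto"}))
    memo = Label(CONFIDENTIAL, frozenset({"crypto"}))
    plan = Label(TOP_SECRET, frozenset({"crypto"}))
    other = Label(CONFIDENTIAL, frozenset({"nuclear"}))   # incomparable label
    process = Label(MEDIUM)
    return {
        "blp read memo": blp_allows(analyst, memo, "read"),
        "blp write memo": blp_allows(analyst, memo, "write"),
        "blp read plan": blp_allows(analyst, plan, "read"),
        "blp write plan": blp_allows(analyst, plan, "write"),
        "blp read other": blp_allows(analyst, other, "read"),
        "blp write other": blp_allows(analyst, other, "write"),
        "blp strong write memo": blp_allows(analyst, memo, "write", strong=True),
        "biba read high": biba_allows(process, Label(HIGH), "read"),
        "biba write high": biba_allows(process, Label(HIGH), "write"),
        "biba invoke high": biba_allows(process, Label(HIGH), "invoke"),
        "biba read low": biba_allows(process, Label(LOW), "read"),
        "biba write low": biba_allows(process, Label(LOW), "write"),
    }


if __name__ == "__main__":
    for request, allowed in decisions().items():
        print(f"{request:24} {'allow' if allowed else 'deny'}")
```

With incomparable compartments neither label dominates, so both the read and the write are denied.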
Data at a higher integrity level is clean data; data at a lower integrity level is dirty data. The invocation property of this model says that a subject cannot invoke a subject at a higher integrity level (a dirty subject cannot invoke a clean tool to contaminate a clean object).
November 21
2 fundamental concepts are used:
- The security policy is how entities and systems should act to provide security
- The security model explains the requirements for applying the security policy
To apply security correctly, it has to be designed, then implemented with the correct systems and methods, and the goals have to be verified. This chapter explains how to evaluate the security of systems. Computer architecture is composed of:
- The central processing unit (CPU) is the core (x86, SPARC...). It has logic circuits and memory. A register is a temporary storage location from which the CPU takes the next information to execute. The execution is done in the arithmetic logic unit (ALU). Information is composed of instructions (program) and data. The control unit manages and synchronizes the system while different applications access it.
- General registers hold general information
- Special registers hold the program counter (holds the memory address of the next instruction), the stack pointer and the program status word (PSW: holds condition bits like user or supervisor mode)
- An address bus connects to the RAM and I/O devices. Data is sent through the data bus
Multiprocessors can be used in symmetric mode (whichever CPU is available is used) or asymmetric mode (an application has priority and can reserve one CPU).
Operating system architecture is composed of:
- Process management: a process is the set of instructions actually running. The OS assigns memory, CPU time slots, APIs, files... Many processes exist (display data on screen, print jobs, save data) and today they execute simultaneously (OSs are multiprogramming: multiple processes are loaded, and multitasking: they are executed at the same time).
- Cooperative multitasking (Windows 3.1): programs used resources and had to release them themselves.
- Preemptive multitasking (modern OS): the OS uses time sharing for resource allocation
- Processes can launch child processes (forking)
- Process states are running (runs), ready (waits to send instructions) or blocked (waits for input data)
- The OS maintains a process table to keep information on all the processes and to be able to load them into the registers when required
- Interrupts are used to inform processes when they can communicate with the CPU (considering priority levels)
- Maskable interrupts: the program does not need to stop what it is doing when one occurs
- Non-maskable interrupts are critical and cannot be ignored
Thread management: a thread is a collection of data and instructions that has to be worked on by the CPU. Each process can send several threads to the CPU. A thread is dynamically created and destroyed. A multithreaded application is able to carry out several threads at the same time.
Process scheduling consists of algorithms that control the time sharing of the CPU. If a process event does not occur and the other processes are waiting for it, a deadlock occurs. The OS can kill the process to resolve the situation, or load all processes before executing them.
Process isolation can be used by the OS to isolate processes from each other (so that one process hanging will not hang the others):
- With encapsulation, processes cannot communicate directly because data is hidden (data hiding); they have to use the correct interface
- With time multiplexing, the processes share the same resources and the OS controls the sharing
- Naming distinction is applied: each process has its own ID (PID)
- When the application does not work directly with physical memory addresses, this is called virtual mapping, which is controlled by the OS
Memory management must provide an abstraction level for programmers, maximize performance with the available memory and protect the applications and OS loaded into memory. Abstraction means that memory details are hidden. The memory manager allocates and de-allocates memory segments (registers, RAM, swap...) as needed (using a base register = where the memory starts and a limit register = where it ends):
- Relocation
- Protection
- Sharing
- Logical organization (sharing of specific modules like DLLs)
- Physical organization
Memory types are:
- Random access memory (RAM) is where programs and data are temporarily stored for execution. It is volatile and needs to be refreshed or the data is lost; this is why it is called dynamic RAM (DRAM). Static RAM (SRAM) does not need refreshing, so it is faster.
  - Synchronous DRAM (SDRAM) increases speed by synchronizing with the CPU speed
  - Extended data out DRAM (EDO DRAM) is faster because it captures the next block of data while sending the first block
  - Burst EDO DRAM (BEDO DRAM) can send more data at a time
  - Double data rate SDRAM (DDR SDRAM) carries out 2 operations per clock cycle
- Read-only memory (ROM) is non-volatile memory
  - Programmable ROM (PROM) can be programmed only once
  - Erasable and programmable ROM (EPROM) can be programmed several times (erased with UV)
  - Electrically EPROM (EEPROM) does not need UV and can be erased electrically
  - Flash memory is quicker than EEPROM
- Cache memory is temporary memory used by the CPU to speed up access to data that is often used
Memory mapping is used to protect access to memory. A CPU can access memory directly (absolute address), while applications have to go through the logical addresses (relative addresses) of a memory mapper.
Memory leaks occur when the system runs out of memory (for example an application does not give back memory after using it). Hackers use this to produce DoS attacks (the computer hangs). Code has to be better written to release memory, or can use a garbage collector, which identifies unused memory and gives it back to the system.
Virtual memory is composed of RAM and secondary storage like an HDD. Swap space is the reserved space on an HDD used to extend the RAM (pagefile.sys on Windows). The system writes information in page frames (paging). If a crash occurs, the information in the page file is not automatically destroyed; this is a security threat.
To protect itself, a CPU uses protection rings. Inner rings work in privileged mode and outer rings in user mode:
- Ring 0: OS kernel
- Ring 1: OS
- Ring 2: I/O drivers and utilities
- Ring 3: applications and users
Operating system architectures are:
- Monolithic (MS-DOS, Windows NT, 2000, Vista, Linux): no control, but increased speed. OS in ring 0, user in ring 3
- Layered (VAX/VMS, some Unix): system functionality is separated into layers and uses data hiding
- Client/server structure: the OS moves as much code as possible into user mode and keeps only the microkernel in absolute privileged mode
A domain is the set of resources that a subject has access to. A process in a privileged domain can execute its instructions in its execution domain.
Layering and data hiding are both used by layered and client/server OSs.
Evolution of terminology: "monolithic system" = all the code runs in privileged mode (in the kernel).
Virtual machines are simulated environments (VMware; the JVM, Java Virtual Machine, runs applications in web sandboxes).
Additional storage devices like floppy disks, CD-ROMs and USB disks may boot the system. Many devices carry memory (cellular phones) and connect via FireWire, Bluetooth...
I/O device management: HDDs are addressed in fixed-size blocks (block devices); printers, NICs and mice are character devices controlled through a device driver that converts to blocks. Interrupts are used to gain access to the device through the interrupt controller. The OS has to be device independent.
- Programmable I/O is slow because data is sent and then the CPU has to wait until the device is ready to receive the rest
- Interrupt-driven I/O is faster: the CPU sends what it has to print and does something else until an interrupt arrives, so it knows it can send the rest
- I/O using DMA requires a DMA controller that takes all the data from the CPU and does the job for it
- Premapped I/O: the device can access memory directly
- Fully mapped I/O: the device works only with logical memory
November 19
Accountability is used to verify that security is applied and systems are configured properly, to track attacks, to detect intrusions and to reconstruct events. A lot of information is in the logs and the goal is to find the right information in them. Administrators should define what should or should not be logged, and at which clipping level. An IDS can be used to help control the logs and take the correct actions. Audits are used to track problems when they occur, but also to provide alerts before they occur. Audit records are to be kept secure, have mechanisms to protect their integrity, and include logs of high-privilege users. Audits are to be reviewed, not only when event-driven (after an incident) but periodically. Some tools can also help to run real-time audits or to manage the logs, like audit-reduction tools. Keyboard monitoring can be used only under certain circumstances (privacy). If an attacker deletes specific audit data concerning him, it is called scrubbing. Only certain persons should be able to delete or modify audit information. Write-once media (CD-ROM) can be used to keep logs.
Keeping all access control mechanisms effective requires good access control practices (maintenance). That is, some actions must be taken on a regular basis (remove unused accounts, change default passwords...). The following lists possible problems that can arise through social engineering, covert channels, malicious code...:
- Object reuse (USB drives, application processes, old HDDs)
- Emanation security (electric airwaves)
  - The Tempest standard, carried out by the DoD, controls electrical emanations (shielding material). Faraday cages also provide protection against electrical emanation (laptop cover)
  - White noise is a uniform spectrum of random electrical signals, so an attacker cannot pick out the correct information
  - A control zone is a specific area protected against electrical emanations
Access control monitoring is important to keep track of who accesses the network and resources.
- Intrusion detection systems (IDS) detect access frauds and can launch selected operations. They have sensors that collect traffic, an analyzer that can detect frauds and a management console for operation.
- Network-based IDS (NIDS) record network traffic with a network interface card in promiscuous mode (it captures all traffic)
- Host-based IDS (HIDS) are installed on systems and record events on the system itself
- Types of IDS are:
  - signature based (pattern matching, stateful matching): for example, a Land attack is when source IP and destination IP are modified to be the same, and some systems crash. The IDS records a state (set of values) before an attack and after an attack (the set of values has changed). Some IDS can detect state changes happening during an attack
  - anomaly based (statistical, protocol, traffic): the IDS first has a learning mode where it records normal activity. Then it can statistically detect attacks if the activity is out of the normal scope. An IDS can also detect abnormal protocol activities
  - rule based: it is used with an expert system made up of a knowledge base, an inference engine (a kind of artificial intelligence) and rule-based programming (IF...THEN...)
- The role of IDS sensors is to filter data, discard irrelevant information and detect suspicious activity. On switches, the spanning port allows collecting all the data transiting through the switch. It is important to take the traffic load into consideration when using an IDS (IDS overflow)
- An intrusion prevention system (IPS) is more proactive than an IDS and can react directly to protect the perimeter
- A honeypot is a computer with open ports and systems without important information where an attacker can be detected. Enticement is when an attack is detected; entrapment is when the attacker is induced to load information (illegal)
- Network sniffers record all network activity, use filters and allow analyzing the complete network protocols and data
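The signature-based and anomaly-based approaches described above, side by side, as an added example that is not part of the original notes. The packet records, addresses and the three-sigma threshold are constructed assumptions; the signature is the Land condition from the text (source address equal to destination address).

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: int      # second in which the sensor saw the packet
    src: str
    dst: str
    dport: int


def land_signature(pkt):
    """Signature rule from the text: source and destination address are identical."""
    return pkt.src == pkt.dst


def per_second_counts(packets, start, end):
    """Packets per second for every second in [start, end), including empty seconds."""
    counts = {t: 0 for t in range(start, end)}
    for p in packets:
        if start <= p.ts < end:
            counts[p.ts] += 1
    return [counts[t] for t in range(start, end)]


class AnomalyDetector:
    """Statistical detector: learn the normal rate, then flag rates far outside it."""

    def __init__(self, k=3.0):
        self.k = k            # assumed tolerance, in standard deviations
        self.mu = None
        self.sigma = None

    def learn(self, rates):
        self.mu = mean(rates)
        self.sigma = pstdev(rates) or 1.0   # avoid a zero-width "normal" band

    def is_anomalous(self, rate):
        return abs(rate - self.mu) > self.k * self.sigma


def run_ids(baseline_pkts, baseline_window, live_pkts, live_window):
    """Return alerts as (detector, second, detail) tuples."""
    detector = AnomalyDetector()
    detector.learn(per_second_counts(baseline_pkts, *baseline_window))
    alerts = []
    for p in live_pkts:
        if land_signature(p):
            alerts.append(("signature", p.ts, f"LAND {p.src}"))
    rates = per_second_counts(live_pkts, *live_window)
    for second, rate in zip(range(*live_window), rates):
        if detector.is_anomalous(rate):
            alerts.append(("anomaly", second, f"{rate} pkt/s"))
    return alerts


def make_traffic(counts, start):
    """Constructed sample traffic: counts[i] packets in second start + i."""
    pkts = []
    for offset, n in enumerate(counts):
        for i in range(n):
            pkts.append(Packet(start + offset, f"10.0.0.{i + 1}", "10.0.1.10", 80))
    return pkts


# Constructed data: ten quiet seconds for learning mode, then five live seconds
# containing one burst (second 12) and one Land-style packet (second 13).
BASELINE = make_traffic([4, 5, 6, 5, 4, 5, 6, 5, 5, 5], start=0)
LIVE = make_traffic([5, 6, 40, 4, 5], start=10) + [Packet(13, "10.0.1.10", "10.0.1.10", 80)]

if __name__ == "__main__":
    for alert in run_ids(BASELINE, (0, 10), LIVE, (10, 15)):
        print(alert)
```

The burst is invisible to the signature rule and the single Land packet is invisible to the rate statistics, which is why the two detector types are deployed together.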
Access control faces several threats:
- Dictionary attacks (test dictionary words against passwords or password hashes, inline, or on the password files)
- Brute force attacks (test all combinations)
- Hybrid attacks (use both attacks)
- Wardialing (test every phone number until a modem responds)
- Spoofing at logon by presenting a fake logon screen to record the user's password
- Phishing by simulating an authoritative entity and trying to get information from the user (bank account, passwords, credit numbers...)
  - fake emails
  - similar domain names or redirection (www.micr0soft.com, www.msn.com@notmsn.com)
  - JavaScript that hides the true domain name
  - popup when you are on a legitimate site, but the popup comes from another site
- Pharming uses a modified DNS server to resolve to the wrong IP address
- Identity theft is when someone uses one's name or account identity
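A check for the two deceptive address forms listed under phishing above, as an added example that is not part of the original notes. The protected-domain list, the digit-to-letter table and the two-label `registered_domain` helper are assumptions for illustration; production code would use the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed list of brands to protect and assumed digit-for-letter substitutions.
PROTECTED = {"microsoft.com", "msn.com"}
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registered_domain(host):
    """Naive registrable domain: the last two labels (assumption, see lead-in)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_url(url):
    """Report the host a browser would really contact and why the URL looks deceptive."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    domain = registered_domain(host)
    findings = []

    # Everything before '@' in the authority is userinfo, not the host.
    if parts.username is not None:
        findings.append("userinfo-before-@")
        claimed = registered_domain(parts.username)
        if claimed in PROTECTED and claimed != domain:
            findings.append("userinfo-impersonates:" + claimed)

    # A domain that only becomes a protected name after undoing digit swaps.
    normalized = domain.translate(LOOKALIKES)
    if domain not in PROTECTED and normalized in PROTECTED:
        findings.append("lookalike-of:" + normalized)

    return {"host": host, "domain": domain, "findings": findings}


if __name__ == "__main__":
    for sample in ("www.micr0soft.com", "www.msn.com@notmsn.com",
                   "https://www.microsoft.com/login"):
        print(sample, "->", inspect_url(sample))
```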
November 18
A security domain is a group of users, applications and network services that are managed under the same security policy and trust level. Domains can be organized in a hierarchy, with trust level inheritance and firewall regulation between them. Single Sign-On systems allow subjects to access different domains without the need to authenticate each time. Directory Services contain information about the different resources, frequently based on the X.500 standard. Examples are LDAP, Novell Netware Directory Service (NDS), Microsoft Active Directory (AD). Thin clients (computers without HDD, DVD-ROM, USB...) provide another technology for Single Sign-On, because they are directly connected to the central server and are easier to control.
Access Control Models dictate how subjects access objects. They are of 3 types:
- Discretionary (DAC: discretionary access control). Each object belongs to its subject and the subject can decide who has access to it. For example, file owners can assign access rights to the file for others (users or groups). This is implemented in Windows, Unix, Linux, Macintosh...
- Mandatory (MAC: mandatory access control). Each object and subject has an associated security label (or sensitivity label) with its classification and category (department, projects...). The category enforces the "need to know" rule. Depending on the level of classification, access is granted or not. This is implemented in special OSs like SE Linux or Trusted Solaris. System guards are used between MAC domains to control the communication.
- Non-discretionary (or role based, RBAC). Users are assigned to roles, and access grants are based only on the roles. It is suited for companies with a high employee turnover.
The RBAC model has several approaches:
- Core RBAC: several roles can be assigned to one user and he will gain the rights corresponding to all the roles
- Hierarchical RBAC: roles follow a hierarchy with inherited access levels. Separation of duties can be applied to avoid fraud:
  - Static Separation of Duty (SSD): a user cannot be a member of two distinct roles
  - Dynamic Separation of Duty (DSD): a user can be a member of two roles, but only one policy applies, depending on which role he is using at the time
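A small policy engine showing core RBAC, role inheritance and the two separation-of-duty rules above, as an added example that is not part of the original notes. All role, permission and user names are constructed, and the choice to apply SSD/DSD to inherited roles as well is an assumption of this sketch.

```python
class RBACError(Exception):
    pass


class RBAC:
    def __init__(self, role_perms, parents=None, ssd=(), dsd=()):
        self.role_perms = role_perms              # role -> set of permissions
        self.parents = parents or {}              # role -> role it inherits from
        self.ssd = [frozenset(p) for p in ssd]    # roles never assigned together
        self.dsd = [frozenset(p) for p in dsd]    # roles never active together
        self.assigned = {}                        # user -> assigned roles
        self.active = {}                          # user -> roles active right now

    def _lineage(self, role):
        """The role plus every role it inherits from (hierarchical RBAC)."""
        seen = set()
        while role is not None and role not in seen:
            seen.add(role)
            role = self.parents.get(role)
        return seen

    def _effective_perms(self, role):
        return set().union(*(self.role_perms.get(r, set()) for r in self._lineage(role)))

    def _check(self, constraints, held, new_role, kind):
        covered = self._lineage(new_role).union(*(self._lineage(r) for r in held))
        for pair in constraints:
            if len(pair & covered) > 1:
                raise RBACError(f"{kind}: {new_role} conflicts over {sorted(pair)}")

    def assign(self, user, role):
        roles = self.assigned.setdefault(user, set())
        self._check(self.ssd, roles, role, "SSD")
        roles.add(role)

    def activate(self, user, role):
        if role not in self.assigned.get(user, set()):
            raise RBACError(f"{user} is not a member of {role}")
        active = self.active.setdefault(user, set())
        self._check(self.dsd, active, role, "DSD")
        active.add(role)

    def deactivate(self, user, role):
        self.active.get(user, set()).discard(role)

    def allowed(self, user, perm):
        """Core RBAC: rights are the union over the roles the user has active."""
        return any(perm in self._effective_perms(r) for r in self.active.get(user, set()))


def denied(fn, *args):
    """True when the policy engine refuses the operation."""
    try:
        fn(*args)
    except RBACError:
        return True
    return False


def demo():
    policy = RBAC(
        role_perms={"clerk": {"invoice:create"}, "senior_clerk": {"invoice:edit"},
                    "approver": {"invoice:approve"}, "auditor": {"ledger:read"}},
        parents={"senior_clerk": "clerk"},
        ssd=[("approver", "auditor")],
        dsd=[("clerk", "approver")],
    )
    out = {}
    policy.assign("alice", "clerk")
    policy.assign("alice", "approver")
    out["ssd_blocks_auditor"] = denied(policy.assign, "alice", "auditor")
    policy.activate("alice", "clerk")
    out["clerk_can_create"] = policy.allowed("alice", "invoice:create")
    out["clerk_cannot_approve"] = not policy.allowed("alice", "invoice:approve")
    out["dsd_blocks_approver"] = denied(policy.activate, "alice", "approver")
    policy.deactivate("alice", "clerk")
    policy.activate("alice", "approver")
    out["approver_can_approve"] = policy.allowed("alice", "invoice:approve")
    out["approver_cannot_create"] = not policy.allowed("alice", "invoice:create")
    policy.assign("bob", "senior_clerk")
    policy.assign("bob", "approver")
    policy.activate("bob", "senior_clerk")
    out["senior_inherits_create"] = policy.allowed("bob", "invoice:create")
    out["dsd_follows_hierarchy"] = denied(policy.activate, "bob", "approver")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```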
Different access control technologies are used to apply the access control models:
- Rule-based access control is based on the logical rule "if X then Y" (for example implemented in firewalls)
- Constrained user interfaces limit what the user can do through an interface. There are 3 sorts:
  - Menus and shells (only the allowed commands are implemented)
  - Database views (displays only the allowed records)
  - Physical (only the corresponding buttons are accessible, for example ATM)
Access control matrices are tables of subjects and objects with the corresponding access rights.
Capability tables specify the access rights of a subject to certain objects. For example, a Kerberos ticket is the capability table of the user.
Access control lists are lists of subjects and authorizations specific to an object. ACLs are used in several OSs.
Content-dependent access control is used by filters granting access depending on the content (for example when surfing the web).
Context-dependent access control grants access depending on the situation. For example, a stateful firewall analyzes the sequence to allow the packets through.
You then need access control administration, which can be centralized or decentralized:
- Centralized access control administration: only one entity has the possibility to manage access control. It uses authentication protocols referred to as AAA (Authentication, Authorization and Auditing):
  - RADIUS: Remote Authentication Dial-In User Service. Remote users provide credentials to an access server (access through phone line, DSL...). The access server asks the RADIUS server, which holds the user name and password, whether the information is correct. Authentication protocols PAP, CHAP or EAP are commonly used. Formerly developed by Livingston Enterprise, it is now an open standard (RFC 2138 and RFC 2139)
  - TACACS: Terminal Access Controller Access Control System (Extended TACACS or XTACACS, TACACS+) uses TCP as transport protocol where RADIUS uses UDP. TACACS uses static passwords, where TACACS+ allows dynamic passwords (one-time passwords). RADIUS encrypts only the password, TACACS+ encrypts all the information. RADIUS combines authentication and authorization, TACACS+ separates the 3 AAA.
  Watchdogs are timers used like a heartbeat to detect software faults or hangs. They can be used in AAA protocols to detect packets that are not sent, for example.
  - Diameter: is based on RADIUS and implements new technologies to support roaming protocols, Mobile IP (using a home IP when traveling), Ethernet over PPP, VoIP. It is composed of a base protocol and the extensions. Diameter is a peer-based protocol, that is, the server can also initiate a communication. It is backward compatible with RADIUS and provides security with IPSec or TLS
- Decentralized access control administration: the controls are given to the entities near the resources. It is faster to give access, but difficult to keep overall control. Inconsistency can arise over time because no central management removes the access rights of an employee when he leaves; some access may have been given by someone and remains
Access control methods provide interoperability through 3 different layers:
- Administrative controls are provided by senior management
  - Policy and procedures (rules...)
  - Personnel control (engagement, termination...)
  - Supervisory structure (each employee has a superior)
  - Security awareness training (build security knowledge for employees)
  - Testing (does security cover our goals?)
- Physical controls (human gatekeepers, doors with locks...)
  - Network segregation (physical or logical)
  - Perimeter security (define areas of security levels)
  - Computer controls (computer physical protections)
  - Work area separation (finance and labs do not share the same areas)
  - Data backups
  - Cabling (protect the signal, select the physical path)
  - Control zone (define different security zone levels)
- Technical controls (control access software and systems)
  - System access (authentication, authorization)
  - Network architecture (IP subnets, DMZ, physical or logical segregation)
  - Network access (controlled by firewalls, routers)
  - Encryption and protocols (confidentiality and integrity of data, enforce specific paths)
  - Auditing (log files and records of activity)
Access control types have different levels of functionality:
- Preventive (avoid incident), administrative (policies, employee checks, data classification, security awareness), physical (badges, guards, locks), technical (passwords, biometrics, encryption, antivirus)
- Detective (identifies incident)
- Corrective (fixes a problem)
- Deterrent (discourage attackers)
- Recovery (bring back to regular operation)
- Compensating (provides alternative, for example if another security can not be used)
- Directive (put in place due to regulation)
November 17
Chapter 4: Access Control (Part III)
Cryptographic keys can be used for authentication. Someone can prove his identity by digitally signing a message (with his private key). With the public key we can verify the signature, verify the origin and the integrity of the message.
A passphrase is a longer password (normally composed of words). The system converts the passphrase into a virtual password that matches the system requirements.
A memory card holds the information (in comparison with smart cards, which process the information). The user can unlock the card with a PIN code to provide the credentials held in the memory card. Memory cards require readers. Another sort of memory card contains no hardware but only scrambled characters. Instead of entering a code, the user is the only person who knows how to read the scrambled data to find out his password. With such memory cards no reader is required.
Smart cards hold the information and can process it. They are of 2 sorts: contact and contactless. Contact smart cards have a chip with visible contacts; contactless cards use an antenna that generates energy when near a magnetic field. It is enough energy to power the internal chip. Authentication with smart cards can use one-time passwords, a challenge/response mechanism or a private key in a PKI environment. Hybrid cards have 2 chips with contact and contactless connectors. Combi cards have 1 chip with both connectors. Smart cards can store information with encryption and/or tamperproof mechanisms.
Smart card attacks are very inventive:
- Fault generation: by introducing errors to the card (low power, data error...) it may be possible to reverse engineer the encryption algorithm by comparing the results
- Side-channel attacks: are non-invasive attacks. Only the behavior of the card in different situations is analyzed. Differential power analysis examines power emission during processing, electromagnetic analysis the frequencies emitted
- Software attacks: like software readers, but try to find out the content of the card
- Microprobing: uses needles and ultrasonic vibrations to remove protection material to connect to the card ROM
Smart cards standards:
- ISO/IEC 14443-1: Physical characteristics
- ISO/IEC 14443-3: Initialization and anticollision
- ISO/IEC 14443-4: Transmission protocol
After authentication, the system has to verify what kind of access is allowed to the resources: this is authorization. Authorization is based on access criteria. The access criteria can be enforced by roles, groups, location, time and transaction types. Assigning rights to a role is efficient, because it is not bound to the person, but to the role a person takes. Rights are also assigned to groups, because several persons need the same access right to one resource. Physical or logical location can also determine the rights to give, for example it is not allowed to gain access from remote locations. Time of day can also be used to restrain access only for a given time (for example during working time). Some restrictions can also be applied depending on the transaction-type (consulting his bank account or doing a money transfer is not the same type of transaction).
The best approach to security is starting from no access and giving access based on need to know.
When employees move from one position to another, they sometimes take their rights with them, gaining more and more rights in the company. This is called authorization creep and should be avoided with controls.
Access rights should be given to allow the worker to do his job and not more. It is the principle of need-to-know or least-privilege. Access rights are decided by the chiefs, and administrators apply the decisions.
In today's heterogeneous and distributed environments, users have to manage several user IDs and passwords. One of the main problems is password management for the user: very often passwords are forgotten and productivity suffers from it. Assigning a single place where the user provides his ID and password, and from where he gains access to all other systems, is called single sign-on (SSO). But this technology suffers from the wide variety of different systems that are not always interoperable. There is also a security issue: if someone gains access, he has access to everything!
Kerberos is a security protocol for authentication based on symmetric keys. It is used for Unix and for Windows since Windows 2000. It allows the use of passwords for authentication but it eliminates the need to transmit the password over the network. Kerberos components are:
- The Key Distribution Center (KDC) is the trusted component that provides authentication services and key distribution.
- Principals are users, applications or network services that have accounts on the KDC. They share secret keys with the KDC. A set of principals is called a realm.
- A ticket is generated by the ticket granting service (TGS) on the KDC and given to a principal to authenticate against another principal (for example a user accessing a printer).
Kerberos process for a user authentication:
- The user authenticates with username/password on the computer: the username is sent to the authentication service (AS) on the KDC
- The KDC sends back a ticket granting ticket (TGT) encrypted with the user's password
- If the computer can decrypt the TGT with the password entered by the user, the authentication is successful
Kerberos process for a user accessing a service:
- The TGT is sent to the TGS on the KDC
- The TGS creates a second ticket with 2 instances of the same session key (1 encrypted with the user's secret key, 1 encrypted with the service's secret key) and an authenticator with the user's information, and sends it back to the user
- The user decrypts the session key, adds a second authenticator and sends it to the service
- The service decrypts the session key and the 2 authenticators and can compare the information to verify the principal and the KDC
Timestamp and sequence numbers are added to authenticators to fight against replay attacks.
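The two exchanges above, simulated end to end with both sides' messages, as an added example that is not part of the original notes. It follows the simplified steps as these notes state them rather than the full protocol; the `seal`/`unseal` HMAC-based construction is a toy stand-in for the symmetric cipher, and all class names, principals and passwords are constructed.

```python
import hashlib, hmac, json, os, time


def kdf(password, salt):
    """Turn a password into the long-term secret key a principal shares with the KDC."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, obj):
    """Toy authenticated encryption (stand-in cipher, for illustration only)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_subkey(key, b"enc"), nonce, len(pt))))
    return nonce + hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest() + ct


def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    good = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or tampered message")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))
    return json.loads(pt)


class KDC:
    def __init__(self):
        self.keys = {}                   # principal -> secret key shared with the KDC
        self.tgs_key = os.urandom(32)    # known only to the KDC, protects TGT contents

    def add_principal(self, name, password):
        self.keys[name] = kdf(password, name)

    def as_request(self, user):
        """AS: only the username arrives; the reply is readable only with the user's key."""
        tgt = seal(self.tgs_key, {"user": user, "exp": time.time() + 600})
        return seal(self.keys[user], {"tgt": tgt.hex()})

    def tgs_request(self, tgt, service):
        """TGS: one fresh session key, sealed once for the user and once for the service."""
        t = unseal(self.tgs_key, tgt)
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        session = os.urandom(32).hex()
        for_user = seal(self.keys[t["user"]], {"session": session, "service": service})
        ticket = seal(self.keys[service], {"session": session, "user": t["user"]})
        return for_user, ticket


class Service:
    def __init__(self, key, max_skew=300):
        self.key, self.max_skew, self.seen = key, max_skew, set()

    def accept(self, ticket, authenticator):
        t = unseal(self.key, ticket)                             # issued by the KDC
        a = unseal(bytes.fromhex(t["session"]), authenticator)   # sender holds session key
        if a["user"] != t["user"]:
            raise ValueError("principal mismatch")
        if abs(time.time() - a["ts"]) > self.max_skew:
            raise ValueError("stale authenticator")
        if (a["ts"], a["seq"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["ts"], a["seq"]))
        return t["user"]


def login(kdc, user, password):
    reply = kdc.as_request(user)         # the password itself never crosses the network
    key = kdf(password, user)
    return key, bytes.fromhex(unseal(key, reply)["tgt"])   # ValueError on a wrong password


def fails(fn, *args):
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    kdc = KDC()
    kdc.add_principal("alice", "correct horse battery")     # constructed credentials
    kdc.add_principal("printer", "constructed-service-secret")
    printer = Service(kdc.keys["printer"])
    wrong_pw_rejected = fails(login, kdc, "alice", "not the password")
    key, tgt = login(kdc, "alice", "correct horse battery")
    for_user, ticket = kdc.tgs_request(tgt, "printer")
    session = bytes.fromhex(unseal(key, for_user)["session"])
    auth = seal(session, {"user": "alice", "ts": time.time(), "seq": 1})
    accepted_as = printer.accept(ticket, auth)
    replay_rejected = fails(printer.accept, ticket, auth)
    forged = seal(os.urandom(32), {"user": "alice", "ts": time.time(), "seq": 2})
    forged_rejected = fails(printer.accept, ticket, forged)
    return wrong_pw_rejected, accepted_as, replay_rejected, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The service never contacts the KDC: being able to open the ticket with its own key, and the authenticator with the session key found inside, is what verifies both the KDC and the user.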
Potential weakness of Kerberos:
- Single point of failure of the KDC
- Scalability
- Secret keys are stored temporarily and decrypted on the user's computer
- Kerberos doesn't detect dictionary attacks
- Kerberos can work without network encryption
- Too short keys are vulnerable to brute force attacks
SESAME (Secure European System for Applications in a Multi-vendor Environment) is an improvement of Kerberos that uses symmetric and asymmetric keys. Components are:
- The trusted authentication server is the Privileged Attribute Server (PAS)
- Privileged Attribute Certificates (PAC) are subject's information signed by the PAS (PACs are similar to tickets in Kerberos)
A standard API (Application Programming Interface) is used by SESAME and Kerberos: GSS-API (Generic Security Services API).
November 6
Chapter 4: Access control (Part II)
Biometrics verifies an identity by analyzing a unique individual's behavioral attribute (what you do, but it changes in time: signature) or physical attribute (what you are: iris, retina, fingerprint, which don't change in time).
The biometric system must be very sensitive and needs calibration to limit the number of false positives (false acceptance rate or Type II error) and false negatives (false rejection rate or Type I error).
Crossover error rate (CER, or EER, equal error rate) is a percentage that represents the point where false rejection rate = false acceptance rate (a CER of 3 is more accurate than a CER of 4). CER is used to compare biometric products.
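How the crossover point is found when calibrating a reader, as an added example that is not part of the original notes. The match scores for the two hypothetical products and the threshold grid are constructed; a score at or above the threshold counts as an accepted match.

```python
def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) at one sensitivity setting.

    FRR (Type I):  share of genuine users scoring below the threshold.
    FAR (Type II): share of impostors scoring at or above the threshold.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return far, frr


def sweep(genuine, impostor, thresholds):
    """One row per threshold: (threshold, FAR, FRR)."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds):
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    t, far, frr = min(sweep(genuine, impostor, thresholds),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


# Constructed match scores (0 = no similarity, 1 = identical template).
GENUINE = [0.56, 0.62, 0.68, 0.71, 0.74, 0.77, 0.80, 0.83, 0.86, 0.90]
IMPOSTOR_PRODUCT_A = [0.10, 0.18, 0.25, 0.31, 0.38, 0.44, 0.51, 0.58, 0.66, 0.72]
IMPOSTOR_PRODUCT_B = [0.20, 0.32, 0.41, 0.52, 0.59, 0.63, 0.69, 0.73, 0.78, 0.84]
THRESHOLDS = [t / 100 for t in range(30, 95, 5)]


def compare_products():
    """The product with the lower CER separates genuine users from impostors better."""
    cer_a = crossover(GENUINE, IMPOSTOR_PRODUCT_A, THRESHOLDS)
    cer_b = crossover(GENUINE, IMPOSTOR_PRODUCT_B, THRESHOLDS)
    better = "A" if cer_a[1] < cer_b[1] else "B"
    return cer_a, cer_b, better


if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR_PRODUCT_A, THRESHOLDS):
        print(f"threshold {t:.2f}  FAR {far:.0%}  FRR {frr:.0%}")
    print(compare_products())
```

Raising the threshold trades false acceptances for false rejections, so a single FAR or FRR figure says little about a product; the CER fixes the comparison at the point where the two are equal.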
Biometrics is very expensive and has to deal with some problems: user acceptance, enrollment timeframe, throughput (it should not take more than 5 to 10 seconds to authenticate).
During enrollment, the biometric reader converts the data it reads into binary values (which may be encrypted and/or hashed). During authentication, the user provides his biometric data and the binary information is compared to the one stored during enrollment.
The following are different types of biometric systems:
- Fingerprint: made up of ridge endings and bifurcations called minutiae that are distinctive for each individual
- Palm scan: the palm has creases, ridges, grooves and include fingerprints.
- Hand geometry: shape and width of hand and fingers
- Retina scan: a camera projects a beam to scan the blood-vessel pattern on the backside of the eyeball
- Iris scan: the iris has unique patterns, rifts, colors, rings, coronas and furrows. Iris scan is the most accurate and it remains constant with age
- Signature dynamics: an electrical signal is captured when someone signs (manner, speed, pressure)
- Keyboard dynamics: it measures the speed and motion of typing a specific phrase
- Voice print: some words are recorded, and during authentication a list of some of these words is displayed and compared with the record
- Facial scan: bone structure, nose ridges, eye widths, forehead size and chin shapes
- Hand topography: looks at the different peaks, valleys, overall shape and curvature of the hand. Different cameras catch different views of the hand
Some biometric systems check pulse and/or heat to verify that the person is alive.
A password is a string of characters the user knows. It is the most commonly used authentication system, but also the weakest (because passwords are simple, given to others, written down).
Password management tools increase security. They can include:
- Password generators: make sure passwords are random
- Password requirements: make sure certain types of characters are used
- Password record: make sure the same password will not be used
- Password change: make sure the password is changed periodically
These are techniques to attack a password:
- Electronic monitoring: track network traffic to catch the password and reuse it (replay attack)
- Access password file: contains user's passwords
- Brute force attacks: try many possible strings
- Dictionary attacks: try list of words
- Social engineering: get confidence of the user to gain authorization
- Rainbow tables: using a table of already calculated passwords hash
Some countermeasures:
- Presenting a message to inform of last logon and unsuccessful logons
- Limit logon attempt: (clipping level) lock account after n unsuccessful tries (for minutes or days)
- Password audit: login logs
- Password aging: Limit password lifetime (balance between protection and practicality should be applied)
- Education of the users
- Password checkers (or password crackers): require management's approval to check users' passwords and find the weakest before an attacker would
- Password hashing and encryption: passwords are not sent and stored in clear text; a hash function is used (commonly MD4 or MD5)
- On Windows, password hashes are stored in the SAM (Security Accounts Management) database. Syskey can be used to encrypt the SAM with a local key. It has 3 modes:
  - Mode 1: the key is stored on the system itself
  - Mode 2: the key is stored locally but is protected with a password
  - Mode 3: the key is stored externally (floppy, CD-ROM...)
- On Unix, passwords are stored as a hash in a passwd file. Unix uses a salt (random value) so the same password will not have the same hash value
- Cognitive password: the user responds to questions about himself (cat's name, preferred color...). This system takes time to proceed, so it is used for example by help desks to identify the user or for password reset
- One-Time Password: one password is used only once
- Token Devices (hard- or soft-tokens) are used to generate dynamic passwords. On its side, the system is also able to calculate the same password to verify it.
  - Synchronous: time or a counter is used by the device and the system as reference
  - Asynchronous: uses a challenge/response mechanism. The system sends a random value (nonce), the user enters the value into the device, which returns a one-time password
- Many-Time Password: dynamic passwords are used, but they are valid for a limited time (10 logins, 1 day...)
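Both token styles above, with the device side and the system side computing the same value, as an added example that is not part of the original notes. The synchronous functions use HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), which the notes do not name; the asynchronous response function and the verifier classes are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """Counter-synchronous one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """Time-synchronous variant (RFC 6238): the counter is the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class CounterTokenVerifier:
    """System side of a synchronous token: tracks the counter, burns used codes."""

    def __init__(self, secret, look_ahead=3):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        # The look-ahead window tolerates button presses the system never saw.
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1      # resynchronize; this and older codes are dead
                return True
        return False


def challenge_response(secret, challenge, digits=6):
    """Device side of an asynchronous token: derive a code from the system's nonce."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class ChallengeVerifier:
    """System side of an asynchronous token: issue a nonce, accept one answer to it."""

    def __init__(self, secret):
        self.secret, self.pending = secret, None

    def issue(self):
        self.pending = secrets.token_hex(8)
        return self.pending

    def verify(self, code):
        challenge, self.pending = self.pending, None   # a nonce is answered at most once
        if challenge is None:
            return False
        return hmac.compare_digest(challenge_response(self.secret, challenge), code)


SECRET = b"12345678901234567890"   # the published RFC 4226 test secret

if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])
    system = ChallengeVerifier(SECRET)
    nonce = system.issue()
    print(nonce, system.verify(challenge_response(SECRET, nonce)))
```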
November 5
One month left, I have to hurry up!
Chapter 4: Access Control
Access controls are security features that control how users and systems communicate and interact with each other. Access is the flow from a subject (active request) to an object (passive entity).
Access control is the first line of security that provides control, restriction, monitoring and protection:
- availability: users must have access to do their job
- integrity: modifications must happen only with authorization
- confidentiality: only authorized persons have access to the information (information classification is relevant)
4 steps happen in an access control:
- Identification: verify the subject is who it claims to be (user name)
- Authentication: a second information is asked to verify the identity (password)
- Authorization: check the permissions the subject has
- Accountability: record the subject identity and its manipulations on the system
Race condition is the manipulation of access control order. By completing an authorization before an authentication, a hacker could exploit the system.
Logical access controls (or technical access controls) are software components that provide access control.
There are 3 types of authentication:
- something you know (authentication by knowledge): password, PIN
- something you have (authentication by ownership): key, access card, badge
- something you are (authentication by characteristic): biometric
Strong authentication (or 2-factor authentication) is the use of at least 2 of the 3 types of authentication.
Securing identity follows 3 aspects: uniqueness (each user has a different identity), nondescriptive (the identity should not explain what the subject is (like administrator!)) and issuance (only authorized persons issue identities).
Identity management has different meanings and can contain: user account management, access control, password management, single sign-on, managing rights and permissions, auditing, monitoring... For a company, identity management should provide unique identified identities, manage whole identity life cycle (create, maintain, terminate) for inside and outside access in an automated fashion. Because of the growing complexity of networks and applications, it is more and more difficult to control access. Identity management should simplify administration of these tasks and provide unique management of different systems and technologies access controls.
These are some technologies used for identity management:
- Directories are central databases with information about users and resources (typically LDAP, based on X.500, or Active Directory). The directory service allows the configuration and management of the directory and manages identification, authentication, authorization and access control. Namespaces are used to organize all the items (LDAP assigns DNs (distinguished names) to each object, e.g. dn: cn=Username,dc=CoachCenter,dc=com).
Security policies apply on different levels of the directory tree and manage authorizations. A meta-directory gathers all information from the different directories and databases (authoritative sources) to provide a unique and up-to-date reference of all user and resource information. A virtual directory is quite the same, but does not store the information in its own location; it just points to where it is.
- Web access management (WAM) is software that controls what a web user can access over a browser. A policy server stores the permissions the user has, and web servers request these policies. Often WAM provides single sign-on so the user can use different web resources without the need to authenticate again (but the credentials have to be stored temporarily: cookies). This is done because web connections are based on stateless connections (no permanent connections are used), so each request is a new connection.
- Password management is password reset, password creation, modification and termination on all different systems. To help this management the following techniques can be used:
- Password synchronization (one same password is copied on every system)
- Self-service password reset (by answering some personal questions, the user can reset passwords himself)
- Assisted password reset (helps help-desk to reset passwords in a secure manner, identify the users...)
Legacy single sign-on is the technology that allows a user to authenticate once in a system, and then not need to authenticate again on a different system to gain access (it is not password synchronization; the user does not need to authenticate again). SSO technologies represent a potential bottleneck, single point of failure and single point of attack. 80% of the applications may be SSO compatible, but the remaining 20% may not be.
Account management is the work to create, maintain and terminate user accounts on the different systems. Account management tools help to synchronize the account rights over the different systems and to tailor the accounts for an effective security level. A workflow is applied to know from the manager which resources the employee has access to. If this happens automatically, it helps keep records of all account permission changes. User provisioning refers to giving or taking away a user right depending on the business need.
Profile update allows keeping the users' information centrally for reference. Updates are made by administrators, automatically or by the user himself (self service).
A digital identity does not only contain a user profile. It also contains biometric information and the user's life history.
Identity federation allows multiple companies to share the same user information, so that a user using one service is already authenticated when he requests another service from another company (like airplane + hotel reservation).
October 30
Chapter 3: Information Security and Risk Management (Part IV)
Information classification is used to indicate the level of security to apply. The reason is economic but also for operational purpose (efforts are applied where it should be).
Different schemes of classification are used (not too many and no overlapping), depending on the type of business:
- commercial business: public -> sensitive -> private -> confidential
- military: unclassified -> sensitive but unclassified -> confidential -> secret -> top secret
- common classification: private, privileged, proprietary, for official use only
Criteria used to classify data can be: usefulness, value, level of damage if, laws, loss of opportunity...
Applications and systems must also be classified (level of protection it provides).
When data is classified, the corresponding controls should apply (access control, encryption, auditing, monitoring, backup, change control, physical security).
In a company there are different layers of security. The following roles and responsibilities should be defined:
| Layer | Role | Responsibilities |
|---|---|---|
| Board of directors | Ensure the company runs properly | Be aware of the company's effective health; ensure the company maintains corporate governance; liable under SOX |
| Executive Management | Chief Executive Officer (CEO): strategic planning and operations; Chief Financial Officer (CFO): credit, cash, financing | Company business plan, budgets, partnerships, markets; company financial activities; inform about company health; get information from auditors |
| Chief Information Officer (CIO) | Strategic use of information systems | Report to CEO or CFO; collaborate in business-process management |
| Chief Privacy Officer (CPO) | Ensure customer, company and employee data are secure | Comply with laws; develop policies; Privacy Impact Analysis (risk assessment in protection of sensitive data) |
| Chief Security Officer (CSO) | Understand company business organization; maintain security program | Understand the risks and maintain them at an acceptable level; ensure that business is not interrupted |
| Security Steering Committee | Composed of people from all over the company (CEO, CFO, CIO, dept managers, auditors) | Make decisions on strategic security issues |
| Audit Committee | Evaluate company's internal operations, audit systems | Integrity of financial information; internal controls; performance of auditors and audit functions; compliance with company policies |
| Data Owner | Decide data classification | Protection and use of a specific subset of information |
| Data Custodian | Perform backups, control integrity; restore data | Maintain and protect data |
| System Owner | Ensure the system is protected against vulnerabilities | Integrate security in the system |
| Security Administrator | Manage permissions on systems | Take security into consideration (patches, access control...) |
| Security Analyst | Design level for security policies | Ensure elements are being carried out |
| Application Owner | Owns an application of a specific business unit | Dictate who has access; ensure security of application (patches...) |
| Supervisor | Supervise employees (user manager) | Responsible for user activity |
| Change Control Analyst | Control changes | Accept change requests; ensure security is not affected |
| Data Analyst | Analyzes how data is used | Develop an effective and secure data structure |
| Process Owner | In charge of the processes | Define, improve and monitor processes |
| Solution Provider | Provides solutions | Select the proper solution to a business need |
| User | User of systems and data | Follow security procedures |
| Product Line Manager | Manages company products | Ensure the solutions are effective to build company's products |
| Auditor | Independent controls | Controls the correctness of all activities (including security) in the company (internal or external audits) |
By moving data to and from Europe some rules must be followed:
Personnel are often the most important risk in a company. A clear structure helps safety, and separation of duties (split knowledge: no one knows everything; dual control: two people must be present to complete the task) eliminates a lot of risks. With separation of duties, fraud can happen only through collusion between the people involved. Each employee should sign a nondisclosure agreement and their background should be checked (military records, education, diplomas, references...).
With rotation of duties you ensure that no one stays too long in the same position and you reduce the risk of fraud. Mandatory vacations force an employee to leave their position for a period of time while another employee takes over their responsibilities.
For termination (an employee leaves the company...), exact procedures must be in place.
To inform everyone in the company correctly, effective awareness training must be implemented. Different training must apply to different groups: management, staff, technical personnel. Security training should happen periodically. Other activities can take place to reinforce security awareness (banners...). The program should be evaluated. Skilled staff are a very important element in security, so people have to be well educated.
Review Quick Tips on page 144 of the All in one CISSP study guide.
October 29
Well, I am late... it's time to continue...
Chapter 3: Information Security and Risk Management (part III)
There are 2 approaches to risk analysis: quantitative and qualitative.
Quantitative risk analysis quantifies all risks, their probabilities, damage costs to determine total and residual risks. It is quite difficult to collect all the information for quantitative risk analysis, so it is common to use tools for automated risk analysis. It can display the risks in a probability/severity ratio.
Quantitative risk analysis should follow these steps:
- Assign value to assets (value, maintenance, profit to company, liability...)
- Estimate potential loss per threat (physical damage, loss of productivity, loss of sensitive data, cost for recovering, loss expectancy...)
- Perform a threat analysis (likelihood of each threat, past records, annual rate of occurrence (ARO)...)
- Derive the overall annual loss potential per threat (potential loss and probability, annualized loss expectancy (ALE), cost/benefit of countermeasures...)
- Reduce, transfer, avoid or accept the risk (avoid=discontinue activity that is causing the risk)
Single Loss Expectancy: SLE = asset value x exposure factor (EF)
Annualized Loss Expectancy: ALE = SLE x annualized rate of occurrence (ARO)
The result of the quantitative risk analysis is a report with details of asset value, business impact, frequency, countermeasure effectiveness, countermeasure costs, probability and uncertainty.
Qualitative risk analysis is based on intuition, brainstorming, interviews, surveys, opinions on countermeasures... Everything is based on estimations and each estimation has a level of uncertainty. Scenarios are produced by the people most aware of the risks in the company and summarized in a one-page report. It explains the possible threat, the expected loss, the expected probability (rank 1 to 5 for example) and the advantage of each safeguard. The report presents the results in a Probability/Impact risk matrix.
The Delphi technique allows people involved in the analysis to bring their opinion anonymously to reduce the pressure on each individual.
To calculate the cost/benefit of a countermeasure (or safeguard) we use the following formula:
ALE (before) - ALE (after) - annual cost of safeguard = value of safeguard
It is important not to forget in the costs of a Safeguard all indirect costs (management of the solution, reconfiguration, extra material, new procedures...).
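The SLE, ALE and safeguard-value formulas above, applied to a small risk register. This is an added example, not taken from the study guide; the threats, safeguards and all figures are constructed, and the split into direct and indirect annual cost is an assumption made to show how indirect costs can flip a decision.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # value assigned to the asset
    exposure_factor: float   # EF: fraction of the asset value lost per incident
    aro: float               # annualized rate of occurrence (incidents per year)

    def __post_init__(self):
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be between 0 and 1")
        if self.asset_value < 0 or self.aro < 0:
            raise ValueError(f"{self.name}: asset value and ARO must be >= 0")

    @property
    def sle(self):
        # Single Loss Expectancy = asset value x EF
        return self.asset_value * self.exposure_factor

    @property
    def ale(self):
        # Annualized Loss Expectancy = SLE x ARO
        return self.sle * self.aro


@dataclass(frozen=True)
class Safeguard:
    name: str
    ef_after: float          # EF once the safeguard is in place
    aro_after: float         # ARO once the safeguard is in place
    direct_cost: float       # annual purchase or licence cost
    indirect_cost: float     # annual management, reconfiguration, new procedures...

    @property
    def annual_cost(self):
        return self.direct_cost + self.indirect_cost


def assess(threat, safeguard):
    """Value of safeguard = ALE (before) - ALE (after) - annual cost of safeguard."""
    after = Threat(threat.name, threat.asset_value,
                   safeguard.ef_after, safeguard.aro_after)
    value = threat.ale - after.ale - safeguard.annual_cost
    return {
        "threat": threat.name,
        "safeguard": safeguard.name,
        "sle": threat.sle,
        "ale_before": threat.ale,
        "ale_after": after.ale,          # residual annual loss expectancy
        "annual_cost": safeguard.annual_cost,
        "value": value,
        "value_ignoring_indirect": value + safeguard.indirect_cost,
        "cost_justified": value > 0,
    }


def rank(register):
    """Assess every (threat, safeguard) pair, most valuable safeguard first."""
    rows = [assess(t, s) for t, s in register]
    return sorted(rows, key=lambda r: r["value"], reverse=True)


# Constructed sample register: (threat, candidate safeguard)
REGISTER = [
    (Threat("server room fire", 200_000, 0.25, 0.5),
     Safeguard("gas suppression system", 0.0625, 0.5, 8_000, 2_000)),
    (Threat("laptop theft", 40_000, 0.5, 2.0),
     Safeguard("full-disk encryption", 0.125, 2.0, 3_000, 1_000)),
    (Threat("web server outage", 80_000, 0.25, 1.0),
     Safeguard("standby server", 0.25, 0.5, 8_000, 4_000)),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        verdict = "cost-justified" if r["cost_justified"] else "not cost-justified"
        print(f'{r["threat"]:18} ALE {r["ale_before"]:>8.0f} -> {r["ale_after"]:>8.0f}  '
              f'{r["safeguard"]:24} value {r["value"]:>8.0f}  {verdict}')
```

The standby server looks worthwhile when only its direct cost is counted and turns negative once the indirect cost is included.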
Countermeasures have to be effective. Some of the main characteristics a countermeasure should provide are: modularity, least privilege by default, minimum human intervention, distinction between user and administrator, auditing, minimal impact on and dependence on other components, a reset function, testability, proper alerting and clear reporting...
If a company implements a countermeasure, some residual risk will still remain. If no countermeasure is implemented, the total risk remains.
Now the company has to deal with the total and residual risk. It can:
- transfer it (for example by taking an insurance)
- avoid it (terminate the service concerned by the risk)
- mitigate it (the risk goes under an acceptable level by introducing several countermeasures)
- accept it (accept the potential loss)
Policies, Standards, Baselines, Guidelines and Procedures
It is important that security meets the organization's goals and objectives. The company has to comply with laws and regulations. A good security program must provide a strategy defined in procedures, standards, guidelines, training...
A security policy is a document that explains the roles of security in the company, who is in charge, how to achieve the goals. Policies are:
- organizational security policy: explains roles, responsibilities and regulations; everyone in the company should easily find their own responsibilities and how they have to apply security. The policy also explains what happens if the rules are not applied.
- issue-specific security policy: is a detailed security policy for a specific purpose (for example email policy)
- system-specific security policy: presents the policies specific to the company's infrastructure (allowed applications, how to use the database...)
Policies fall into the following categories:
- regulatory: complies with industry specific regulations (health care, insurance...)
- advisory: explains to the employees how they should act
- information: gives explanation to employees for a bet
Standards and organizational standards define user behavior, how hardware and software are to be used... Standards are the tactical tools to achieve the security goals.
A baseline is:
- a reference point in time to compare against, for example after applying a countermeasure, or
- the minimum level of protection required
Guidelines are recommended actions where standards do not apply.
Procedures are step by step guides to achieve certain goals, like installing a new operating system.
Procedures, standards, guidelines and baselines should be modular (not in the same unique document) for different audience distribution.
Security policies are written in documents, but then, they have to be implemented (training, presentations...)
When a company has accomplished the necessary steps to achieve a certain level of security, we say it practices due care (do correct). By understanding the risks it accomplishes due diligence (do detect).
October 17
Chapter 3: Information Security and Risk Management (Part II)
Security governance is similar to corporate and IT governance but has another focus. It grows in importance because laws and regulations become more important. It is the set of responsibilities and practices exercised by the board to ensure that the strategic goals are achieved with proper use of resources and taking risks into consideration.
The life cycle of a security program is:
- Plan and Organize
  - Establish management commitment
  - Establish oversight steering committee
  - Assess business drivers
  - Carry out a threat profile on the organization
  - Carry out a risk assessment
  - Develop security architectures at an organizational, application, network and component level
  - Identify solutions per architecture level
  - Obtain management approval to move forward
- Implement
  - Assign roles and responsibilities
  - Develop and implement security policies, procedures, standards, baselines and guidelines
  - Identify sensitive data at rest and in transit
  - Implement the following blueprints:
    - Asset identification and management
    - Risk management
    - Vulnerability management
    - Compliance
    - Identity management and access control
    - Change control
    - Software development life cycle
    - Business continuity planning
    - Awareness and training
    - Physical security
    - Incident response
  - Implement solutions (administrative, technical, physical) per blueprint
  - Develop auditing and monitoring solutions per blueprint
  - Establish goals, service level agreements (SLAs) and metrics per blueprint
- Operate and Maintain
  - Follow procedures to ensure all baselines are met in each implemented blueprint
  - Carry out internal and external audits
  - Carry out tasks outlined per blueprint
  - Manage service level agreements per blueprint
- Monitor and Evaluate
  - Review logs, audit results, collected metric values and SLAs per blueprint
  - Assess goal accomplishments per blueprint
  - Carry out quarterly meetings with steering committees
  - Develop improvement steps and integrate into the Plan and Organize phase
Depending on the type of business, the security model focuses on different requirements: a private industry will focus on availability and integrity and a military organization on confidentiality.
Information Risk Management (IRM) is the process of identifying risk, reducing and maintaining it to an acceptable level.
The main risk categories are:
- Physical damage (fire, water, natural disaster...)
- Human interaction (mistakes or sabotage...)
- Equipment malfunction (material failure...)
- Inside and outside attacks (hacking, cracking...)
- Misuse of data (espionage, theft...)
- Loss of data (intentional or unintentional destruction...)
- Application error (bugs...)
The IRM policy is a subset of the corporate risk management policy and addresses level of acceptable risk, risk identification, roles and responsibilities, performance impact, budget, risk monitoring and control.
The risk management team is composed of employees of the organization, and management has to guarantee enough free resources.
Risk analysis is a method of identifying vulnerabilities and threats and assessing possible damage to determine where to implement safeguards. It has 4 main goals:
- Identify assets and their values
- Identify vulnerabilities and threats
- Quantify the probability and business impact of these potential threats
- Provide an economic balance between the impact of the threat and the cost of the countermeasure
A risk analysis provides a cost/benefit comparison. No need to spend more money than the value of protected systems or data. A correct project sizing must be done and management must approve it before continuing. A risk analysis team is composed of key personnel from key areas of the organization.
The value of an asset is calculated considering the cost to acquire or develop it, to maintain and protect it, its value to users and adversaries, the value of intellectual property, the price that others would pay for it, the cost to replace it, liability issues and usefulness. Value can be tangible (computers) or intangible (reputation).
Threats are commonly viruses, hackers, users, fire, employees, contractors, attackers, intruders. Harder to identify are threats within an application's code, which can lead to illogical processing and cascading errors.
Risks have potential loss (immediate loss) and delayed loss (loss after months or years because of a bad reputation).
Risk methodologies: NIST SP 800-30 and 800-66, FRAP (Facilitated Risk Analysis Process), OCTAVE (Carnegie Mellon University's Software Engineering Institute), CRAMM (CCTA Risk Analysis and Management Method) and Spanning Tree Analysis.
Failure Modes and Effect Analysis (FMEA) is a method to identify failures, their causes and effects. It can follow these steps:
- Create a block diagram of a system control
- Consider what happens if each block fails
- Draw a table with failures and their effects
- Correct the design of the system
- Review it with several engineers
For more complex multiple systems a fault tree analysis is a more useful approach. It consists of taking an undesired effect as the root, then identifying all possible failures that can cause this effect, and so on, using OR/AND logical links.
Chapter 3: Information Security and Risk Management
Security management is risk management, security policies, procedures, standards, guidelines, baselines, classification, organization and education.
The process is circular. Management is responsible for defining the goals, evaluating business objectives and requirements and security risks, and defining the steps to address the issues. The necessary resources need to be available.
A top-down approach has to be deployed: from the overall objectives to the detailed implementation.
A security officer role (or security administration) is responsible for monitoring the security program. The following controls are under its responsibility:
- Administrative controls (policies, guidelines, risk management, training, change control)
- Technical controls (access control, passwords, identification, authentication)
- Physical controls (facility access, system locks, monitoring intrusion, environmental controls)
The information owner is responsible for data protection and is liable in case of negligence. He classifies data and dictates how data should be protected.
Security program objectives are (AIC triad):
- Availability (performant systems, backup and quick recovery, no single point of failure, redundancy, environmental protections)
- Integrity (no data alteration, assurance of accuracy, no corruption by viruses or mistakes, access control, intrusion detection, hashing)
- Confidentiality (secrecy on systems, in transit and at destination, shoulder surfing, social engineering, encryption, data classification)
Functional requirement = does this solution carry out the required tasks? Assurance requirement = how sure are we of the level of protection this solution provides?
A vulnerability is a weakness in a system that provides an open door for an attacker. A threat is any potential danger to information or systems. A risk is the likelihood of a threat agent taking advantage of a vulnerability and its impact. An exposure is an instance of being exposed to losses from a threat agent. A countermeasure or safeguard is an action to eliminate a vulnerability or reduce the risk.
A common security mistake is to apply security through obscurity, or to believe that the enemy is less intelligent than you are. It is especially dangerous because it gives a false sense of security. In cryptography the algorithm should not be kept secret; only the key is to be properly protected.
An organizational security model is a framework with different layers. Each layer of protection provides support for the layers below and above it. Layers can be business objectives, vulnerability assessment, penetration testing, risk assessment, risk analysis, risk and threats identification, protection requirements, data classification, functionality evaluation, legal liabilities, security awareness, system reliability, policy and procedures, cost effective solutions, safeguards, countermeasures, data integrity, confidentiality, availability. Daily goals are operational goals. Goals in the midterm are tactical goals while long term goals are strategic goals. Planning with these three goals is called the planning horizon; not all changes can be done in a week.
The CISO (Corporate Information Security Officer) is in charge of creating the security program. Proper authority and budget should be given to him, and his position in the company hierarchy should be high enough to ensure correct communication with the CEO and the IT department. The CISO should inform about government regulations and standards and company risks and has to build the security program (develop budget, security goals, training, procedures...)
ISACA (Information Systems Audit and Control Association) and ITGI (IT Governance Institute) have developed a framework to define goals for the controls to properly manage IT: the Control Objectives for Information and related Technology (CobiT).
CobiT is broken into 4 domains:
- Plan and Organize
- Acquire and Implement
- Deliver and Support
- Monitor and Evaluate
This model deals with 34 control objectives that lay out a complete roadmap for implementing controls.
CobiT was derived from COSO (Committee of Sponsoring Organizations). CobiT is a model for IT Governance (operational), COSO for corporate Governance (strategic).
COSO is made up of the following components:
- Control Environment (company culture and philosophy)
- Risk Assessment (risk objectives and changes)
- Control Activities (procedures)
- Information and Communication
- Monitoring
The most common standard is ISO 17799, derived from British Standard BS7799. An organization can give its customers confidence by certifying against ISO 17799. ISO 17799 part II would be used by the certification party to certify the organization.
ISO 17799 domains are:
- Information security policy for the organization (security goals and objectives)
- Creation of information security infrastructure (security roles and responsibilities)
- Asset classification and control (inventory, classification)
- Personnel security (roles, responsibilities, training)
- Physical and environmental security (location, security perimeter, access control)
- Communications and operations management (change control, incident handling, capacity planning)
- Access control (authentication, monitoring)
- System development and maintenance (security in a system's lifetime)
- Business continuity management (continuity planning and testing)
- Compliance (regulations, audits)
ITIL (Information Technology Infrastructure Library) is the de facto standard of best practices for IT service management. ITIL provides the "how to" achieve the goals.
The standards are moving:
- BS7799 Part I -> ISO 17799:2005 (list of controls) -> ISO 27002 (in the future)
- BS7799 Part II -> ISO 27001:2005 (steps for setting up and maintaining a security program)
October 15
Chapter 2: Security Trends
IT Security has become a major concern for different reasons:
- IT moved from a closed environment (mainframes connected with some terminals and physical access) to a distributed environment (each computer or device is connected with millions of other devices)
- System knowledge was held by a few specialists, but now it is distributed to millions of people through point and click applications over the Internet
- Companies, public and military infrastructures are more and more dependent on their computer and electronic data
- Computing power and intelligence moved from centralized mainframes to decentralized client/server platforms, increasing the number of mistakes and issues generated by individuals (software needs to be "idiot-proof" today)
- The computer has become a very powerful tool that can be dangerous in bad hands
- We move from "hacking for fun" with low consequences to "hacking for profit" with potentially dramatic consequences
Information warfare is the action to deploy, exploit, corrupt or destroy enemy's information and its function, while protecting oneself against those actions.
Computer exploits are kept secret most of the time because companies and organizations don't want to risk a loss of confidence from their customers and don't want to encourage further attacks because their systems are weak. Despite this, companies and organizations are becoming aware of the security risks and many policies or regulations try to inform how to protect oneself (ECP: Electronic Communications Policy, HIPAA: Health Insurance Portability and Accountability Act, PRA: Public Record Act, Sarbanes-Oxley Act...). It is more common to hold the CEO of a company responsible in case of security breaches, and knowing what to do "in case of" can save money. Some insurers also require proof of proper security protections to cover damages.
Governments are responsible for protecting citizens and public infrastructures against cyber attacks. They are aware that they cannot achieve this goal without working with the industry, so they made efforts to build organizations responsible for coordinating the information sharing (DHS: Department of Homeland Security, ISACs: Information Sharing and Analysis Centers). Despite this, these efforts have not been followed by great results and the public sector is relying on private efforts.
Managers often consider that security is only a technical issue under responsibility of the IT staff, but it's wrong. Information security is a management issue that may require technical solutions. Information security should be applied in a top-down approach.
The World Wide Web is an application layer over the Internet that provides new possibilities for companies to gain new customers and sell products and services. But it also brings new issues to companies that connect to the Internet through Web applications and services (XML, SOAP). New data exchange occurs between the company and its customers. A common approach is to introduce two-tier or three-tier architectures.
- A two-tier architecture consists of servers and back-end databases
- A three-tier architecture consists of front-end servers (presentation), middle servers (business application) and back-end databases
But security issues come from two camps: infrastructure and programming. Both should be taken into consideration, and one of the biggest challenges today lies in application security.
Only a layered approach (consider each level of possible attack: programming code, protocols, operating system, application configuration, user activity...) can bring security to a correct level. Attacks can happen on each of the 7 layers of the OSI model. Considering this is an architectural view. An environment evolves over time and the first step in securing it is to find out what the current architecture is.
Once security is applied, it is secure only for a period of time. Patches have to be applied, intrusion detection and scanning have to be used to control the level of security, new security solutions have to be deployed in response to new risks and the security personnel have to learn about the new technologies and threats.
Trust in products and systems is evaluated with different standards: TCSEC (Trusted Computer System Evaluation Criteria or Orange Book for USA), ITSEC (Information Technology Security Evaluation Criteria for Europe)... All countries now agree to apply a common standard: CC or Common Criteria.
Trying to bring some standards to cybercrime laws as well, the OECD (Organization for Economic Co-operation and Development) proposes its Principles of Corporate Governance (guidance for legislation and regulations).
October 14
Chapter I: Becoming a CISSP
CISSP covers 10 domains that can be considered as separated study fields:
- Access Control
- Telecommunications and Network Security
- Information Security and Risk Management
- Application Security
- Cryptography
- Security Architecture and Design
- Operations Security
- Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)
- Legal Regulations, Compliance and Investigation
- Physical (Environmental) Security
CISSP requirements are (you need one of them):
- 5 years experience in 2 CBK (Common Body of Knowledge) domains
- 4 years experience in 2 of the ten CISSP domains + 4 years college or master degree in information security from a National Center of Excellence
- 3 years experience in 2 of the ten CISSP domains + 4 years college or master degree in information security from a National Center of Excellence + 1 professional certification
- 1 sponsor (an ISC2 already certified person) who can certify for your experience
Details of CISSP requirements can be found at ISC2 (ISC2 was founded in 1989 to develop security certifications).
The CISSP Exam is:
- 250 multiple choice questions
- 4 answer choices for each question, only 1 is correct
- 6 hours duration
- 700 points to pass the exam (max 1'000 points)
- questions have different number of points
- the exam is NOT computerized, it's on paper! (it demonstrates how much ISC2 is concerned with possible computer crime in examinations!)
The exam results are communicated after up to 6 weeks, but normally in 1 or 2 weeks. You will only know your score if you DID NOT pass the exam (less than 700 points)!
You can retake the exam as soon as you want (of course, it costs once again). The certification is valid for 3 years. On the ISC2 recertification pages you will find different possibilities to extend your certification after 3 years.
There is a little test at the end of the chapter to see how much you are prepared for the exam. Well, I will have to study a bit: 11 of 22 = 50%! With such questions, if you don't understand a term you are out. So learn the exact meaning and definitions of terms and expressions.
October 13
OK, first of all I have to write in my calendar some reminders: I have to read 25 pages per day for the next 55 days (yes, it gives me some reserve!)
What is CISSP?
CISSP means Certified Information Systems Security Professional.
It is one of today's references for professionals in IT Security. Why would you need CISSP certification? Well, I will come back to this, it's the first chapter of the book. But if you are already looking for exam registration go to www.isc2.org.
Why did I choose this book? Because it is a recommendation of a colleague who already did the certification (and he is quite a reference himself!). The reference of the book can be found on amazon or by searching with ISBN:978-0071497879 ("CISSP Certification All-in-One Exam Guide, 4th Ed. (All-in-One)", Shon Harris). You can also try with other books, including the official ISC2 ones.
But let me introduce you the content of the book. It is divided in 12 chapters. The first (short) chapter is only an introduction. Each following chapter details one topic of the CISSP exam. The chapters are:
- Becoming a CISSP (17 pages)
- Security Trends (35 pages)
- Information Security and Risk Management (102 pages)
- Access Control (124 pages)
- Security Architecture and Design (122 pages)
- Physical and Environmental Security (80 pages)
- Telecommunications and Network Security (178 pages)
- Cryptography (110 pages)
- Business Continuity and Disaster Recovery (66 pages)
- Legal, Regulations, Compliance and Investigation (70 pages)
- Application Security (122 pages)
- Operations Security (82 pages)
The number of pages within each chapter gives you an estimation of how broad the topic is (I have the chance that I have worked many years in networking! ;-)
I will start with chapter one in the next message (I have to do some "productive" job now!)
Some weeks ago I registered for a CISSP Exam. I bought me the "CISSP All in one exam guide" from Shon Harris.
Well, now I noticed that my exam will happen in 55 days and the book has 1112 pages. It means to me that I have to read (and learn) 20 pages per day to pass the exam. I write this blog for three main reasons:
- I need to write down what I understood, or I would forget what I have read the next day
- An open blog gives me a good motivation to follow my plans
- This blog could be a good resume of the CISSP exam guide (and could be a good coach if you want to take the same exam!)
So, let me write down day after day what I have learned!
|