Tuesday, May 6, 2008

WIFI Security

802.11a 5GHz 52Mbps OFDM (ortogonal multiplexing) low distance (hight frequency, lower distance)
802.11b 2,4GHz 5MHz*14channels DSSS (spreaded spectrum) (ch14 only used in Japan)
802.11g 2.4GHz

*Open System Authentication
The only "security" check is the ESSID

*Shared Key authentication

WEP -> CRC32 + RC4 (the same all the communication) -> weak security
WPA -> TKIP + RC4 (different every time)
WPA2-> AES + EAP -> strong security

*Bluetooth attacks
- bluejack send spam anonymously to victyms.
- bluebof exploit overflows in services remotelly.
- bluebug use AT commands on victims cell phone.

Sunday, May 4, 2008

Trusted Computer Base and Reference Monitor

Te Orange Book (Department of Defense Trusted Computer System Evaluation Criteria)
defines the trusted computer base (TCB) as the combination of all hardware, firmware and software responsible for enforcing the security policy.

The Reference Monitor also defined at Orange Book, and refers to an abstract machine that mediates all accesses to objects by subjects.

Saturday, May 3, 2008

Security Models

The main security models are: lattice, state machine, research, Bell-Lapadula (BLP), Biba, Clark-Wilson, access control matrix, information flow models, Graham-Denning, Harrison-Ruzzo-Ullman and Brewer-Nash (chinese wall).

* Latice
- one way information flow
- confidentiality and integrity
- security labels to all objects
- this model is used by (Bell-lapadula, biba, chinese wall)

* State machine
- The policy define the points the secure state can change.
- Check if current state is secure state.
- check the state of the automated information system (AIS)
- Go the one secure state to other secure state.

* Non interference models
- is a research model
- the inputs (high-level actions) don't determine what outputs (low-level actions) can see.
- Restricted flows between inputs and outputs.
- Activities are separated in security levels to reduce leaks.
- Higher security level can not interfere in lowerlevel
- Lower level cannot get any information from higher level.

* Information flow models
- research model
- labeled with security classes
- it could flow upward or at the same level if allowed.
- similar than BLP

* Bell-LaPadula model (BLP)
- Confidentiality model
- Described in the orange book and TCSEC
- Is a state machine
- Mandatory access control
- The MAC is based on labeling both objects and (with classifications) and subjects (with their clearances)
- The system (Reference Monitor) only allows access if the clearance is equal to or higher than the classification.
- Uses latice and matrix.
- simple security -> read down -> subject of lower clearance cannot read an object of higher classification.
- *(star) property -> write/append up -> hight level subject cannot send missages to lower-level object.

* Biba
- Integrity model
- complement to BLP
- simple integrity -> subject read access to object only if subject level <= object level
(absurd but true)
- the integrity * property ->subject have write access to object only if subject level => object level
- no information from a subject can be passed on to an object in higher security level.

* Clark-Wilson
- Integrity by controlling changes
- Suitable for transaction systems
- CORBA is based on Clark-Wilson, it creates relations between objects.
- no changes by unauthorized subjects, no unauthorized changes by unauthorized subjects.
- subject-program-object binding.
- subject authentication and identification
- only a set of programs can access objects
- users can run only a set of programs
- External consistency -> The system is doing what is expected to do.
- Internal consistency -> The data being consistent and similar to real world.
- CDI -> Constrained data item -> integrity protected.
- UCDI -> Unconstrained data item -> data not controlled by Clark-Wilson.
- IVP -> Integrity verification procedure -> Procedure scanning, data and confirming its integrity.
- Transformation procedures -> Procedures allowed only to change a cconstrained data item.

* Access control matrix
- Users, groups and roles down the left hand side.
- All the resources a functions across the top.
- Subjects are listed in rows.
- Objects are listed in columns.

* Graham-Denning
- set of objects, set of subjects, set of rights.
- subjects have process and a domain
- Eight primitive protection:
1. Create object
2. Create subject
3. Delete object
4. Delete subject
5. Read access right
6. Grant access right
7. Delete access right
8. Transfer access right

* Brewer-Nash (chinese wall)
- Prevent conflict of interest.
- Access control rules change user behavior.

Security Frameworks

* ISO/IEC 17799:2005
Is a security best practices. It has a great scope: Business continuiti management, access control, system development security controls, physical and environmental security, civil laws compliance, RRHH security, Information security, comunications and operations management, assent management, security policy and incident management.

* ISO 27001
Information security management specification. Is a complement for the ISO 17799.
Defines an information security management system and creates a framework for the design implementation, management and maintenance of IS processes throughout an organization. Will replace the BS 7799.
Is not a code of practice as 17799, defines the information management system itself.

* BS 7799
Will be replaced by ISO 27001.


SEI-CMMI means: Software Engineering Institute's Capability Maturity Model Integration
SEI is an I+D center contracted to advance software engineering practices.
CMMI ratings help customers determine trustworthy and low-risk vendors of software products and services.
A CMMI level 5 means than organization can prove successful application of government and industry vest practices.

Common Criteria

Common criteria is an ISO standard product evaluation which includes ITSEC and TCSEC.
CC evaluates the protection profiles (PPs) and security targets.

Assurance levels:

EAL 1 Functionally tested, all the threats to security are not seen as serious.
EAL 2 Structurally tested, low to moderate level of independently guaranteed security..
EAL 3 Methodically tested and checked, moderate level of independently ensured security.
EAL 4 Methodically designed, tested and reviewed. Developers or users require a moderate to high level of independntly ensured security.
EAL 5 Semiformally designed and tested, the requirement is hight level of independently ensured security.
EAL 6 Semiformally verified, designed and tested, for hight risk situations.
EAL 7 Formally verified, designed and tested, for extremelly high risk situations.

Trusted Computer Security Evaluation Criteria

TCSEC only adress with confidenciality, and is published at the Orange Book.


A Verified protection
A1 Verified design

B Mandatory protection
B3 Labeled security
B2 Structured protection
B1 Labeled security

C Discretionary protection
C2 Discretionary protection
C1 Controlled access

D Minimal Security

Common criteria has replaced TCSEC and ITSEC.

Information TEchnology Security Evaluation Criteria

ITSEC is product or system evaluation criteria, is primarily used in Europe and addresses the CIA triad.
The target to be evaluated is the TOE (target of evaluation)
There are two ratings, functionality rating (F1 to F10) and assurance rating (E0 to E6)

Common criteria has replaced ITSEC and TCSEC.

Wednesday, April 23, 2008

Centralized Remote Access

The main protocols that centralize the remote access are:

A good Centralized Remote Access must support the following protocols:
* Unix Login
* SecureID
* Novell NDS
* Microsoft domain authentication systems


Remote Authentication and Dial-In User Service.
Radius is a networking protocol that uses access servers to provide centralized management of access to large networks. RADIUS is commonly used by ISPs and corporations managing access to the internet or internal networks employing a variety of networking technologies, including modems, DSL, wireless and VPNs.
RFC: 2138
Port: 1813/udp
RADIUS uses a challenge/response method for authentication. It uses the MD-5 encryption method to encrypt password information.
The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.
realms like: somedomain.com\username@anotherdomain.com


Terminal Access Controller Access Control System.
Multi-factor authentication.
Extended TACACS (XTACACS) adds more intelligence in the server.
TACACS+ adds encryption to all transmissions and a challenge/response option.
Unlike RADIUS, TACACS+ stores all server options and authentication information in a single file. Some improvements from RADIUS are:
* The shared secret key and accounting information are specified in the configuration file.
* Site-specific extensions are supported by customizable variable length parameter data.
* TCP ensures reliable delivery.


It builds on the strengths of RADIUS while improving encryption, authentication, authorization, accounting, and the ability to connect to multiple service providers.
Operates in a peer-to-peer operation instead of a client/server.
Is capable of supporting any number of connection, authentication, authorization, and account types.
Is made up of a base protocol and extension modules.

Network Media

The common problems on the Network Media are:
* Attenuation is signal degradation due to capacitance, conductance, and resistance over distance.
* Crosstalk occurs when the signal from one cable affects the signal on a nearby cable.
* Noise is erroneous signal that is present on the media.
* Eavesdropping is a security problem that happens when data signals are intercepted.

The most dangerous to the less dangerous mediums are:
* Wireless
* Coaxial
* Fiber optics

* Shielding
* Padding


Is highly susceptible to attenuation, crosstalk, and noise.
Is highly vulnerable to eavesdropping. You must encrypt wireless traffic to protect it from interception.


Is not suitable for ring or star topologies because the ends of the cable must be terminated.
Are rarely used in modern networks. Coaxial is difficult to install and maintain.
Types: 10Base5 (ThickNet) and 10Base2 or (ThinNet).

Twisted Pair

Shielded Twisted Pair (STP) has a grounded outer copper shield (or foil) around the bundle of twisted pairs or around each pair. This provides added protection against EMI.

Unshielded Twisted Pair (UTP) does not have a grounded outer copper shield. UTP cables are easier to work with and are less expensive than shielded cables.

Cat 2 is used with 4 megabit Ethernet.
Cat 3 is used with 10 megabit Ethernet or 16 megabit Token Ring.
Cat 4 is used with 16 megabits Token Ring or token bus.
Cat 5 is used with 100 megabit and 1 Gigabit Ethernet and ATM networking.
Cat 5e is similar to Cat 5 but provides better EMI protection. Cat 5e supports 1 and 10 Gigabit Ethernet (Gigabit connections require the use of all four twisted pairs).
Cat 6 is designed for high-bandwidth, broadband communications such as full-motion video.

Fiber Optic

It is made of plastic or glass.
* he core carries the signal. It is made of plastic or glass.
* The cladding maintains the signal in the center of the core as the cable bends.
* The sheathing protects the cladding and the core.

Fiber optic cables are classified as one of two types:

* Single mode cables use a single light ray. The core diameter is around 10 microns. Cable lengths can extend a great distance (less attenuation).
* Multi-mode cables use multiple light rays in a single cable. The core diameter is around 50 to 100 microns. Cable lengths are limited in distance (higher attenuation).

Fiber optic cables:

* Allow for very high speeds and high bandwidth.
* Are immune from crosstalk and noise.
* Allow for greater distances than wireless or other wired media.
* Require specialized equipment to tap, making eavesdropping difficult.

Sunday, April 13, 2008

Data classification

The reason to classify data is to organize it according to its sensitivity to loss or disclosure, indicating the level of confidentiality, integrity and availability required.

Data classification helps ensure that the data is protected in the most cost-effective manner.

The classification is different in every company, but in general there are two man groups:

Private Business

Normally the availability is the main thing, if the service is down, or if data becomes lost, implies a monetary loss and image loss.

Government and military

In Government and military, the confidentiality is the main thing, integrity is the second and availability (normally) is the less important. Because there are secrets to keep, and the money don't come from the data or a service.

The information can be:


Disclosure is not welcome, but it would not impact on the company.


If disclosed could reduce competitive edge.
(technical specifications of a product)


Disclosure seriously affect a company.
(trade secrets, code)
->Business & Military


Special precaution in the integrity.


If disclosed could cause serious damage or national security.
(military plans)

Top secret

If disclosed, it could cause grave damage to a national security
(spy satellite)

Sensitive but unclassified (SBU)

Minor secret.
(medical data)


Data not sensible or classified.

The sensitivity level:
1. Top secret
2. Secret
3. Confidential
4. SBU
5. Unclasified

Data Classification Procedures

1. Identify custodian responsible for maintaining data and its security level
2. Criteria how is classified
3. The owner set the classification
4. Security controls required
5. Document exceptions
6. Methods to transfer the custody to a different data owner
7. Procedures to declassifying the data
8. Security awareness program


Senior management, and other levels of management, understand the vision of the company, the business goals and objectives.
The next layer is functional management, who understand their departments and how security affects their department.
The next layers are operational management managers and staff, understand the techniques and procedures.

The data owner is a member of senior management, he is responsible for negligent acts and decide the classification.

The data custodian maintain and protect the data, for ex. system administrator.

The data user, who routinely uses the data.

The chief information officer (CIO) should work with senior to define procedures.

Business managers determine the level of protection needed, and are involved in the selection of safeguards.

Auditor examines the practices.

Security professional, is responsible for security and carry out the senior manager's directives.

DoD Data Classification

- Top Secret
- Secret
- Confidential
- Unclassified

Data classification is done in mandatory access controls.

Wednesday, April 9, 2008

Policies, Procedures, Standards, Baselines and Guidelines

The senior manager has to protect the computers and information the most cost-effective manner possible by a Risk Management.
He defines the scope of security, what is expected from employees and the consequences of noncompliance will be.
A security program includes: Policies, Procedures, Standards, Baselines and Guidelines

The Policies are the strategy and procedures, standards, baselines and guidelines the tactics. Procedures are the lowest level in the policy chain

Security Policy

The policy provides the fundation, procedures, standards, baselines and guidelines are the security framework.

There are thre categories or types of policies:


Ensures that organization is following the standards by a specific industry or law.


Strongly suggest certain types of behaviors and activities.


Inform about some topics, is not enforceable policy but is to teach people.

The security policies are:

Organizational Security Policy

- How security progam will be set up.
- program's goals
- assigns responsibilities
- strategic and tactical value of security
- how enforcement should be carried.

Organizational security policy provides scope an direction for all future security activities within the organization and define the amount of risk the senior management is willing to accept.

Issue-specific policies

This policies are more detailed, because policies provide direction and structure for the staff.

For example: email security policy

System-specific policy

System policies includes: Computers, Networks, Application and Data.

- approved software list.
- how to configure firewalls.
- how databases have to be protected.
and o on.

More granularity is needed in this kind of policies.


Mandatory rules.
Standards and baselines achieve consistency in security implementation.


Provide the minimum security level necessary throughout the organization,
for ex: At all workstations of the company, at least C2 level is required.


Recommended actions and operations to the staff and users when a specific standard doesn't apply.
Guidelines are flexible.


Tasks detailed step by step to achieve certain goal.
Procedures spell out how the policy, standards, and guidelines will actually be implemented.

Tuesday, April 8, 2008

Risk Management

There are 3 steps in risk management:

1. Asset identification and Value Assignment
2. Quantitative/Qualitative Risk Analysis and assessment
3. Countermeasure and implementation

Asset identification and Value Assignment

Delphy technique consists in make a group, and anonimously, everybody put a value for some risks

Quantitative Risk Analysis

AV asset value
EF exposure factor
SLE single loss expectanci
ARO anualized rate of occurrence
ALE anualized loss expectancy
residual risk -> risk reduced by safeguards (risk never is reduced to 0)
total risk -> we have total risk if don't implement the safeguards.



Coefficients are in range 0-1 with 2 decimals.

Qualitative Risk Analysis

Some levels may be defined, like: dangerous, very dangerous, not dangerous.

Handling Risks

There are 4 options for each risk:

transfer the risk (ex. insurance)
reduce the risk (ex. countermeasures)
rejecting the risk (ex. ignore the risk)
accept the risk (ex. cost of countermeasures outweights the potential loss value AV)

Countermeasure costs:
Product cost
Design/planning cost
Implementation cost
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements
Repair, replace, or update costs
Operating and support costs
Effects on productivity


Caesar Cipher is a substitution algorithm
Asymetric key are easy to distribute, this is a big advantage versus symetric ones.

online ppt

DES - Digital Encryption System

IMB developed DES on 1972, but never was approved by national security, but is a standard for unclassified government data.

Is a symetric private key algorithm that does 16 rounds of transpositions and substitutions.
blocksize 64bits, plain cyphertext.
keysize 56bit - 8bit of parity

Exists HW implementations of DES.

Double DES: key 112bits
Triple DES: very secure, encrypt first key, decrypt second key, encrypt first key.

El Gamal: Extends Diffie-Helman, enabling the encryption and the digital key management.

The only cipher system said to be unbreakable by brute force is one-time pad.

Electronic Code Book (ECB) is a cryptographic tool vulnerable to frequency analysis.
According to Bruce Schneier and Niels Ferguson, the best mode to select for a product would be CTR (counter) but failure to randomize the nonce, and preventing nonce reuse will decrease the security of CTR mode.

The running key cipher is based on modular arithmetic.

Cryptosystem attacks can be: timing, chosen plaintext an differential. But not Rubber hose which is used to attack the user and not the system.

Polyalphabetic ciphers are used for mitigating frequency analysis attack.

Change Control Management

Change control manager ensures that changes are authorized, documented, correct but NOT effective.

Code escrow

Source source code escrow protects against vendor bankruptcy.

X.509 certificate syntax

The current version of X.509 is 3, this are the fields:

1. version
2. serial number
3. signature algorithm ID
4. issuer name
5. validity period
6. subject (user) name
7. subject public key information
8. issuer unique identifier (version 2 and 3 only)
9. subject unique identifier (version 2 and 3 only)
10. extensions (version 3 only)
11. signature on the above fields

CISSP Exam can ask you about valid/invalid fields.

X.509 is supported by PEM, PKCS, S-HTTP, SSL, and other protocols

More info:

Wednesday, February 20, 2008

Security Management Introduction

The responsibilities of a Security Manager:

* What data is valuable, and needs to be protected.
* Ho is responsible for protecting it.
* Define actions for the employees, and consequences for non compliance.
* What type of role security will play in the organization.

Information Security is NOT a technical issue. Is a management issue that may require technical solutions.

To Create Security -> Planed, Designed, Implemented and Maintained

Applied in Top-Down.

The security has to be in line of business objectives.

If the company is damaged by an attacker, the Security Manager will have the responsibility of giving explanatinons.

The best security practices implemented at some technical area are:
Policy, change control and configuration management, trainig and awareness.

Monday, February 11, 2008

CISSP 10 Domains Overview

Here you can see the main concepts of each domain.

Access Control Systems and Methodology

Mechanisms and methods used to enable administrators and managers to control what subjects can access.
* Identification, Authentication, Authorization, Monitoring.
* Access Control Administration.
* Categories and Controls.
* Control Threats and Measures.
* Dana ownership.
* Attacks to the Access Control.

Telecommunications and Network Security

Protocols and devices security.
* OSI.
* LAN, MAN (metropolitan) and WAN technologies.
* Internet, intranet, extranet.
* VPN's, routers, bridges and repeaters.
* topologies.
* Network Attacks.
* Network Security Concepts and Risks.
* Business Goals and Network Security.

Security Management Practices

Company assets to determine the level of protection required, in order to reducing threats and monetary loss.
* Data classification.
* Policies, procedures, standards and guidelines.
* Risk assessment and management.
* Personal security and awareness.

Applications and Systems Development Security

* Data mining and data warehousing.
* Development practices.
* System storage.
* Malicious code.
* Software Based Controls.
* Software Development Lifecyle and Principles.


Cryptographic technologies, and attacks to the cryptography.
* Basic Concepts and Algorithms.
* Symetric vs Asymetric algorithms.
* Signatures and Certification.
* Cryptanalysis.
* PKI.

Security Architecture and Models

Concepts, Principles and Standards for designing and implementing secure applications.
* SO states, kernel functions and memory mapping.
* Security models.
* TCSSE Trusted Computer Security Evaluations (evaluation criteria)
* Common Criteria and ITSEC
* Common flaws in applications and systems.
* Principles and Benefits
* Trusted Systems and Computing Base.
* System and Enterprise Architecture.

Operations Security

Controls over personnel, hardware, systems, auditing and monitoring.
* Administrative responsibilities to personnel and jobs.
* Maintenance concepts. (AV,FW,auditing)
* Preventive, corrective, and recovery controls.
* Standards.
* Media, Backups and Change Control Management.
* Controls Categories.

Business Continuity Planning and Disaster Recovery Planning

Preservation of business activities when faced with disruptions or disasters.
* Resource identification and value.
* Risk assessment.
* Crisis management.
* Response and Recovery Plans.
* Restoration Activities.
* Plan development, implementation and maintenance.

Laws Investigations and Ethics

* Laws, regulations and crimes.
* Licensing and software privacy.
* Export and import laws and issues.
* Evidence types and admissibility into court.
* Incident handling, and forensics.
* Major Legal Systems
* Common and Civil Law
* Regulations, Laws and Information Security

Physical Security

Threats, risks and contra measures to protect: facilities,hardware,data,media and personnel.
* Restricted areas, authorization methods and controls.
* Sensors and alarms.
* Intrusion detection.
* Fire detection, prevention and suppression.
* Fencing security guards, and security badge types.
* Layered Physical Defense and Entry Points.
* Site Location Principle.

How to study CISSP

CISSP Has many domains (10), but it has not much deepening at every domain,"inch deep and a mile wide"

so, is more important to know all domains than getting deeper in few domains.
In all certifications, the most important is to get testing exams, and secondary to study.
You must take notes about every domain, and don't loose much time with the domains where you work every day.
I don't recommend to read only a book, especially if it is not updated.

The exam:
* 250 questions 4 choices and only 1 correct
* 6h I'm slow with exams, and I did it in 5h20'
* 225 scored and 25 questions for research purpose.
* You have to score 700 points.

The trick is to learn concepts like word/phrase -> meaning then it will be easier, for example:
(ISC)2 -> International Information Systems Security Certification Consortium