Wednesday, April 23, 2008

Centralized Remote Access

The main protocols that centralize the remote access are:

A good Centralized Remote Access must support the following protocols:
* Unix Login
* SecureID
* Novell NDS
* Microsoft domain authentication systems


Remote Authentication and Dial-In User Service.
Radius is a networking protocol that uses access servers to provide centralized management of access to large networks. RADIUS is commonly used by ISPs and corporations managing access to the internet or internal networks employing a variety of networking technologies, including modems, DSL, wireless and VPNs.
RFC: 2138
Port: 1813/udp
RADIUS uses a challenge/response method for authentication. It uses the MD-5 encryption method to encrypt password information.
The primary purpose of this data is that the user can be billed accordingly; the data is also commonly used for statistical purposes and for general network monitoring.
realms like:\


Terminal Access Controller Access Control System.
Multi-factor authentication.
Extended TACACS (XTACACS) adds more intelligence in the server.
TACACS+ adds encryption to all transmissions and a challenge/response option.
Unlike RADIUS, TACACS+ stores all server options and authentication information in a single file. Some improvements from RADIUS are:
* The shared secret key and accounting information are specified in the configuration file.
* Site-specific extensions are supported by customizable variable length parameter data.
* TCP ensures reliable delivery.


It builds on the strengths of RADIUS while improving encryption, authentication, authorization, accounting, and the ability to connect to multiple service providers.
Operates in a peer-to-peer operation instead of a client/server.
Is capable of supporting any number of connection, authentication, authorization, and account types.
Is made up of a base protocol and extension modules.

Network Media

The common problems on the Network Media are:
* Attenuation is signal degradation due to capacitance, conductance, and resistance over distance.
* Crosstalk occurs when the signal from one cable affects the signal on a nearby cable.
* Noise is erroneous signal that is present on the media.
* Eavesdropping is a security problem that happens when data signals are intercepted.

The most dangerous to the less dangerous mediums are:
* Wireless
* Coaxial
* Fiber optics

* Shielding
* Padding


Is highly susceptible to attenuation, crosstalk, and noise.
Is highly vulnerable to eavesdropping. You must encrypt wireless traffic to protect it from interception.


Is not suitable for ring or star topologies because the ends of the cable must be terminated.
Are rarely used in modern networks. Coaxial is difficult to install and maintain.
Types: 10Base5 (ThickNet) and 10Base2 or (ThinNet).

Twisted Pair

Shielded Twisted Pair (STP) has a grounded outer copper shield (or foil) around the bundle of twisted pairs or around each pair. This provides added protection against EMI.

Unshielded Twisted Pair (UTP) does not have a grounded outer copper shield. UTP cables are easier to work with and are less expensive than shielded cables.

Cat 2 is used with 4 megabit Ethernet.
Cat 3 is used with 10 megabit Ethernet or 16 megabit Token Ring.
Cat 4 is used with 16 megabits Token Ring or token bus.
Cat 5 is used with 100 megabit and 1 Gigabit Ethernet and ATM networking.
Cat 5e is similar to Cat 5 but provides better EMI protection. Cat 5e supports 1 and 10 Gigabit Ethernet (Gigabit connections require the use of all four twisted pairs).
Cat 6 is designed for high-bandwidth, broadband communications such as full-motion video.

Fiber Optic

It is made of plastic or glass.
* he core carries the signal. It is made of plastic or glass.
* The cladding maintains the signal in the center of the core as the cable bends.
* The sheathing protects the cladding and the core.

Fiber optic cables are classified as one of two types:

* Single mode cables use a single light ray. The core diameter is around 10 microns. Cable lengths can extend a great distance (less attenuation).
* Multi-mode cables use multiple light rays in a single cable. The core diameter is around 50 to 100 microns. Cable lengths are limited in distance (higher attenuation).

Fiber optic cables:

* Allow for very high speeds and high bandwidth.
* Are immune from crosstalk and noise.
* Allow for greater distances than wireless or other wired media.
* Require specialized equipment to tap, making eavesdropping difficult.

Sunday, April 13, 2008

Data classification

The reason to classify data is to organize it according to its sensitivity to loss or disclosure, indicating the level of confidentiality, integrity and availability required.

Data classification helps ensure that the data is protected in the most cost-effective manner.

The classification is different in every company, but in general there are two man groups:

Private Business

Normally the availability is the main thing, if the service is down, or if data becomes lost, implies a monetary loss and image loss.

Government and military

In Government and military, the confidentiality is the main thing, integrity is the second and availability (normally) is the less important. Because there are secrets to keep, and the money don't come from the data or a service.

The information can be:


Disclosure is not welcome, but it would not impact on the company.


If disclosed could reduce competitive edge.
(technical specifications of a product)


Disclosure seriously affect a company.
(trade secrets, code)
->Business & Military


Special precaution in the integrity.


If disclosed could cause serious damage or national security.
(military plans)

Top secret

If disclosed, it could cause grave damage to a national security
(spy satellite)

Sensitive but unclassified (SBU)

Minor secret.
(medical data)


Data not sensible or classified.

The sensitivity level:
1. Top secret
2. Secret
3. Confidential
4. SBU
5. Unclasified

Data Classification Procedures

1. Identify custodian responsible for maintaining data and its security level
2. Criteria how is classified
3. The owner set the classification
4. Security controls required
5. Document exceptions
6. Methods to transfer the custody to a different data owner
7. Procedures to declassifying the data
8. Security awareness program


Senior management, and other levels of management, understand the vision of the company, the business goals and objectives.
The next layer is functional management, who understand their departments and how security affects their department.
The next layers are operational management managers and staff, understand the techniques and procedures.

The data owner is a member of senior management, he is responsible for negligent acts and decide the classification.

The data custodian maintain and protect the data, for ex. system administrator.

The data user, who routinely uses the data.

The chief information officer (CIO) should work with senior to define procedures.

Business managers determine the level of protection needed, and are involved in the selection of safeguards.

Auditor examines the practices.

Security professional, is responsible for security and carry out the senior manager's directives.

DoD Data Classification

- Top Secret
- Secret
- Confidential
- Unclassified

Data classification is done in mandatory access controls.

Wednesday, April 9, 2008

Policies, Procedures, Standards, Baselines and Guidelines

The senior manager has to protect the computers and information the most cost-effective manner possible by a Risk Management.
He defines the scope of security, what is expected from employees and the consequences of noncompliance will be.
A security program includes: Policies, Procedures, Standards, Baselines and Guidelines

The Policies are the strategy and procedures, standards, baselines and guidelines the tactics. Procedures are the lowest level in the policy chain

Security Policy

The policy provides the fundation, procedures, standards, baselines and guidelines are the security framework.

There are thre categories or types of policies:


Ensures that organization is following the standards by a specific industry or law.


Strongly suggest certain types of behaviors and activities.


Inform about some topics, is not enforceable policy but is to teach people.

The security policies are:

Organizational Security Policy

- How security progam will be set up.
- program's goals
- assigns responsibilities
- strategic and tactical value of security
- how enforcement should be carried.

Organizational security policy provides scope an direction for all future security activities within the organization and define the amount of risk the senior management is willing to accept.

Issue-specific policies

This policies are more detailed, because policies provide direction and structure for the staff.

For example: email security policy

System-specific policy

System policies includes: Computers, Networks, Application and Data.

- approved software list.
- how to configure firewalls.
- how databases have to be protected.
and o on.

More granularity is needed in this kind of policies.


Mandatory rules.
Standards and baselines achieve consistency in security implementation.


Provide the minimum security level necessary throughout the organization,
for ex: At all workstations of the company, at least C2 level is required.


Recommended actions and operations to the staff and users when a specific standard doesn't apply.
Guidelines are flexible.


Tasks detailed step by step to achieve certain goal.
Procedures spell out how the policy, standards, and guidelines will actually be implemented.

Tuesday, April 8, 2008

Risk Management

There are 3 steps in risk management:

1. Asset identification and Value Assignment
2. Quantitative/Qualitative Risk Analysis and assessment
3. Countermeasure and implementation

Asset identification and Value Assignment

Delphy technique consists in make a group, and anonimously, everybody put a value for some risks

Quantitative Risk Analysis

AV asset value
EF exposure factor
SLE single loss expectanci
ARO anualized rate of occurrence
ALE anualized loss expectancy
residual risk -> risk reduced by safeguards (risk never is reduced to 0)
total risk -> we have total risk if don't implement the safeguards.



Coefficients are in range 0-1 with 2 decimals.

Qualitative Risk Analysis

Some levels may be defined, like: dangerous, very dangerous, not dangerous.

Handling Risks

There are 4 options for each risk:

transfer the risk (ex. insurance)
reduce the risk (ex. countermeasures)
rejecting the risk (ex. ignore the risk)
accept the risk (ex. cost of countermeasures outweights the potential loss value AV)

Countermeasure costs:
Product cost
Design/planning cost
Implementation cost
Environment modifications
Compatibility with other countermeasures
Maintenance requirements
Testing requirements
Repair, replace, or update costs
Operating and support costs
Effects on productivity


Caesar Cipher is a substitution algorithm
Asymetric key are easy to distribute, this is a big advantage versus symetric ones.

online ppt

DES - Digital Encryption System

IMB developed DES on 1972, but never was approved by national security, but is a standard for unclassified government data.

Is a symetric private key algorithm that does 16 rounds of transpositions and substitutions.
blocksize 64bits, plain cyphertext.
keysize 56bit - 8bit of parity

Exists HW implementations of DES.

Double DES: key 112bits
Triple DES: very secure, encrypt first key, decrypt second key, encrypt first key.

El Gamal: Extends Diffie-Helman, enabling the encryption and the digital key management.

The only cipher system said to be unbreakable by brute force is one-time pad.

Electronic Code Book (ECB) is a cryptographic tool vulnerable to frequency analysis.
According to Bruce Schneier and Niels Ferguson, the best mode to select for a product would be CTR (counter) but failure to randomize the nonce, and preventing nonce reuse will decrease the security of CTR mode.

The running key cipher is based on modular arithmetic.

Cryptosystem attacks can be: timing, chosen plaintext an differential. But not Rubber hose which is used to attack the user and not the system.

Polyalphabetic ciphers are used for mitigating frequency analysis attack.

Change Control Management

Change control manager ensures that changes are authorized, documented, correct but NOT effective.

Code escrow

Source source code escrow protects against vendor bankruptcy.

X.509 certificate syntax

The current version of X.509 is 3, this are the fields:

1. version
2. serial number
3. signature algorithm ID
4. issuer name
5. validity period
6. subject (user) name
7. subject public key information
8. issuer unique identifier (version 2 and 3 only)
9. subject unique identifier (version 2 and 3 only)
10. extensions (version 3 only)
11. signature on the above fields

CISSP Exam can ask you about valid/invalid fields.

X.509 is supported by PEM, PKCS, S-HTTP, SSL, and other protocols

More info: