CH 2: Attacks and monitoring
Monitoring is a necessary function of the auditing process through which subjects are held accountable for their actions and activities with regard to other subjects, objects, or functions on any given system.
A response by an IDS can be active, passive, or hybrid:
---Active response: directly affects the malicious activity of network traffic or the host application.
---Passive response: does not affect the malicious activity but records information about the issue and notifies the administrator.
---Hybrid response: stops unwanted activity, records information about the event, and possibly even notifies the administrator.
Host-based and network-based IDS:
Read page 50. Must read.

________________________________________________________________________________
CISSP CH 6
Humans are the weakest element in any system.
Job descriptions: define what type of individual should be hired.
Elements in designing a job description:
-Separation of duties: a task is divided between multiple individuals so that no one person is in charge of the whole task.
-Job responsibilities: specific tasks that employees should perform on a daily basis.
-Job rotation: rotating employees among numerous job positions.
Collusion: negative activity by two or more people resulting in fraud or theft.

Screening and BV (background verification) checks: important from a hiring point of view.
Includes checking for criminal records, references, friends, etc.
Employee agreements:
NDA: Non-disclosure agreement
NCA: Non-compete agreement
Security roles:
-Senior manager
-Security professional
-Data owner: classifies information, labels data.
-Data custodian: performs the activities that fulfil the CIA triad: performing backups, validating data integrity, deploying security solutions and managing data storage.
-User: person having access to the secured system. The principle of least privilege should be implemented.
-Auditor: tests and verifies that security policies are in place.
Components of security policies:
-Standards: tactical documents that provide steps/methods to accomplish goals.
-Baselines: minimum level of security that must be implemented.
-Guidelines: provide methodologies to implement standards and baselines.
-Procedures: step-by-step how-to documents that describe the exact actions to be performed.
Types of security plans:
-Strategic plan: long-term plan, if updated and maintained. Provides a planning horizon which also includes risk management.
-Tactical plan: provides details to accomplish the goals set by the strategic plan. Usually year-long plans.
-Operational plan: short-term plan based on the strategic and tactical plans.
Security is a continuous process.
Types of security policies:
-Regulatory: discusses the regulations that must be followed.
-Advisory: discusses behaviors and activities that are acceptable and defines the consequences of violation.
-Informative: provides information or knowledge on a topic like the mission statement, vision statement, goals. It is non-enforceable.
RISK: possibility of damage or destruction happening to assets.
Risk terms:
-Asset: anything of value to the organization which should be protected.
-Asset valuation (AV): actual cost + non-monetary expenses.
-Threat: a potential danger to assets.
-Intentional threat: caused by human or non-human threat agents.
-Threat event: accidental exploitation of vulnerabilities.
-Vulnerability: absence or weakness of a safeguard/countermeasure. It is a flaw, loophole or error.
-Exposure: caused when a vulnerability is exploited, thus causing exposure to other elements.
-Realized threat: an event that causes loss.
-Experienced exposure: exposure to a realized threat.
-Risk: assessment of possibility, probability or chance.
-Safeguard: countermeasure.
-Attack: process of exploiting a vulnerability.
-Breach: bypass or thwarting of a security mechanism.
ASSETS are endangered by THREATS, which exploit VULNERABILITIES, which cause EXPOSURE, which is a RISK, which can be mitigated by SAFEGUARDS, which protect ASSETS.
AV (asset value)
EF (exposure factor): PERCENTAGE of loss if a specific asset is violated by a realized risk.
SLE (single loss expectancy): AV * EF
ARO (annualized rate of occurrence): expected frequency at which a threat or risk will occur in a year.
ALE (annualized loss expectancy): SLE * ARO = AV * EF * ARO
ACS (annual cost of safeguard): calculated as "cost per year".
Value/benefit of safeguard: ALE1 (annual loss expectancy before the safeguard was implemented) - ALE2 (annual loss expectancy after the safeguard was implemented) - ACS
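The SLE/ALE/safeguard-value formulas above, carried through on a constructed scenario so the "reduce vs. accept" decision is visible. This is an added example, not part of the notes; the asset figures and the two candidate safeguards are made up.

```python
"""Quantitative risk analysis with the formulas from the notes (SLE, ALE,
safeguard value). Added example, not from the notes; all figures are
constructed for illustration."""
from dataclasses import dataclass

def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV * EF. EF is the fraction of the asset value lost per incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef

def annualized_loss_expectancy(av: float, ef: float, aro: float) -> float:
    """ALE = SLE * ARO = AV * EF * ARO. ARO is incidents per year (may be < 1)."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(av, ef) * aro

@dataclass
class Safeguard:
    name: str
    acs: float        # annual cost of safeguard (purchase amortized + upkeep)
    ef_after: float   # exposure factor once the safeguard is in place
    aro_after: float  # rate of occurrence once the safeguard is in place

def safeguard_value(av: float, ef: float, aro: float, sg: Safeguard) -> float:
    """Value of safeguard = ALE1 (before) - ALE2 (after) - ACS.
    Positive means it prevents more loss per year than it costs."""
    ale1 = annualized_loss_expectancy(av, ef, aro)
    ale2 = annualized_loss_expectancy(av, sg.ef_after, sg.aro_after)
    return ale1 - ale2 - sg.acs

def recommend(av: float, ef: float, aro: float, candidates: list):
    """Best candidate with a positive value, or None if none is cost-justified
    (then 'reduce' is not worth it and the other risk responses apply)."""
    best = max(candidates, key=lambda sg: safeguard_value(av, ef, aro, sg))
    return best if safeguard_value(av, ef, aro, best) > 0 else None

# Constructed scenario: a file server worth 100,000 (AV); a ransomware incident
# destroys 25% of that value (EF) and is expected once every two years (ARO).
AV, EF, ARO = 100_000.0, 0.25, 0.5
CANDIDATES = [
    Safeguard("offline backups", acs=5_000.0, ef_after=0.05, aro_after=0.5),
    Safeguard("endpoint hardening", acs=12_000.0, ef_after=0.25, aro_after=0.125),
]

if __name__ == "__main__":
    print("ALE before safeguards:", annualized_loss_expectancy(AV, EF, ARO))
    for sg in CANDIDATES:
        print(sg.name, "value:", safeguard_value(AV, EF, ARO, sg))
    print("recommended:", recommend(AV, EF, ARO, CANDIDATES))
```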
Responses to RISK:
-Reduce: reducing or mitigating risk is done by implementing countermeasures.
-Assigning/transferring risk: e.g. insurance, etc.
-Accepting risk: risk is accepted if the cost of the safeguard greatly outweighs the cost of the asset. Also means that management has accepted the consequences if the risk is realized.
-Reject/deny risk: done when a risk is concluded as "can never happen", or hoping it can never happen.
(The word realization/realized means to be performed in real time, evaluated/calculated at real time (realize K-maps in digital electronics).)
__________________________________________________________________________
CISSP CH 7: Systems Development Controls
-Virus
-Trojan horse: named after the story of Troy in the Trojan war.
-Worms
Agents/bots: intelligent code that performs actions on behalf of the user. Agents are sent from the user's machine to a remote device.
Applets: code that is sent from a remote device to the user's machine.
-The processing burden is shifted to the user's machine.
-The client can process data rather than waiting for a response from the remote system.
-In a properly programmed applet, the web server does not receive any data provided to the applet as input, therefore maintaining the security and privacy of the user's financial data.
Two common types of applets:
-Java applets: restriction of access to OS components can be done using a SANDBOX.
-ActiveX controls: MS proprietary. No SANDBOX restrictions.
-CORBA (Common Object Request Broker Architecture): created by the Object Management Group (OMG) so that developers do not have to possess any specific knowledge to interact with the server.
MS component models (COM/DCOM, Distributed Component Object Model): the answer to CORBA. Proprietary to MS.
DCOM was replaced by .NET.
ACID MODEL:
-Atomicity: an all-or-nothing affair.
-Consistency: all transactions must begin operating in an environment that is consistent with all of the database's rules (for example, all records have a unique primary key).
-Isolation: if a database receives two SQL transactions that modify the same data, one transaction must be completed in its entirety before the other transaction is allowed to modify the same data.
-Durability: database transactions must be durable. That is, once they are committed to the database, they must be preserved. Databases ensure durability through the use of backup mechanisms, such as transaction logs.
Concurrency, or edit control: allows only one authorized user to modify data. Concurrency uses a lock feature to allow an authorized user to make changes but deny other users. When the transaction/modification is complete, the unlock feature is made available so that other users can modify the data if needed.
ODBC: Open Database Connectivity (ODBC) is a database feature that allows applications to communicate with different types of databases without having to be directly programmed for interaction with every type of database. ODBC acts as a proxy between applications and backend database drivers, giving application programmers greater freedom in creating solutions without having to worry about the back-end database system.
Aggregation: combining records in a database to generate meaningful information.
ex: sum(), count(), min(), max(), avg()
Inference attack: deriving information indirectly from a database.
ex: Tom only has access to the total salaries paid to all employees. But if John resigns, Tom can derive what salary John used to get. Or if Tim joins the company, Tom can derive his salary from the amount added to the total salary.
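The salary-total inference described above, worked through in code together with a query-set overlap control that refuses the differencing query. This is an added example, not part of the notes; the payroll table, the salary figures and the `AggregateQueryGuard` class are constructed for illustration.

```python
"""Inference via aggregate differencing (the Tom/John/Tim scenario in the notes)
and a query-overlap control that blocks it. Added example, not from the notes;
the payroll table and the guard class are constructed/hypothetical."""
# Constructed payroll: employee -> salary. Tom may only run SUM over everyone.
PAYROLL = {"alice": 5000, "bob": 6000, "tom": 4500, "john": 7000}

def total_salary(payroll: dict) -> int:
    """The one aggregate query Tom is authorized to run."""
    return sum(payroll.values())

def inferred_individual_salary(total_before: int, total_after: int) -> int:
    """Two totals that differ by exactly one employee (someone left or joined)
    leak that employee's salary: the inference the notes describe."""
    return abs(total_after - total_before)

class AggregateQueryGuard:
    """Inference control: remember which records each answered aggregate
    covered and refuse a new aggregate whose record set differs from an
    earlier one by fewer than k records (query-set overlap control).
    Also enforces a minimum query-set size of k."""
    def __init__(self, k: int = 3):
        self.k = k
        self._answered = []  # frozensets of record ids already aggregated

    def total(self, payroll: dict) -> int:
        ids = frozenset(payroll)
        if len(ids) < self.k:
            raise PermissionError("query set smaller than k")
        for prev in self._answered:
            if 0 < len(ids ^ prev) < self.k:
                raise PermissionError("result would isolate fewer than k records")
        self._answered.append(ids)
        return sum(payroll.values())

def demo():
    """John resigns, then Tim joins. Returns the two salaries the unguarded
    totals leak and whether the guard blocked the differencing query."""
    after_john_leaves = {k: v for k, v in PAYROLL.items() if k != "john"}
    leaked_john = inferred_individual_salary(
        total_salary(PAYROLL), total_salary(after_john_leaves))
    after_tim_joins = {**PAYROLL, "tim": 5500}  # constructed new hire
    leaked_tim = inferred_individual_salary(
        total_salary(PAYROLL), total_salary(after_tim_joins))
    guard = AggregateQueryGuard(k=3)
    guard.total(PAYROLL)  # first aggregate over everyone is answered
    try:
        guard.total(after_john_leaves)
        blocked = False
    except PermissionError:
        blocked = True
    return leaked_john, leaked_tim, blocked

if __name__ == "__main__":
    print(demo())  # (7000, 5500, True)
```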
Data warehouse: a large database.
Data dictionary: information about the data stored in the database, including usage, format, relationships, etc.
Data mining: process of analysing data stored in data warehouses for potentially correlated information, historical trends, etc.
ex: mining would include finding out peak business hours, or which month of the year sees an increase in product demand.
Expert systems: computers in collaboration with a database making logical decisions based on artificial intelligence.
ex: weather forecasts, volcanic eruption predictions, etc.
In neural networks, chains of computational units are used in an attempt to imitate the biological reasoning process of the human mind. In an expert system, a series of rules is stored in a knowledge base, whereas in a neural network, a long chain of computational decisions that feed into each other and eventually sum to produce the desired output is set up.
A decision support system (DSS) is a knowledge-based application that analyzes business data and presents it in such a way as to make business decisions easier for users. It is considered more of an informational application than an operational application. Often a DSS is employed by knowledge workers (such as help desk or customer support personnel) and by sales services (such as phone operators).
NIDES: Next-Generation Intrusion Detection Expert System, developed by Philip Porras.
Avoiding system failure:
-Limit checks: limit checks ensure that data does not exceed the maximum allowable values, data type, etc.
-The fail-secure or fail-safe failure state puts the system into a high level of security (and possibly even disables it entirely) until an administrator can diagnose the problem and restore the system to normal operation.
ex: if a biometric device fails, employees will have to wait until it is fixed.
-The fail-open state allows users to bypass failed security controls, erring on the side of permissiveness.
ex: if the biometric device's power is lost, employees may be allowed to enter the premises without a fingerprint scan.
-First-generation languages (1GL) include all machine languages.
-Second-generation languages (2GL) include all assembly languages.
-Third-generation languages (3GL) include all compiled languages.
-Fourth-generation languages (4GL) attempt to approximate natural languages and include the SQL used by databases.
-Fifth-generation languages (5GL) allow programmers to create code using visual interfaces.
Message: used for giving input to an object.
Method: the object's response to that input.
Behavior: output exhibited by an object.
Cohesive: an object is highly cohesive if it can perform a task with little or no help from others.
Coupling: coupling is the level of interaction between objects.
###Conceptual definition: a very high-level statement of purpose; it should not be longer than one or two paragraphs.
###Functional requirements determination: after agreeing upon the conceptual definition, a list of what is required to realize the concept is developed.
###Protection specifications development: includes the security parameters that protect the development phase.
###Design review: once the functional and protection specifications are complete, let the system designers do their thing! In this often-lengthy process, the designers determine exactly how the various parts of the system will interoperate and how the modular system structure will be laid out. Also, during this phase, the design management team commonly sets specific tasks for various teams and lays out initial timelines for the completion of coding milestones.
###Code review walk-through: developers start writing code, and project managers review the same.
###System test review: testing the system for errors.


LIFE CYCLE MODELS:
In the 1970s and 1980s, pioneers like Winston Royce and Barry Boehm proposed several software development life cycle (SDLC) models to help guide the practice toward formalized processes. In 1991, the Software Engineering Institute (SEI) introduced the Software Capability Maturity Model (SW-CMM), which described the process organizations undertake as they move toward incorporating solid engineering principles into their software development processes.
-Waterfall model
-Spiral model
-Stages of CMM:
Level 1: Initial: hard-working people working in a disorganized fashion.
Level 2: Repeatable: reusability of code is introduced.
Level 3: Defined: documentation is introduced. SEI defines the key process areas for this level as Organization Process Focus, Organization Process Definition, Training Program, Integrated Software Management, Software Product Engineering, Intergroup Coordination, and Peer Reviews.
Level 4: Managed: more proactive than level 3. SEI defines the key process areas for this level as Quantitative Process Management and Software Quality Management.
Level 5: Optimizing: in the optimized organization, a process of continuous improvement occurs. SEI defines the key process areas for this level as Defect Prevention, Technology Change Management, and Process Change Management.
IDEAL MODEL for software development:
Initiating: business reasons are outlined, support is built and infrastructure is put in place.
Diagnosing: engineers analyze the current state of the organization and make general recommendations for change.
Establishing: the organization takes the general recommendations from the diagnosing phase and develops a specific plan of action that helps achieve those changes.
Acting: the "stop talking, start walking" phase.
Learning: the organization must continuously analyze its efforts to determine whether it has achieved the desired goals and, when necessary, propose new actions to put the organization back on course.
A Gantt chart is a type of bar chart that shows the interrelationships over time between projects and schedules.
Program Evaluation Review Technique (PERT) is a project-scheduling tool used to judge the size of a software product in development and calculate the standard deviation (SD) for risk assessment. PERT relates the estimated lowest possible size, the most likely size, and the highest possible size of each component.

The change control process has three basic components:
###Request control: the request control process provides an organized framework within which users can request modifications, managers can conduct cost/benefit analysis, and developers can prioritize tasks.
###Change control: the change control process is used by developers to re-create the situation encountered by the user and analyze the appropriate changes to remedy the situation. It also provides an organized framework within which multiple developers can create and test a solution prior to rolling it out into a production environment.
###Release control: once the changes are finalized, they must be approved for release through the release control procedure. An essential step of the release control process is to double-check and ensure that any code inserted as a programming aid during the change process (such as debugging code and/or back doors) is removed before releasing the new software to production.
Configuration management: used to control the versions of software:
###Configuration identification: administrators document the configuration of covered software products throughout the organization.
###Configuration control: ensures that changes to software versions are made in accordance with the change control and configuration management policies. Updates can be made only from authorized distributions in accordance with those policies.
###Configuration status accounting: formalized procedures are used to keep track of all authorized changes that take place.
###Configuration audit: a periodic configuration audit should be conducted to ensure that the actual production environment is consistent with the accounting records and that no unauthorized configuration changes have taken place.
White box testing: examines the internal logical structures of the code.
Black box testing: examines from the user's point of view by providing a variety of inputs.
Gray box testing: combines the above for software validation.
Protection rings:
Level 0: the OS itself; contains the security kernel, which contains the reference monitor, which offers multilevel security.
The DoD set forth the following three requirements for an operational reference monitor:
-It must be tamperproof.
-It must always be invoked.
-It must be small enough to be subject to analysis and tests, the completeness of which can be assured.
Level 1 and 2: device drivers and high-level OS interfaces.
Level 3: security layer where user apps and processes reside.
SLA:
-System uptime (as a percentage of overall operating time)
-Maximum consecutive downtime (in seconds/minutes/and so on)
-Peak load
-Average load
-Responsibility for diagnostics
-Failover time (if redundancy is in place)
__________________________________________
Chapter 8: Malicious code and application attack
__________________________________________
CH 13: Principles of Security Models
-Security models provide a way to plan, design, create and implement security policies.
-Trusted computing base (TCB) is a combination of hardware, software, and controls that works together to form a trusted base to enforce your security policy. For the TCB to communicate with the rest of the system, it must create secure channels, also called trusted paths.
---The part of the TCB that validates access to every resource prior to granting access requests is called the reference monitor.
---Users are subjects and the system is the object.
---The reference monitor stands between every subject and object, verifying that a requesting subject's credentials meet the object's access requirements.
---The reference monitor may be a conceptual part of the TCB; it doesn't need to be an actual, stand-alone or independent working system component.
---The collection of components in the TCB that work together to implement reference monitor functions is called the "security kernel".
