a quick guide to cissp certification

7/28/2019 A quick guide to CISSP certification

1/93

CISSPCISSP Exam Notes will help you pass CISSP exam

It is concise, to-the-point, and quick way to determine if

you are ready for the CISSP exam

Draft Version 43

Date of Publish: 19 September 2009

RAFEEQ UR REHMAN, CISSP

A quick guide to CISSP certification


2/93

Chapter One: Information Security and Risk Management

Copyright 2009 Rafeeq Rehman Page: 2 of 93

Copyright Notice

This book is copyright 2009 of Rafeeq Ur Rehman and Conformix Technologies Inc. No part

of this book can be distributed or reproduced in any form or shape without written permissionof the Author and the Publisher.

Disclaimer

The book is made available without any direct, indirect, or implied warranty of any kind,

including the correctness of material presented here. The author and the publisher of this book

are not responsible for any direct or indirect loss as a result of use of this book.

Trademarks and Service Marks

All references to trademarks and service marks used in this book are the property of respective

owners.

Published By

Rafeeq Rehman

ISBN13: 978-0-9724031-1-5

ISBN: 0-9724031-1-6

Web: http://www.cisspbook.com

Latest Edition of this book is always available on this web site.

Email: [email protected]


3/93



Table of Contents

1 Information Security and Risk Management .......................................................................... 101.1 Definitions ......................................................................................................................... 10

1.2 Introduction ....................................................................................................................... 111.3 Basic Principles ................................................................................................................. 121.4 Availability ........................................................................................................................ 14

1.4.1 Avoiding Single Points of Failure ............................................................................. 141.5 Data Classification ............................................................................................................ 141.6 Personnel Security ............................................................................................................ 151.7 Risk Management and Risk Lifecycle .............................................................................. 161.8 Security Policies and Standards security policy and standards .......................................171.9 Education and Awareness education and awareness ...................................................... 181.10 Roles and Responsibilities ................................................................................................ 181.11 Attacks and Vulnerabilities .............................................................................................. 181.12 Miscellaneous .................................................................................................................... 19

2 Access Control .......................................................................................................................... 212.1 Definitions ......................................................................................................................... 212.2 Access Control ................................................................................................................... 22

2.2.1 Access Control Types ................................................................................................. 252.3 Remote Authentication ..................................................................................................... 252.4 Biometrics ......................................................................................................................... 262.5 Passwords Security ........................................................................................................... 262.6 Identity Management and Directory Services ................................................................. 27

2.6.1 Kerberos ..................................................................................................................... 282.6.2 Light Weight Directory Access Protocol or LDAP .................................................... 292.6.3 OpenID ...................................................................................................................... 292.6.4 NTLM ......................................................................................................................... 30

2.6.5 Microsoft Active Directory Active Directory ............................................................ 302.7 Controlling Access in Networks ....................................................................................... 302.8 Types of Access Controls .................................................................................................. 312.9 Access Control Monitoring ............................................................................................... 312.10 Attacks and Vulnerabilities .............................................................................................. 31

3 Cryptography ............................................................................................................................ 333.1 Terminology ...................................................................................................................... 333.2 Introduction ...................................................................................................................... 343.3 Alogrithms ......................................................................................................................... 35

3.3.1 Digital Encryption Standard (DES) .......................................................................... 353.3.2 Triple Digital Encryption Standard (3DES) ............................................................. 353.3.3 Advanced Encryption Standard or AES AES ........................................................... 36

3.4 Public Key Cryptography .................................................................................................. 363.4.1 RSA Algorithm ........................................................................................................... 37

3.5 PGP .................................................................................................................................... 373.6 Hashing ............................................................................................................................. 373.7 Encrypting Data-At-Rest .................................................................................................. 383.8 Public Key Infrastructure (PKI) ....................................................................................... 38

3.8.1 Digital Certificates ..................................................................................................... 393.8.2 Certificate and Key Management Key Management ................................................ 41

3.9 Attacks and Vulnerabilities .............................................................................................. 42


4/93



3.10 Miscellaneous .................................................................................................................... 424 Physical Security ...................................................................................................................... 44

4.1 Definitions ......................................................................................................................... 444.2 Introduction ...................................................................................................................... 444.3 Physical Access Controls .................................................................................................. 454.4 Environmental Controls and HVAC ................................................................................. 46

4.5 Fire Control ....................................................................................................................... 474.6 Facility Design and Planning ............................................................................................ 484.7 Monitoring and Surveillance ............................................................................................ 494.8 Attacks and Vulnerabilities .............................................................................................. 494.9 Miscellaneous .................................................................................................................... 50

5 Security Architecture and Design ............................................................................................ 515.1 Definitions ......................................................................................................................... 515.2 Computer and System Architecture ................................................................................. 51

5.2.1 The Central Processing Unit - CPUCPU ................................................................... 515.3 Security Architecture ........................................................................................................ 535.4 Models for Access Control ................................................................................................ 535.5 Security Certification and Accreditation .......................................................................... 53

5.6 System Evaluation ............................................................................................................ 535.7 Attacks and Vulnerabilities .............................................................................................. 535.8 Miscellaneous .................................................................................................................... 53

6 Business Continuity and Disaster Recovery ............................................................................ 546.1 Definitions ......................................................................................................................... 546.2 Introduction ...................................................................................................................... 556.3 Business Impact Analysis (BIA) ....................................................................................... 556.4 Parts of Business Continuity Plan (BCP) ......................................................................... 566.5 Disaster Recovery Plan (DRP) .......................................................................................... 576.6 Data Center Recovery ....................................................................................................... 586.7 Attacks and Vulnerabilities .............................................................................................. 586.8 Miscellaneous .................................................................................................................... 59

7 Telecommunication and Network Security ............................................................................. 607.1 Definitions ......................................................................................................................... 607.2 ISO-OSI Network Model .................................................................................................. 607.3 TCP/IP Network Layers.................................................................................................... 62

7.3.1 Physical Layer ............................................................................................................ 627.3.2 Data Link Layer ......................................................................................................... 627.3.3 IP Layer ...................................................................................................................... 637.3.4 Transport Layer and TCP/UDP ................................................................................ 637.3.5 Application Layer ...................................................................................................... 64

7.4 Network Tiers and Defense-in-Depth defense in depth .................................................. 657.5 Network Services Security ................................................................................................ 65

7.5.1 Domain Name System or DNS.................................................................................. 657.5.2 Email .......................................................................................................................... 667.5.3 Web Servers ............................................................................................................... 667.5.4 Telnet ......................................................................................................................... 677.5.5 Secure Shell or SSH ................................................................................................... 677.5.6 FTP and SFTP ............................................................................................................ 677.5.7 TCP Wrappers ........................................................................................................... 677.5.8 Network Time Protocol or NTP ................................................................................ 67

7.6 Network Transport Level Security ................................................................................... 687.6.1 SSL/TLS SSL TLS ...................................................................................................... 68


5/93



7.6.2 IPSec and GRE Tunnels ............................................................................................ 687.6.3 Secure Shell (SSH) SSH ............................................................................................ 68

7.7 Firewalls ............................................................................................................................ 687.7.1 Application Layer Firewalls and Application Proxies .............................................. 687.7.2 Load Balancers .......................................................................................................... 68

7.8 Network Address Translation or NAT ............................................................................. 68

7.9 Remote Access and Virtual Private Networks VPN ......................................................... 687.10 Intrusion Detection Systems IDS ..................................................................................... 697.11 Commonly Used Ports and Protocols .............................................................................. 707.12 Cellular Networks ............................................................................................................. 70

7.12.1 CDMA ........................................................................................................................ 707.12.2 GPRS .......................................................................................................................... 707.12.3 GSM ........................................................................................................................... 707.12.4 3G Wireless ................................................................................................................ 707.12.5 EDGE ......................................................................................................................... 707.12.6 EVDO ......................................................................................................................... 70

7.13 Voice Over IP or VoIP ....................................................................................................... 707.14 Attacks and Vulnerabilities .............................................................................................. 70

7.15 Miscellaneous .................................................................................................................... 708 Application Security ..................................................................................................................71

8.1 Definitions ..........................................................................................................................718.2 Security of Web Based Applications ................................................................................ 72

8.2.1 Three-Tier Architecture ............................................................................................ 728.2.2 User Registration and CAPTCHA ............................................................................. 728.2.3 Use of SSL .................................................................................................................. 72

8.3 Securing Client/Server Applications ................................................................................ 728.4 Single Sign On (SSO) ........................................................................................................ 728.5 Cross Company Authentication (CCA)............................................................................. 728.6 Common Attacks on Web-Based Applications ................................................................ 728.7 Attacks and Vulnerabilities .............................................................................................. 72

8.8 Miscellaneous .................................................................................................................... 728.9 Introduction ...................................................................................................................... 728.10 Software Development Life Cycle (SDLC) ....................................................................... 738.11 Application Security Testing ............................................................................................ 748.12 Security of Web Based Applications ................................................................................ 74

8.12.1 Three-Tier Architecture ............................................................................................ 758.12.2 User Registration and CAPTCHA ............................................................................. 758.12.3 Web Server Security .................................................................................................. 758.12.4 Use of SSL .................................................................................................................. 75

8.13 Security Web Services ....................................................................................................... 758.14 AJAX and Web 2 Technologies ........................................................................................ 758.15 Securing Client/Server Applications ................................................................................ 758.16 Single Sign On (SSO SSO) ................................................................................................ 758.17 Cross Company Authentication (CCA CCA) .................................................................... 758.18 Common Application Attacks and Flaws ......................................................................... 758.19 Attacks and Vulnerabilities .............................................................................................. 768.20 Miscellaneous .................................................................................................................... 76

9 Operations Security .................................................................................................................. 779.1 Definitions ......................................................................................................................... 779.2 Introduction ...................................................................................................................... 779.3 Securing Server ................................................................................................................. 78


6/93



9.3.1 Securing Windows Servers........................................................................................ 789.3.2 Securing UNIX/Linux Servers .................................................................................. 789.3.3 Securing Mail Servers ............................................................................................... 789.3.4 Securing Web Servers ............................................................................................... 789.3.5 Creating Server Check Lists and Security Templates .............................................. 78

9.4 Securing Desktop .............................................................................................................. 78

9.5 Patch Management ........................................................................................................... 789.6 Vulnerability Testing ........................................................................................................ 789.7 Password Cracking ............................................................................................................ 789.8 Data Destruction ............................................................................................................... 789.9 Attacks and Vulnerabilities .............................................................................................. 789.10 Miscellaneous .................................................................................................................... 78

10 Legal, Regulations, Compliance and Investigation ............................................................. 8010.1 Definitions ........................................................................................................................ 8010.2 Computer Crimes .............................................................................................................. 82 10.3 Ethics ................................................................................................................................. 8210.4 Laws ................................................................................................................................... 8210.5 Incident Management ...................................................................................................... 83

10.6 Investigation and Forensics ............................................................................................. 8310.7 Attacks and Vulnerabilities .............................................................................................. 8310.8 Miscellaneous .................................................................................................................... 83

11 Commonly Used TCP and UDP Ports ..................................................................................... 8412 Glossary .................................................................................................................................... 8713 Index ......................................................................................................................................... 8914 Sample Questions ..................................................................................................................... 91

14.1 Introduction ...................................................................................................................... 9114.2 Questions .......................................................................................................................... 91


7/93



Preface, Acknowledgements andIntroduction

CISSP certification needs a lot of preparation and breadth of knowledge. This book will help you

assess your knowledge quickly to help you know if you are really prepared for the CISSP exam. If

you are an experienced information security professional, it also helps you refresh your

knowledge quickly.

Acknowledgements

I am thankful to all of my friends who shared their thoughts and gave feedback to prepare

manuscript for this book.

How to Read This Book

By this time, you may have noticed that this book is very short compared to other CISSP exam

preparation books. The objective is to save your time (and money) while preparing for the CISSP

exam. The book also gives you a chance to see how prepared you are for the CISSP examination

by going through the bulleted points.

This book provides a quick overview of each topic in CISSP certification exam. You should read

it when you start preparing for the examination. At this stage, it will give you an idea about your

current level of knowledge.

At the end of each chapter, you will see a number of links where you can find more detailed

information about the CISSP exam. While reading information from those resources, if you find

something new that is not in this book, just keep on adding your notes with the empty pages.

This way you will keep on creating your own notes as well.

By the time you have reached the end of this book, you will have a decent amount of knowledge

that you can quickly browse through.

Questions, Comments, Criticism, Appreciations

Please contact the Author, Rafeeq Ur Rehman, [email protected] any questionsor comments or provide any feedback that can be helpful in the next version of this book. All

types of critique is welcomed.
mailto:[email protected]:[email protected]:[email protected]:[email protected]


8/93



Support This Free Book Project By Your Advertisement

You can support this book by placing your advertisement in this book. For more information,

[email protected]. If you are a vendor of information security products, you will

reach the right audience and it will be the best use of your marketing dollars.
mailto:[email protected]:[email protected]:[email protected]:[email protected]


9/93



ADVERTISEMENT


10/93



Chapter One

1Information Security

and Risk

Management

1.1 DefinitionsConfidentiality of information prevents disclosure, unauthorized use of information.

Information should be made available who have a need-to-know.

Integrityensures that data is not modified in an un-authorized manner and it is consistent

Availability means that the data is available when it is needed by authorized persons or

processes.

Single Point of Failure is something that, if broken, can cause the whole system or process to

stop working.

Defense-In-Depth or DID means that there are multiple lines of defense to secure data


11/93



SLA or Service Level Agreement defines the minimum standard of a service provided to

customers.

Certification is the formal process of risk assessment for a system and documenting the risk

with due-diligence

Accreditation is a process where business owners formally accept risk associated with a

project or system. Accreditation happens after certification

Riskis likelihood of loss.

Safeguardor a control or a counter measure is measure to reduce risk.

Threatis an event that can cause harm to assets (natural or man-made)

Threat Agentis an entity that can cause harm to an asset, e.g. an Internet attacker.

Vulnerability is a weakness in a system or process that can be exploited by a threat agent to

get access to an asset.

Exposure Factor or EF is the percentage loss (in dollar) from a single incident.

Single Loss Expectancy or SLE is loss in term of dollar from a single successful incident.

SLE= EF x Asset Value

Annual Rate of Occurrence or ARO is an estimate of how many time an incident will occur

within a year that will cause loss.

Annual Loss Expectancy or ALE is the total estimated loss within a year. This estimate is

based upon SLE and ARO. ALE=SLE x ARO

1.2 Introduction1. Organizations need to have a program to manage information security risk

2. An organization need to have policies, standards, guidelines, and procedures to ensure

information security.

3. Policies are generic whereas standards are specific. So a policy may state that data must

be protected whereas a standard may have specific language about protecting data by

encryption with AES encryption.

4. Policies and Standards are mandatory, whereas guidelines are not.

5. Procedures are detailed processes to do certain tasks


12/93



6. Policies include controls framework and are very high level. Sample controls frameworks

are ISO 17799/ISO 27002.

7. ISO 17799 security controls framework is divided into 10 domains 1. These ten domains

are:

i. Organization of information security management

ii. Asset control

iii. Human resources

iv. Physical and environmental security

v. Telecommunications and operations

vi. Access control

vii. IT systems development and maintenance

viii. Incident management

ix. Business continuity and disaster recovery

x. Compliance

xi. An organization must also have a mission statement that shows the fundamental

principle of the organization.

8. An organization must also have a mission statement that shows the fundamental

principle of the organization.

9. SLA or Service Level Agreement defines the minimum standard of a service provided to

customers.

1.3 Basic Principles1. Risk management includes two major parts: risk assessment and risk mitigation.

2. Risk assessment is performed on different risk/attack scenarios keeping in view

vulnerabilities and controls.

3. Risk management consists of:

1 This book follows those ten domains, starting from this chapter


13/93



4. Mitigating the risk by using some safeguards and counter measures.

5. Transferring the risk to other entities, like buying insurance

6. Assuming the risk, if expenditure on mitigation or transfer is more than the risk itself.

7. Three basic principles of information security are Confidentiality, Integrity, and

Availability or C-I-A. It is also called information securitytriad.

8. Opposite to CIA is DAD which is Disclosure-Alteration-Destruction.

9. To achieve defense-in-depth, you need to do many things including:

a. Have multiple layers of network separated by firewalls.

b. Implement solutions from different vendors at different layers to ensure a

problem with one vendor does not impact all layers.

c. Incorporate security principles, policies, best practices, education, and awareness

programs

d. Implement monitoring systems including log monitoring, intrusion detection and

prevention, event correlation, and log retention.

e. Implement the principle of separation of duties such that one person is not able

to perform end-to-end tasks

f. Avoid single points of failure

g. Implement network segmentation to create choke points so that parts of network

can be quarantined if needed.

10.Data classification means that data should be categorized based upon level of sensitivity

and level of protection required for a particular of data. Sample classifications may

include confidential, protected, public etc.

11.A person must be in-charge of overall management of information security

12.Roles are responsibilities must be defined based upon the principle of separation of

duties

13.Organizations must implement a program for security certification and accreditation

(SC&A) to identify, document, and manage risk related to projects.

14.A network architecture should be created for defense-in-depth that implements multiple

lines of defense, also called network tiers


14/93



15. Information security practices should be integrated in human resources hiring and firing

processes

16.Senior management is responsible for creating information security program

17.

You should use multiple controls to protect data. These controls include:

a. Administrative controls such as security policies.

b. Technical controls such as encryption.

c. Physical controls such as key card access, security guards.

1.4 Availability1. Single points of failure affect availability and reliability of a system.

2. Highly Available (HA) systems dont have single points of failure

1.4.1 Avoiding Single Points of Failure1. Hardware: Dual power supplies, RAID including disk mirroring, fail-over clustering,

parity, multiple network adapters, hot swappable components

2. Software and Systems: failover clustering, multiple data centers

3. Network: multiple network paths, dynamic routing algorithms, dial backup, multiple

telecom providers, firewall clusters

4. Processes: Multiple vendors and service providers, multiple employees trained for each

job.

1.5 Data Classification1. Data classification is important to put appropriate security controls around data

depending upon its importance

2.

Data classification is based upon different criteria like: value of data, regulatoryrequirements, retention period.

3. Data value will be high if the data is related to company secrets, customer and employee

information, credit card and bank/financial information, health information, etc.

4. Different types of security controls are applied depending upon data classification.


15/93



5. Ideally, all data should be marked with its classification irrespective of how it is stored

(electronic, paper)

6. US government data classifications include (in order of sensitivity): Unclassified,

Sensitive but Unclassified, Confidential, Secret, and Top Secret.

7. Private organizations may define their own classification depending upon their own

requirements. Examples: restricted, confidential, internal user only, public, etc.

8. Data owner data owner is a an executive or senior management person who is officially

responsible and personally liable for the security of data.

9. A data custodian data custodian has the day to day responsibility of managing data. Data

custodians may network administrator, DBA, system administrator or other people in

similar role. The owner has the ultimate responsibility whereas the custodian has the

day-to-day responsibility to ensure security.

10.The owner performs data classification, create policy to protect data, and assign

custodians. Custodians on the other hand backup and restore data, perform encryption,

manage privileged user accounts, and so on.

11. Regular users who have access to data are responsible for following policies defined by

data owners.

12.Data classification must be reviewed at some defined intervals because it may change

over time depending upon changed risk posture to a company

13.During data classification process, factors like value of data, age of data, competitive

advantage, etc should be considered.

1.6 Personnel Security1. Where needed, hiring process should include drug testing, background checks, credit

history, and security clearance.

2. Minimum notice should be given to a candidate for drug test, preferably one to two days

only to get good results.

3. The new employee orientation process should include introduction to security policy

4. The HR policies should include accepted guidelines for computers and other company

resources.

5. Employee references and application data must be verified for new employees


16/93



6. If an employee is fired from company, the HR process must include notification to IT

staff to immediately disable user accounts and access to network. In other words, the HR

process must be tied to the identity management process.

7. Security badges and key card access must be used for employees with access to sensitive

locations, including data centers.

8. If an employee has knowledge of shared account/generic accounts, passwords for those

accounts must be changed when an employee leaves the company or moves to another

position in the company

9. Upon termination of employment, notice should be sent to other employees, vendors,

service providers, and so on.

10.It is accepted industry practice that company email is the property of a company. There

should be a policy to keep email of terminated employees for a certain period of time.

Incoming email for a terminated employee may be redirected to the manager for a

specified period of time to avoid missing email from vendors.

11. There should be a specific job description for each employee to ensure roles and

responsibilities understood by all.

12.Job rotation is a way to minimize risk related to collusion. In collusion, two or more

people work together to commit fraud.

13.The principle of separation of duties should be implemented to ensure a single person is

not able to control any process completely.

1.7 Risk Management and Risk Lifecycle1. Risk is a measure of a corporations tolerance to security events. It depends upon threat

vectors, vulnerabilities, and estimation of loss in number of dollars. In many places in

the text, the formula is: risk = threat x vulnerability. The author believes that this

formula does not show the complete picture because it does not take into account

expected loss2.

2. Risk goes through different stages in its life. Some stages are: identified, documented,

assessed, transferred, mitigated, closed

2 SMART (http://smart.conformix.com) is a system to manage information risk


17/93



3. Risk associated with a security issue may change over time. For example, new laws and

regulations, change in business practices, and new threats may change risk level.

4. After identification, risk can be controlled in three ways: it can be mitigated, assumed, or

transferred to other entities.

5. Risk controlling should be cost effective. This means that if a risk is worth $100, you

should spend less than $100 to control it.

6. An example of transferring risk is buying an insurance to an asset.

7. Risk can never be zero. However it can be mitigated to an acceptable level.

8. Quantitative risk analysis includes estimating risk in terms on number of dollars or

numbers.

9.

Qualitative risk analysis is usually in terms of ``High'', ``Medium'', and ``Low''. It doesnot deal with numbers and is more subjective than quantitative risk analysis.

10.Quantitative risk analysis may include complex formulas, needs data, and may take more

time to perform. On the other hand, qualitative risk analysis is more subjective, does not

include many calculations, and does not need that much data as the quantitative risk

analysis.

11. Compensation controls compensation controls are measures that you take to reduce risk.

12.Risk is never zero. There is always a residual risk even if good controls are implemented

13.OCTAVEis a risk assessment methodology.

1.8 Security Policies and Standards security policy andstandards

1. Policies3 are high level statements from senior management.

2. Standards define how the policies will be implemented.

3. Guidelines are not mandatory. These are used to help implement the informationsecurity policy.

4. Procedures are detailed, step-by-step processes to do certain tasks.

3 PolicyDOC (http://www.policydoc.com) is a policy and procedure management software.
http://www.policydoc.com/http://www.policydoc.com/http://www.policydoc.com/http://www.policydoc.com/


18/93



5. If a security policy can't be implemented for any reason, there must be an exception

process to the security policy

6. Since technologies keep on changing, security policies must be updated on regular basis

1.9 Education and Awareness education and awareness1. Security awareness program is important for overall information security management.

2. Awareness programs help in avoiding attacks related to social engineering, data leakage

by accident.

3. The programs need to be continuous in nature (not a one-time item).

4. Items like security policies, data destruction, importance of paper shredding, roles,

responsibilities, data classification, physical security, importance of key card access,

appropriate use of email and the Internet, should be covered in these programs.

5. Security newsletters, seminars, etc may be part of awareness programs.

1.10 Roles and Responsibilities1. Owner is an executive level person who is the ultimate responsible person to protect

information.

2. Custodian is appointed by the owner and has responsibility of securing information from

a day to day routine perspective.

3. Information Users are the end users of the information who are given access by the

custodian on the basis of need-to-know.

1.11 Attacks and VulnerabilitiesIn the absence of a well established information security and risk management program, the

organization may become vulnerable to a number of attacks as listed below.

1. Lack of education and awareness may result in successful social engineering attacks.

Social engineering is a type of attack where an attacker will try to get information by

social interaction like pretending to be a fellow company employee, using phone calls to

get information, etc.

2. If employees are not trained in data destruction \footnoteData destruction means

destroying data when no longer needed, e.g. shredding papers, degaussing disks,


19/93



shredding tapes, etc.data destruction, attacks like dumpster diving \footnoteIn dumpster

diving, attackers look into company dumpsters to find papers and other useful data

dumpster diving may result in data disclosure

3. Absence of data classification may confuse employees about which information is

sensitive and how it should be protected. As a result, employee may divulge sensitiveinformation.

4. Denial of Service (DoS) Denial of Serviceattacks cause availability issues. DoS attacks try

to make a system (web site, databases) unavailable to users causing in loss.

5. Distributed Denial of Service (DDoS) Distributed Denial of Service is a special type of

attack that Internet attackers launch against web sites. Typically, a large number of

hacked computers are used to launch attack against a web site. These attacks include

creating a large Internet traffic volume to the web site to bring it down or to make it very

difficult for the real users to access it.

6. Attackers, social engineering, unprotected files, insecure communication protocols, are

some examples of major threats to confidentiality of data

7. Natural disasters, power outages, system failures, denial of service attacks are major

threats to availability of data.

8. Usually software patches are used to fix vulnerabilities in software. Vulnerabilities

related to poor network design are difficult to fix until new network design is

implemented.

1.12 Miscellaneous1. Separation of duties help in safeguarding data from internal threats. Job rotation is

another way to combat internal threats.

2. People should also be considered as single point of failure if there is only one person to

do a certain business function.

3. Education and awareness may include publication of security newsletters, security

training, employee orientation, etc.

4. Baselines are minimum security processes implemented in an organization.


20/93




21/93

Chapter Two: Access Control


Chapter Two

2Access Control

Access controls domain scope is related to all of the following:

1. Authentication and authorization

2. User account provisioning, management, deletion

3. Password controls

4. Network access controls

2.1 DefinitionsAccounting is mechanism to calculate for how long a resource is used or for how long a

user has been logged in to a web site.

Identification is a process to ensure that an entity (person, program, computer) is what it

claims to be. In a typical scenario, an account is created after identification.

Authentication happens after identification. Typically it is a login process using

username/password. Other mechanisms like X.509 certificates, PINs, token, cards, etc can

also be used.

Authorization is used after authentication to grant a certain level of access based upon

authentication. For example, all authenticated users may not be allowed to alter

information. Only users in administrator group may alter/add/delete information.


22/93



SSO (Single Sign On) is a mechanism of getting access to multiple resources (systems,

applications, etc) by entering username/password only once.

Graded Authorization systems implement multiple levels of authorization. For example,

a person may be granted read-only access to a web account, read-only access plus view bills,

and all of the above plus make payments

Risk-based Authorization is used to grant access resources based upon risk level

associated with an account, account creation, or authentication method.

Cognitive Passwords are based upon some facts or something you remember, e.g.

mother's maiden name, color of your first car, etc.

Passphrase is a string that is longer than password and is used in place of password. The

actual password is generated by the application based upon passphrase. PGP is an example

of the application that uses passphrase.

2.2 Access Control1. Access controls are put in place to control and monitor flow or retrieval of information in

networks, databases, and other systems.

2. Username/password, certificates, group memberships, access lists are some mechanisms

for access control.

3. Access Controls are put in place to protect Availability, Confidentiality, and Integrity of

information.

4. Availability means that information must be available to users in timely manner.

5. Confidentiality means that information will be made available to only those entities

(people, systems, applications) who have a need to get that information.

6. Integrity means that information should be protected from unauthorized alteration.

7. Access can be controlled using many factors like physical access, logical access, access

based upon time of day, etc.

8. Access should always be granted on the basis of need-to-know.

9. When granting access, principle of least-privileges should be implemented. By thin

principle, a person should have no more privileges than needed to do his/her job.


23/93



10.Role-based access helps in granting access to a person based upon his/her role. If role of

a person changes, the access level also changes.

11. Role-based access helps in controlling access creep which results from employees

moving from one department to another and previous access is not fully revoked. In role-

based access, when a role changes, access for the previous role is automatically revoked.

12.A good practice of granting access is to always start with ``no access'' to a resource.

Example: while creating access list on a firewall, first deny everything and then open

ports on as-needed basis.

13.Authentication is based upon three items: Something you know, something you have, or

something you are.

14.Strong authentication happens when a system uses multiple mechanisms (know, have,

is).

15. Two factor authentication means you are using two out of three mechanisms (know,

have, is).

16.Pass phrases are longer strings than passwords. Typically a system will convert a

passphrase into a password for actual authentication.

17. Memory cards store information which is used for authentication. Smart cards are

capable of storing and processing information. Smart cards usually have integrated chips

on them. Some smart cards work on contact while others are contact-less.

18.RADIUS (Remote Authentication Dial-in User Service) and TACACS (Terminal Access

Controller Access Control System) are used for centralized access control.

19.Microsoft RAS is another centralized access control mechanism for remote users.

20.PAP (Password Authentication Protocol) and CHAP (Challenge Handshake

Authentication Protocol) are also used for remote as well as client-server access controls.

21.EAP (Extensible Authentication Protocol) is also used for access control for remote

users.

22.AAA (Authentication, Authorization, Accounting) is a name for process that does all

these three items.

23.Accounting is mechanism to calculate for how long a resource is used or for how long a

user has been logged in to a web site.


24/93



24.Always start with no access to a resource. Example: while creating access list on a

firewall, first deny everything and then open ports on as-needed basis.

25.Identification is a process to ensure that an entity (person, program, computer) is what it

claims to be. In a typical scenario, an account is created after identification.

26.Identity Management is a process of creating/modifying/deleting identities. It also

includes services for authentication and authorization.

27.LDAP (Lightweight Directory Access Protocol) is used to store and retrieve

authentication and authorization information. OpenLDAP is open source

implementation of LDAP.

28.There are other directory services as well, like Novell NDS, Oracle OID, etc.

29.Kerberos is an authentication and authorization mechanism used in many systems

including Microsoft Windows. In Greek mythology, Kerberos is name of a three headeddog.

30.SSO (Single Sign On) is a mechanism of getting access to multiple resources (systems,

applications, etc) by entering username/password only once.

31.Kerberos can be used for single sign on (SSO).

32.In Kerberos, KDC (Key Distribution Center which is a component of Kerberos) generates

tickets for principals.

33.Principals use tickets to get access to different resources in a Kerberos system.

34.Certificates with public/private encryption keys are used in Kerberos.

35.Authentication happens after identification. Typically it is a login process using

username/password. Other mechanisms like X.509 certificates, PINs, token, cards, etc

can also be used.

36.Authorization is used after authentication to grant a certain level of access based upon

authentication. For example, all authenticated users may not be allowed to alter

information. Only users in administrator group may alter/add/delete information.

37.Authentication is based upon three items: Something you know, something you have, or

something you are.

38.Strong authentication happens when a system uses multiple mechanisms (know, have,

is).


25/93



39.Two factor authentication means you are using two out of three mechanisms (know,

have, is).

40.Graded authorization means you give a lower level of access initially and if the person

needs more access, you ask for additional proof to grant more access.

41.Risk-based authorization means you provide access to entities based upon risk level

associated with the object and the security clearance of the person needing access.

42.Pass phrases are longer strings than passwords. Typically a system will convert a

passphrase into a password for actual authentication.

43.Memory cards store information which is used for authentication. Smart cards are

capable of storing and processing information. Smart cards usually have integrated

chips on them. Some smart cards work on contact while others are contact-less.

44.Memory and smart cards are vulnerable to attacks where an attacker can steelinformation by placing rogue card readers.

2.2.1 Access Control Types1. Discretionary access control (DAC) access based systems allow the owner of a resource to

decide who can access the resource.

2. Mandatory access control (MAC) based systems ensure that the operating system makes

a determination about who can access a resource.

3. Mandatory access controls systems assign sensitivity levels to different resources. If auser has permission equal to or higher of the sensitivity level, the user is allowed to

access the resource.

4. Role-based access control (RBAC) systems work on the basis of roles assigned to users.

Permissions to access a resource are granted to different roles instead of particular users.

The access to a resource is controlled by the system.

2.3 Remote Authentication1. RADIUS (Remote Authentication Dial-in User Service) RADIUS and TACACS (Terminal

Access Controller Access Control System) TACACS are two protocols used for centralized

access control.

2. Microsoft RAS is another centralized access control mechanism for remote users.


26/93



3. PAP (Password Authentication Protocol) PAP and CHAP (Challenge Handshake

Authentication Protocol) CHAP are also used for remote as well as client-server access

controls.

4. EAP (Extensible Authentication Protocol) EAP is also used for access control for remote

users.

5. AAA (Authentication, Authorization, Accounting) AAA is a name for process that does all

these three items.

2.4 Biometrics1. Biometrics (finger prints, retina and iris scans, facial recognition, hand geometry and

topography, voice print, signatures characteristics, etc) are also used for authentication.

Biometrics are used to authentication based upon what you are.

2. Biometric systems are not 100% accurate and can reject authorized individuals (Type I

errors) or allow unauthorized users (Type II errors).

3. Things to consider in biometric: processing speed, Crossover Error Rate (CER), cost,

sensitivity.

4. CER shows the point where Type I and Type II errors become equal. The lower CER, the

better the device is. To get CER, Type I and Type II errors are plotted against sensitivity.

The point where both curves cross shows CER.

5. Each authenticated entity must have unique credentials (e.g. unique username) for

accountability and logging.

2.5 Passwords Security1. Passwords are usually stored in directory services (like LDAP), database tables, or in flat

files. Passwords must be encrypted.

2. Many systems use passwords in one-way hash (e.g. MD5, SHA1, etc) forms. Hashed

passwords are better than encrypted because if someone finds encryption key, thatperson can decrypt passwords. However, there is no reverse process for hashed

passwords.

3. Passwords are vulnerable to attacks like brute force, dictionary attacks, social

engineering, password crackers, network traffic sniffing.


27/93



4. Password controls should be put in place. Password controls include password aging,

password expiration, disallowing dictionary words as passwords, enforcing a

combination of letter and numbers, password history so that old passwords cant be

reused, and so on.

5. Password aging forces user to change passwords within a certain period of time.

6. When a password is reset by a customer service representative, the user must be

enforced to change it at the first login.

7. If more than one person knows passwords, it is a bad sign for security.

8. One time use passwords (OTP) are created dynamically with the help of a token device.

The token device generates these based upon sequence number of time stamp.

9. Token devices are vulnerable if stolen and user ID (username) is not kept confidential.

10.Self-service password reset can be achieved in a number of ways, including:

a. Sending email to a pre-registered email address

b. Asking the user to answer to one or more questions that the user has already

stored on the web site

c. Sending a text message to a pre-registered cell phone

2.6 Identity Management and Directory Services1. Identity Management is a process of creating/modifying/deleting identities. It also

includes services for authentication and authorization.

2. LDAP (Lightweight Directory Access Protocol) is used to store and retrieve

authentication and authorization information.

3. OpenLDAP is open source implementation of LDAP.

4. There are other directory services as well, like Novell NDS, Oracle OID, etc.


28/93



2.6.1 Kerberos1. Kerberos4 is an authentication and authorization mechanism used in many systems

including Microsoft Windows. In Greek mythology, Kerberos is name of a three-headed

dog.

2. Kerberos was developed in MIT as part of project Athena.

3. Many systems including Windows 2000 and Windows 2003 use Kerberos.

4. Passwords are never sent over network during authentication process used in Kerberos.

5. Kerberos can be used for single sign on (SSO).

6. In Kerberos, KDC (Key Distribution Center which is a component of Kerberos) generates

tickets for principals'.

7. Principals use tickets to get access to different resources in a Kerberos system.

8. KDC provides authentication and key distribution. KDC is the center of trust in

Kerberos. Any compromise to KDC has the potential of compromise of the whole system.

9. Principals can be considered as clients' and they may be regular users, computers,

printers, and so on.

10.Kerberos is essentially a 3-party system where two principles authenticate to each other

using KDC.

11. Remember the following about the Kerberos system:

a. KDC runs Authentication Service (AS) and Ticket Granting Service (TGS)

b. When a user first time authenticates to Kerberos, KDC issues a Ticket Granting

Ticket (TGT).

c. A principal will keep TGT and will use to get a ticket from KDC when needed

d. The authenticator is part of ticket that contains identification information of a

user.

e. A Service Center (SS) is usually a principal that provides a service to a client.

12.A session key is used between two principals to secure data.

4 http://web.mit.edu/kerberos


29/93



13.KDC is a single point of failure in Kerberos.

14.Kerberos keys are vulnerable to memory attacks because these are stored in RAM by

principals.

15.

A secret key is established between a principal and the KDC. KDC and the principalstrust each other based upon that secret key.

16.KDC acts as a trusted party among different principals who don't trust each other

directly.

17.All tickets have time limit and protected from replay attacks and someone captures

network traffic.

18.Kerberos uses symmetric encryption (DES). Some extensions allow use of PKI and

certificates as well.

19.Kerberos is mutual authentication protocol where both parties taking part in a

conversation verify each other.

20.Recent updates to Kerberos has implemented stronger encryption to Kerberos, including

AES.

21.Kerberos time synchronization among principals and KDC to verify validity of tickets.

22.Use of protocols like NTP is needed to run Kerberos smoothly.

2.6.2 Light Weight Directory Access Protocol or LDAP1. One of more LDAP servers are used to store information about objects. Most of the

servers can synchronize their databases.

2. LDAP clients connect to directory servers for authentication and authorization purposes.

3. Authorization is performed based upon different attributes associated with an object.

2.6.3 OpenID1. OpenID5 is used mostly for authentication with web-based applications.

2. OpenID is a 3-party system: Identity Provider, Relying Party, and the User Agent (or web

browser)

5 http://www.openidbook.com for my other book on OpenID


30/93



2.6.4 NTLM1. NTLM or NT LAN Manager is a Microsoft protocol.

2. NTLM is a challenge-response protocol. It is an evolution of an older Microsoft protocol

known as LAN Manager.

3. NTLM has two versions: NTLMv1 and NTLMv2.

4. NTLM is an older protocol and is replaced by Kerberos in Windows 2000 onwards.

5. NTLM is still being used when a computer is not part of a Windows domain or where no

Windows domain exists. Examples: peer-to-peer networks like Windows workgroups in

small offices.

6. It can be used for authentication based upon IP addresses.

2.6.5 Microsoft Active Directory Active Directory1. Active Directory or AD is the directory service that comes with Microsoft Windows

servers and it is the main directory repository from Microsoft.

2. Active Directory implements the concept of forest in which there may be multiple

domains.

3. Each domain can contain multiple Organizational Units or OU. OU is used to group

objects and implements controls on the group.

4. Different types of trusts can be established among Active Directory domains.

2.7 Controlling Access in Networks1. To control access on network, it is advisable to segment network in different domains.

Example: administration domain should be separate from Internet.

2. Each domain should be separated by firewalls with only limited traffic to pass through.

3. Network should also have layers of security. Three layers between Internet and core

database computers are recommended.

4. Layers should be separated by firewalls.

5. While opening firewall ports, use individual IP addresses for source and destination

computers instead of network addresses.


31/93



2.8 Types of Access Controls1. One way to classify access controls is based upon how they are utilized. In this regard,

access controls may be preventive or detective in nature.

2.

Access controls may also be classified as physical, technical, and administrative.

3. Preventive access controls are used to stop an attacker from getting access to data or

system, such as passwords. Detective access controls are used to detect any violation

after the fact, such as log files.

4. Examples of physical access controls are security guards, locks, key card access, and so

on.

5. Example of technical access controls are passwords, firewalls, etc.

6.

Examples of administrative access controls are policies, security templates, backgroundchecks, etc.

2.9 Access Control Monitoring1. Access controls violations need to be monitored at multiple places. The controls should

be monitored at least at Network level, Operating Systems level, and applications level.

2. Access control monitoring is performed in many ways using logs, IDS/IPS, etc.

3.

In Microsoft Windows, event viewer shows failed logins.

4. In UNIX/Linux systems, Syslog can be used to monitor failed and successful logins.

5. The logs data must be stored on log servers instead of locally at each machine. The

reason is that if a system is compromised and log data is stored on the same system, the

attacker will remove that data to delete any footprints.

2.10 Attacks and Vulnerabilities1. Keyboard loggers are commonly used by attackers to steel username and password

information. Key loggers are software or other mechanisms that log keyboard

information without a user knowledge and send this information to an attacker.

2. Phishing attacks are also commonly used against popular attacks to get username and

password information. This is done by sending fake emails that look like official and

luring innocent users to click on links in the email to go to a rouge web site that looks like

an official company web site.


32/93



3. Password crackers are software that are used to crack password. These programs work

on common password vulnerabilities and dictionaries to crack passwords. For example, a

password cracker may get a UNIX password file and start password cracking by using

the same password as the username, first name, last name, and so on.

4. Memory and smart cards are vulnerable to attacks where an attacker can steelinformation by placing rogue card readers.


33/93

Chapter Three: Cryptography


Chapter Three

3Cryptography

3.1 TerminologyCryptography is field of science that deals with encryption.

Plaintextis converted to ciphertextas a result of encryption. Plaintext is intelligible data.

Plaintext is also called cleartext.

Akey is used to convert plaintext to ciphertext. Key is a string of characters and depending

upon type of encryption, it may have different lengths.

The opposite of encryption is decryption.

Cryptanalysis is the field of study to break encryption. It is used to decrypt data without the

keys.

If two parties were engaged in a communication and one of them denies of having the

communication, it is called repudiation. Encryption is also used to overcome this problem

by ensuring non-repudiation.

The work factor is the amount of time required to break encryption or other protective

measures.

In block-mode ciphers, data is broken into blocks for encryption.


34/93



In block-chaining ciphers, data is broken into block for encryption but parts of blocks

overlap.

In stream-ciphers, data is passed through the encryption mechanism as a stream of bits or

characters instead of breaking it into blocks.

Cryptographic Algorithms are used to convert plain text to cipher text and vice versa.

Link Encryption enables encrypting data on a communication link, like a computer network.

End-to-End Encryption encrypts date from source to the destination.

Substitution Cipher replaces character in the plain text with other characters or numbers. It

may also be done by shifting character right or left in the sequence.

Transposition Cipher uses permutation to convert plain text to cipher text.

Digital Signature is a mechanism to detect any unauthorized modification to text and non-

repudiation. It is not encryption.

3.2 Introduction1. Encryption is used for the many purposes, including:

a. Protection of confidentiality of data

b. Ensuring data integrity

c. Non repudiation

2. Typical key lengths are 64 bit, 128 bit, 256 bits, and so on.

3. Longer keys usually provide stronger encryption.

4. Encryption is performed using open or public algorithms as well as proprietary

algorithms

5. Open algorithms are considered as more standard and more secure.

6. For encryption to be reliable, the security of encrypted data should depend only on

secrecy of the encryption key and not on the process of encryption (encryption

algorithm).


35/93



3.3 Alogrithms1. There are two main types of algorithms: symmetric and asymmetric.

2. Symmetric encryption algorithms are also called private key or shared key

algorithms.

3. Symmetric algorithms use that same key for encryption and decryption. This key is also

called a shared key. DES, 3DES, AES, etc are examples of symmetric algorithms.

4. Asymmetric algorithms use two keys: public and private. Data encrypted by one key can

be decrypted only by the other key. RSA is an example of asymmetric algorithm.

5. Symmetric algorithms are usually faster than asymmetric algorithms as for as execution

time is concerned.

6.

In many cases, asymmetric algorithms are used to transfer shared key in the initial phaseof communication between two parties. After that shared key is used for encryption. This

is done to make the encryption faster.

3.3.1 Digital Encryption Standard (DES)1. Developed by IBM

2. Provides block mode symmetric encryption. A single key is used for both encryption and

decryption.

3.

Uses 56 bit key length with 8 parity bits making the key a total of 64 bit long.

4. It uses 16 rounds of substitutions and transpositions.

5. The detailed information is available athttp://www.itl.nist.gov/fipspubs/fip46-2.htm

6. Can be implemented in hardware and software and provides efficient encryption.

3.3.2 Triple Digital Encryption Standard (3DES6)1. More secure than simple DES algorithm. Written as 3DES or TDES.

2. It is symmetric encryption algorithm.

3. Uses three steps to encrypt data with effective key length of 192 bits (64x3). If parity bits

are taken off, the key length is 168 bits (56x3).

6 Standard document available athttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf
http://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://www.itl.nist.gov/fipspubs/fip46-2.htmhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdfhttp://www.itl.nist.gov/fipspubs/fip46-2.htm


36/93



4. Another algorithm, Advanced Encryption Standard (AES) is preferred now over 3DES.

3.3.3 Advanced Encryption Standard or AES AES1. AES is a US government standard for information encryption.

2. AES used Rijndael block cipher algorithm.

3. AES can have key length as 128, 192, or 256 bits.

4. It is fast and can be easily implemented in hardware.

5. Another characteristic of AES is that it is resistant against currently known attacks.

3.4 Public Key Cryptography1.

Public key cryptography is a mechanism where two keys are used for encryption anddecryption: A public key and a private key.

2. A person with the key pair (public and private) makes his/her public key available to

everyone while keeps the private key secret.

3. Data encrypted with public key can be decrypted by private key only and vice versa.

4. If a person Bob wants to send a secure data to another person Alice, Bob will use Alices

public key to encrypt the data. Now only Alice can decrypt it because only Alice has the

private key.

5. To ensure that the data is coming from Bob, Bob will use his private key to encrypt it.

When Alice receives it, she will use Bobs public key to decrypt it. If the decryption is

successful, it is guaranteed that Bob sent it because Bob is the only person who has the

private key. If someone else pretended to be Bob and sent a message to Alice, Alice will

not be able to decrypt the data using Bobs public key. Sometimes this is also called

signing the data and is used for non-repudiation.

6. Digital Signature may be added to a digital message (like email) to ensure the source of

message. Digital signature is usually hash code of the message which is encrypted using

senders private key. The recipient can decrypt the signature (get hash code), create anew hash code and compare the two. If both match, it ensure that the message was not

altered on its way and it was sent by the real sender.

7. In many cases both encryption and digital signature are used to:

a. Ensure confidentiality of data


37/93



b. Integrity of data (the data was not altered)

c. Non-repudiation (the data was sent by the real sender)

8. Many systems are developed using public key cryptography. The most commonly known

system is PGP (Pretty Good Privacy)

9. Key Rings are electronic storage of digital keys. In many cases, key rings are simple

files.

3.4.1 RSA Algorithm1. RSA is the most commonly used asymmetric algorithm in PKC Public Key Cryptography.

2. The name of the algorithm is composed of first characters of last names of its inventors

(Rivest, Shamir, Addleman).

3. The algorithm is based upon large prime numbers that are used to generate public and

private key pair.

4. The larger the prime numbers, the difficult it is to factor their product.

3.5 PGPPGP is now a standard encryption mechanism defined by Internet Engineering Task Force

(IETF) RFC 48807 and used a public/private key pair for data encryption.

1. Free version of PGP is available fromhttp://www.gnupg.org

2. PGP can be used for multiple purposes including file and disk encryption, secure email,

digital signatures and so on.

3.6 Hashing1. Hashing is a used to ensure integrity of data. It is not used for encryption.

2. There are many popular hashing algorithms including MD5 (Message Digest 5), SHA-1

(Secure Hash Algorithm), etc.

3. MD5 produces 128 hash code and was developed by Ron Rivest. MD5 is IETF standard

defined by RFC 13218.

7 http://www.ietf.org/rfc/rfc4880.txt
http://www.gnupg.org/http://www.gnupg.org/http://www.gnupg.org/http://www.gnupg.org/


38/93



4. MD4 is older than MD5 and is not used much.

5. SHA-1 produces 160 bit hash code and was developed by NIST.

6. Output of a hash function is the same, no matter how long the input data is.

7. CRC or Cyclic Redundancy Check is a type of hash.

8. Message Authentication Code or MAC is a checksum calculated for a message before

sending it out. MAC is then calculated at the recipient side to ensure that the message is

not changes on its way.

9. Hashed Message Authentication Code or HMAC uses a key to generate MAC.

3.7 Encrypting Data-At-Rest1. Data needs to be encrypted when it is in transit (on the network) and when it is at rest

or stored on disk.

2. Data is stored on disk usually in two broad categories: flat files or databases.

3.8 Public Key Infrastructure (PKI)1. PKI is a framework with many components including but not limited to X.509 standard,

cryptography, trusted parties, certificate authority, key management, etc.

2. Both symmetric and asymmetric encryption algorithms are used in PKI. Note that public

key cryptography uses only asymmetric algorithms like RSA.

3. PKI is a framework and not a particular technology or product.

4. Each entity (persons, servers) participating in PKI has an X.509 certificate.

5. A certificate authority (CA) issues and signs certificates to entities (or subjects) in PKI.

6. CA is a trusted third party. By signing a certificate, it ensures that the certificate is valid.

Signed certificates can't be modified.

7. When an entity needs to verify a certificate authenticity, it will decrypt signature hash of

a certificate using public key from CA and match it with the actual hash of the public key

in the certificate.

8 http://www.faqs.org/rfcs/rfc1321.html


39/93



8. Certificates can also be validates using On-line Certificate Status Protocol (OSCP) OSCP

which checks the validity of a certificate using CRLs

9. Two or more CA can trust each other by the process of cross certification cross

certification

10.PKI is used for many purposes including authentication, non-repudiation, access control,

two factor authentication, etc.

11.A certificate authority is an integral and central part for PKI.

12.Major functions of PKI are confidentiality, integrity, and authentication.

13.PKI is useful when two parties don't know (or trust) each other but trust a Trusted Third

Party.

3.8.1 Digital Certificates1. Digital certificate, also called X.509 certificates are used to package public key associated

with an entity (person, server, device)

2. Digital certificates are used for multiple purposes. A sample certificate is shown in Figure

below.

Figure: X.509 Certificate general information

3. Figure show the same certificate. The General' TAB in Figure shows the general

information about the certificate. The Detail TAB in Figure shows detail about the same

certificate in Firefox web browser. When you are looking at a real certificate, you can

scroll down to see more information as well.

Figure : X.509 Certificate detail

4. Digital certificate is a file that follows the X.509 standard. A certificate is usually signed

by a certificate authority (CA)

5. A certificate may contain many fields, including, but not limited to:

a. Certificate issuer information

b. Version number


40/93



c. Serial number

d. Signature algorithm

e. Issuer name

f. Issue date and Expiration date

g. Public key

h. Name of owner/entity

6. The certificate shown in Figures are self-signed certificates. Anybody can create self-

signed certificates. However, they don't provide the trusted third party (certificate

authority) assuring.

7. The certificate shown in Figures are examples of certificates signed by a certificate

authority. In Figure, you can see the certificate is signed by Verisign (certificate

authority) and is issued to google.com

X.509 Certificate general information, issued by a certificate authority

8. Figures xxx xxx show ``General'' and ``Detail'' parts of the same certificate as viewed in

Firefox web browser.

X.509 Certificate detail, issued by a certificate authority

9. Certificates are most commonly used by web sites to ensure authenticity of a web site. In

the browser, you can click on the security lock button to view certificate detail.

10.Certificates are also used for secure email transfer from sender to recipient.

11. Certificate Revocation List or CRL is published by certificate authority to publish list of

certificates that are revoked.

12.Certificates may be revoked before expiration date for a number of reasons, including

compromise of private keys. CRL is a means for informing the certificate consumers that

a certificate is not valid. CRL contains serial number of revoked certificates.

13.The URL for the location of CRL is included in the certificate itself.

14.Registration Authority or RA registration authority is a broker between the certificate

owner and the certificate authority. RA gets user information, verifies it, and then sends

it to CA to issue certificate. In most cases RA and CA roles are combined in a single

entity. A certificate has public key of the owner. The owner keeps the private key


41/93



15. Certificates are used for many purposes including authentication, mutual authorization,

secure web traffic, secure email, and so on.

16.Digital certificates can be stored in multiple file formats including:

a.

Base-64 or DER encoded files ending with .CER

b. PKCS-7 files ending with .P7B

c. PKCS-12 files ending with .PFX

17.When exporting certificates to a file, the file can be password protected.

3.8.2 Certificate and Key Management Key Management1. Security of keys used for encryption/decryption is essential for modern cryptography

because encryption algorithms are open and well-known.

2. Key management includes many tasks, including:

a. Key generation

b. Delivery and distribution of key to key owner in a secure way

c. Storing keys in a secure way

d. Using keys in a secure way

e. Destroying keys when no longer needed

f. Recovering keys from backup store or archive

3. Keys can be delivered by courier, secure servers, or some other mechanism that ensures

that only the owner of a key receives it.

4. There are many automated key delivery systems. for example, Kerberos uses key

distribution center or KDC to distribute keys.

5. In many modern communication protocols, keys are changed automatically and very

frequently

6. An organization should always maintain backup copy of keys, also called a key escrow,

in case a key is lost. If a key is needed for data decryption and becomes unavailable, there

is no way to recover the data.


42/93



7. NIST (National Institute of Standards and Technology\footnote\urlhttp://www.nist.gov)

has published a standard for key escrow known as Escrowed Encryption Standard or

ESS.

8. In ESS, a key is split into two (or more parts) that are kept by different parties.

9. Keys length should be determined depending upon the sensitivity of the data encrypted

by the key, the frequency of key usage.

10.Hardware Security Module or HSM is a hardware module used to generate and store

keys. HSM provides a very high level of security in key management.

11. In many cases a backend directory like LDAP or Active Directory is used for storing keys

and certificates.

12.Key Encryption Key or KEK is a key used to encrypt other keys.

3.9 Attacks and Vulnerabilities1. Man in the middle attacks may happen if a trusted third party, like CA, is not used in

encryption.

2. Brute force att

a quick guide to cissp certification

Documents