CISSP 4th Edition Latest Class Training Notes (Detailed Version)

Document download, free document download
http://www.51wendang.com/
This document was downloaded from the document download site; its content may be incomplete. You can click the following URL to continue reading or download it:
http://www.51wendang.com/doc/a88d861180e68ca5a0d13873
CISSP Exam Materials
Domain 1 – Information Systems Security and Risk Management

CIA – DAD
Confidentiality – Prevent Unauthorized Disclosure
Attacked by Hackers, Malware, Human Error, Social Engineering, Shoulder Surfing
Prevented by Identification, Authentication, Authorization
Integrity – Prevent Unauthorized Modification or Alteration of Data
Attacked by Message Modifications, Disabling Alerts on IDS’, Modifying Config Files
Prevented by Least Privilege, Separation of Duties, Rotation of Duties
Availability – Prevent disruption or Destruction of Service and Productivity
Attacked by Disasters, System Failure, DOS, Hardware Failure, Terrorist Attacks
Prevented by
ISO/IEC 17799 – British recommendations on Security Mgmt in an Organization (How to secure assets)
27XXX is the new numbering convention, starting with 27001, and defines how to implement.
Due Care – take steps (countermeasures) to protect assets like A-V or IDS
Due Diligence – Understanding and investigating the current threats and risks, determines Liability and Responsibility
Planning Horizon – period of time with which long term goals should be completed.
Operational – Day to Day
Tactical – Mid-Term goals and Infrastructure to accomplish Strategic Goals
Strategic – Long Term

Risk Management Program
Identify Risks to Assets
Manage Risks
Analyze and Prioritize – Qualitative and Quantitative
Response Planning
Monitoring and Control – Execute, Evaluate, and Document
Cost-Benefit Analysis – Annualized cost of safeguards to protect against threats is compared with the expected cost of potential loss.
Security Definitions
Vulnerabilities – Weakness
Loss – Real or Perceived devaluation
Threat – Potential Danger to an asset
Risk – Likelihood of threat agent using a vulnerability
Exposure – Being open to compromise
Event/Exploit – Instance of the loss being experienced
Control/Measure – Safeguard put in place to mitigate potential losses

National Institute of Standards and Technology – Special Publications
NIST SP 800-30 Risk Assessment
1. System Characterization
2. Threat ID
3. Vulnerability ID
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Commercial Classifications
Confidential, Private, Sensitive, Public
Military Classifications
Top Secret, Secret, Confidential, Sensitive but Unclassified, Unclassified

Data Classification Procedure (by the owner)
Identify Data Custodian
Develop Classification Criteria
Controls Per Class
Document Exceptions
Process for transfer of Custody of Data
Declassification Procedures
Security Awareness
Delphi Method – People may express their ideas anonymously

Single Loss Expectancy (SLE)
Asset Value (AV) x Exposure Factor (EF) = SLE
Annualized Loss Expectancy (ALE)
SLE x Annualized Rate of Occurrence (ARO) = ALE
ARO is 0 – 1, based on 0 = never happen, 1 = Always Happen
Total Risk is the level before a countermeasure is put into place
Threats x Vulnerability x Asset Value = Total Risk
Residual Risk is the level after a control is in place
Total Risk – Control Gap = Residual Risk

4 Ways to Deal with Risk (Risk Management Options)
Enable Countermeasures to Reduce the Risk
Transfer Risk to an Insurance Company
Accept the Risk by living with it
Ignore it and Reject the Risk

NIST SP 800-30 Control Implementation
1. Prioritize Actions
2. Evaluate Options
3. Cost-Benefit Analysis
4. Select the Controls
5. Assign Responsibility
6. Develop the Safeguard
7. Implement the Controls
Laws, Regulations, and Best Practices are the drivers for creating a Security Policy.
NIST SP 800-12 Types of Policies
1. Program Policies – IT Mission Statement
2. Regulatory – driven by laws and regulations
3. Advisory – You should follow these recommendations in your job
4. Informative – States position on how things are done, don’t negotiate with Terrorists
5. Program -
6. Issue-Specific Policies – Email, Privacy, defines Role and Responsibilities
7. System-Specific Policy – Base security objectives for PC’s, more Computer related

Supporting Policies
Standard – Compulsory rules on hardware and software
Baseline – Minimum level of security required
Procedures – Step-by-Step actions to be taken to complete a task
Guidelines – Recommended actions

Data Owner – Member of Senior Mgmt responsible for the protection and use of certain information.
Data Custodian – responsible for the maintenance and protection of the data. (Usually IT)
ISSO – Info Sys Security Officer
User – Primarily responsible, CXO Ultimately responsible
Auditor -
NIST SP 800-50 Knowledge Transfer (Security Awareness)
1. Awareness
2. Training
3. Education
Domain 2 – Access Control

3 Control Layers
Administrative Controls – Policies and Standards, People Mgmt, Employee Behavior, Security Awareness training, Incident Response
Technical Controls – passwords and authentication, AV Software, IDS, Firewalls, Encryption, Load Balancing
Physical Controls – Protecting systems and buildings, locks and alarms, Backup Data Offsite Storage, removing floppy drives

Access Control Types
Preventative – Policies and Procedures, Guards, Man-Traps, Biometrics
Detective – IDS, Audit Logs, Cameras
Corrective – Patch
Deterrent – Cameras visible
Recovery – Restore Backup
Compensation – Random Screening of Candidates

Authentication Types
Type 1 – Something you know (Password)
Type 2 – Something you have (Token)
Type 3 – Something you are (Biometrics)
2 Factor is dominant process
3 Factor has all three – Password, SecureID, Fingerprint

Biometrics
Type 1 – False Rejection Rate (FRR = Negative)
Type 2 – False Acceptance Rate (FAR = Positive)
Crossover Error Rate – The point at which Type 1 FRR errors and Type 2 FAR errors are equal, and represents the best way of measuring biometrics effectiveness.
Signature Dynamics – the unique physical motion of signing your name.
Mutual Authentication (Subjects and Objects) – PKI based, certificates to verify both identities with a standard 3rd party.

Password Attacks
Dictionary – Program with a list of passwords
Brute Force – character combinations
Countermeasures – Encrypt transport of passwords, rotate passwords, Set Lockout Thresholds
Cognitive Passwords use Maiden Names, Pet’s Name, Favorite Color
Threshold (clipping level) of acceptable number of failed logins.
A digital signature uses a private key by encrypting a hash value. The act of encrypting this hash value with a private key is called digitally signing a message.

SSO –
Scripts – process access to a resource to run the commands the user would have to run. Bad – Hard to Maintain, Credentials in Script
LDAP Directory –
Kerberos – Authentication protocol using Symmetric DES and Tickets. Passwords can be used, but designed for Keys. Some require KDC authentication before starting the Authentication process.
Kerberos uses Symmetric Encryption, 2 session keys exchanged between TGS, AS, Resource, and Client. All Encrypted.
SSO – SESAME – Asymmetric, Secure European System for Apps in a Multi-Vendor Environment. Extends Kerberos, adding PKI, Role Based Access Controls, delegation, and extensive auditing. 2 Tickets, 1 for authenticating the subject, another containing access rights. Uses Privilege Attribute Certificates (PAC) which contain the subject’s identity, access period, and lifetime of PAC.

Access Control Model
TCSEC – Trusted Computer Systems Evaluation Criteria
Discretionary Access Control – DAC – Data owner determines access to resources, mostly ACL’s, low level of security. Identity based control.
Mandatory Access Control – MAC – Security Clearance, access determined by system, subject cannot grant someone access, Military. Each object would have a security label, very inflexible.
NIST – Role-Based Access Control – RBAC (Non-Discretionary Access Control) – Groups of users assigned access rights to the role, not user. The security can be managed at the company’s level, each user may be assigned more than 1 role or privilege.
Lattice Based Access Control – Govt systems, strict access, Subject has Secret Access, Upper Bound is Secret, Lower Bound is Unclassified. Compares roles, permissions, and clearance levels to create upper and lower bounds of access. Restricted access, sometimes Read-Only.
Rule Based (MAC) controls can be seen in a Firewall.
Restricted Interfaces –
Menus and Shells – Limited Commands – Menu Windows
Database Views – Rights based information availability
Physically Constrained Interfaces – ATM’s and Numbers only
Access Control Matrix – Used to create the Access Control Lists for users, and requires removal of ACL’s when employee leaves.
Capability Table – row in the matrix, a list of the objects that a subject is able to access. Bound to a SUBJECT.
Access Control List – is a column in the matrix, defines the rules of access, and is bound to the OBJECT.
Content Based Access control defines the access based on the sensitivity of the data

Centralized Access Control Systems
RADIUS – Remote Access Dial-In User Service – Auth Server and Dynamic Password (Uses UDP to communicate), PPP and SLIP connections, and can only authenticate PAP, CHAP, and EAP.
TACACS – Terminal Access Controller Access Control System – Static Password
TACACS – Token Authentication, Cisco Proprietary
Diameter – Authenticates many different devices over many connections, particularly new mobile access clients. Enables use of IPSec if Network Layer security is required.
Decentralized – For Peer networks, regional managers control better

Triple AAA Services
Authentication, Authorization, Accounting

Access Attacks
Degaussing generates a coercive magnetic force that reduces the magnetic density of the storage to zero, meaning it really erases the data through magnetic means.
Keyboard Monitoring would either send signals from the wire connected to the Keyboard, software that collects keystrokes etc.
Rogue Infrastructure – WAP’s
Emanation Security (EMSEC) – TEMPEST (gov’t program name) controls against electrical signals from being replayed. White noise, and Control Zones (building materials that kill signals). Faraday cage = heavy metal casing protection.
Nonce (Number ONCE) – An arbitrary number that is generated for security purposes such as an initialization vector. A nonce is used only one time in any security session. Although random and pseudo-random numbers theoretically produce unique numbers, there is the possibility that the same number can be generated more than once. However, if a very large, true random number is used, the chances are extremely small. A perfect nonce is the time of day; for example, 12.5 seconds past 5:13pm on 1/18/2012 can only occur once.
Domain 3 – Security Architecture and Design

Instruction Execution Cycle
Fetch – CPU presents address of the instruction to memory
Execute – Instruction is decoded and executed

CPU States of Operation
Supervisor State – Kernel Mode, Ring Zero
Program can access entire system
Both privilege and non-privilege instructions
Problem State – User Mode, Ring Three
Only non-privileged instructions are executed
Intended for Application use
Ring 0 = Hardware
Ring 1 = Kernel
Ring 2 = Shell
Ring 3 = Applications
Modern OS’s use Ring 0 for OS kernel data, code, and device drivers. Ring 3 is for applications.

Primary Storage is memory directly addressable by the CPU (MEMORY)
Secondary Storage is hard disk, tape, thumb drives
Volatile Memory = RAM
Non-Volatile Memory = ROM/EPROM
Cache Storage = Part of RAM, optimizes commands and pre-loads
Virtual Storage = Pagefile
Sequential Storage = Magnetic Tape, must be read through to find specific data.
Memory Mapping – only trusted processes can access RAM directly, everything else requires mapping. Software does not use physical addresses, it uses virtual or logical memory.

System Self Protection – Memory Segmentation
Process Isolation
Security Domains
Virtual Machines
Process (Applications run as Processes) – has its own virtual memory space, can contain many threads of code, each thread has a kernel and user mode stack. Threads are the smallest sets of code that can be scheduled by the CPU.
Process Isolation – Preserves objects integrity and subjects adherence to access controls, prevents the actions of one object impacting another. Encapsulation of Objects, Time multiplexing, Naming distinctions, and Virtual Mapping
Multi-Threading – can process code and tasks with the same program at the same time
Multi-Tasking – 2 or more programs running at a time
Multi-Programming – Interleaved execution of 2 or more programs
Multi-Processing – more than 1 CPU
Trusted Computing Base (TCB) – total combination of protection mechanisms within a computer system. TCB includes hardware, software, and firmware, and not all have to be trusted. The Security Perimeter separates the TCB and non-TCB objects, and ensures that interfaces do not leak information.
Reference Monitor controls all access from Subjects to Objects
The Security Kernel is made up of components in the system that enforce the rules of the Reference Monitor.
Security Kernel must provide isolation for the processes carrying out the reference monitor concept, and it must be tamperproof.
The Reference Monitor must be invoked for every access attempt, and must be small enough to be able to be tested and verified
Single State Machine – All users have full access. (System High mode of Operation)
Multi-State Machine – processes data at two or more security levels, without risk to each other. Data can be classified, and doesn’t require full access to all users. (Multi-level mode of Operation)

Security Models
State Machine – for each possible initial state, there is an execution sequence for each possible state transformation. No matter what state it is flowing through, it will be secure.
Information Flow – Restricts information from flowing in ways that would go against the security policy
Bell-LaPadula – outlines how to keep a secure state in every transaction by only allowing subjects certain access rights. Clearance and classification scheme uses a lattice structure with upper and lower access rights. “Any executed activity will always result in a secure state”. B-L is a Confidentiality model, and does not secure integrity or availability.
Simple Security Property – if you have Read access, you can read at your level and below, but not above.
Star Property – if you have Write access, you can write at your level, you can write to a higher level without compromise, but cannot write lower.
Strong Star Property – if you have Read and Write, you can do both at your level, but you cannot hop levels either way.
No Read Up and No Write Down, RU and WD
Biba – Integrity Model, no subject can depend on a less trusted object, based on a lattice of integrity levels
No Write Up, No Read Down, WU, RD
Simple Integrity – says that if you have Read access, you can read data at your level of accuracy, and higher levels, but lower levels will reduce accuracy.
Integrity Star – if you have Write, you can Write at your level and you can write to a lower level, but not above or you would contaminate it.
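The Bell-LaPadula and Biba rules above, as an added example that is not part of the original notes: the confidentiality lattice uses the military classification levels listed in Domain 1, while the integrity lattice (Untrusted, User, System) and the sample requests are constructed assumptions. The checker also covers the Strong Star Property, so the four properties can be compared side by side.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) checks on linear lattices.

Added example. Confidentiality levels come from the notes' military
classification list; the integrity levels and sample requests are constructed.
"""

# Bell-LaPadula lattice (higher index = more sensitive).
CONF_LEVELS = ["Unclassified", "Sensitive but Unclassified", "Confidential",
               "Secret", "Top Secret"]
# Biba lattice (higher index = more trustworthy); constructed, the notes give none.
INTEG_LEVELS = ["Untrusted", "User", "System"]


def _rank(levels, name):
    if name not in levels:
        raise ValueError(f"unknown level: {name}")
    return levels.index(name)


def blp_allows(subject_clearance, object_classification, op, strong_star=False):
    """Bell-LaPadula: Simple Security (no read up) and Star (no write down).

    op is "read" or "write". With strong_star=True a write is only allowed at
    the subject's own level (the Strong Star Property in the notes).
    """
    s = _rank(CONF_LEVELS, subject_clearance)
    o = _rank(CONF_LEVELS, object_classification)
    if op == "read":
        return o <= s            # read at your level and below, not above
    if op == "write":
        if strong_star:
            return o == s        # cannot hop levels either way
        return o >= s            # write at your level or higher, never lower
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject_integrity, object_integrity, op):
    """Biba: Simple Integrity (no read down) and Integrity Star (no write up)."""
    s = _rank(INTEG_LEVELS, subject_integrity)
    o = _rank(INTEG_LEVELS, object_integrity)
    if op == "read":
        return o >= s            # read at your level and higher only
    if op == "write":
        return o <= s            # write at your level and lower only
    raise ValueError(f"unknown operation: {op}")


def audit_requests(requests):
    """Evaluate (model, subject_level, object_level, op) requests in a batch.

    Returns (request, "allow"/"deny") pairs so a reviewer can see which
    property denied each request.
    """
    results = []
    for model, subj, obj, op in requests:
        if model == "BLP":
            ok = blp_allows(subj, obj, op)
        elif model == "Biba":
            ok = biba_allows(subj, obj, op)
        else:
            raise ValueError(f"unknown model: {model}")
        results.append(((model, subj, obj, op), "allow" if ok else "deny"))
    return results


if __name__ == "__main__":
    sample = [  # constructed sample requests
        ("BLP", "Secret", "Confidential", "read"),     # read down: allow
        ("BLP", "Secret", "Top Secret", "read"),       # read up: deny
        ("BLP", "Secret", "Top Secret", "write"),      # write up: allow
        ("BLP", "Secret", "Unclassified", "write"),    # write down: deny
        ("Biba", "User", "System", "read"),            # read up: allow
        ("Biba", "User", "Untrusted", "read"),         # read down: deny
        ("Biba", "User", "Untrusted", "write"),        # write down: allow
        ("Biba", "User", "System", "write"),           # write up: deny
    ]
    for req, decision in audit_requests(sample):
        print(decision, req)
```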
Integrity defined by 3 goals
Data protected from change by unauthorized users
Data protected from unauthorized change by authorized users
Data is internally and externally consistent
Clark-Wilson – Access Triple – Prevents Auth users from mistakes, Un-Auth from entering Data, and maintain internal and external consistency. All 3 goals of Data Integrity through software engineering controls, well-formed transactions constrain user to ensure consistency. Objects are broken into Programs and Data, main features of Separation of Duties, access through programs, and strict auditing. Subjects use programs, and programs ensure objects are accessed correctly. Programmatic controls.
Constrained Data Item (CDI) – data item whose integrity is to be preserved
Integrity Verification Procedure (IVP) – confirms that CDI’s have integrity
Transformation Procedure (TP) – transforms a CDI from one integrity state to another.
Non-Interference – State Machine approach where actions are controlled based on what users are in what domain. Actions of Group A are not seen by Group B.
Access Control Matrix – PROFILE BASED, data on subjects in rows, objects in columns. OS’s use this in ACL’s, and give subject access based on its relationship to the object
Brewer and Nash – Chinese Wall, this model protects users from accessing data that could be seen as a conflict of interest (like competitor data). Dynamically changes with previous access, and what should not be known.
TCSEC – Trusted Computer System Evaluation Criteria – Orange Book, based on Bell-LaPadula model and Confidentiality
A: Verified Protection
A1
B: Mandatory Protection (Security Labels)
B3 – Trusted Recovery, security controls are always active, and monitor and notify security administrator (role defined)
B2 – Structured Protection, device labels, separation of operator and admin functions
B1 – Process isolation, design specs are verified, Device Labeling
C: Discretionary Protection
C2 – Object Reuse, must have protected audit trail, minimum level of host for a Firewall
C1 – Separation of Users and Data, cooperative users at same sensitivity
D: Minimal Security
ITSEC – Information Technology Security Evaluation Criteria – covers C-I-A completely
F1-10 for functionality
E0-6 for assurance and is a measurement of correctness and effectiveness
Common Criteria – ISO – Combines TCSEC, ITSEC, Canadian CTCPEC, and Federal Criteria
Protection Profile (PP) – defines security requirements and protections needed
Target of Evaluation (TOE) – Product proposed to provide a needed security solution.
Security Target (ST) – Vendor writes details of security functions and assurance mechanisms that meet the needed solution.
(This is how we deal with security)
Certification is the technical evaluation of the security components of a product
Accreditation is the formal acceptance of the products overall security by a Designated Approving Authority (DAA).
Threats to Systems
Covert Channels – Sending info in an unauthorized way
Covert Timing Channel – process relays info to another by modulating its use of systems resources
Covert Storage Channel – process writes data to a storage location, and another lower process reads it.
Back Door – previously called Maintenance Hook, or Trap Door, usually intentional, can be inserted via a Trojan Horse via a Rootkit
Asynchronous Attacks – Use time between events in a sequence to gain access
TOC/TOU – Time of Check/Time of Use – Attack takes place after the system checks the file, but before it is in use (I.E. autoexec.bat processes line by line commands)
Race Conditions – 2 processes race to carry out conflicting actions at the same time, giving access before the system can enable its protections

Application based attacks
Code Injection – place SQL code into input buffers
Buffer Overflow – if application does not check the amount of information being inputted, the data could overwrite other memory segments. Insufficient parameter checking.
Domain 4 (8) – Application and Systems Development

Application Security
1. Use Devices such as Firewalls, Routers, ACLs, IDS, and Bastion Hosts – Feel like it is secure
2. Design and develop software with security in mind

Software Development Methods
Waterfall
Each phase is documented and completed before the next tasks
Not good scalability, longer term, not designed for short turn around
Prototyping
4 Phases
Concept
Design and Implement initial prototype
Refine until acceptable
Complete and release final version
Spiral
Combo of Waterfall and Prototyping
Initial version is Prototype
Versioning later is similar to Waterfall
Evaluate at each milestone, each phase includes a risk assessment review
Clean Room
Focus on Defect Prevention rather than removal
Design time longer, less time for testing
Savings over long term
Extreme
Small teams of devs, with changing requirements
Systematic and regular testing, non-requested functionalities not created
Verification – does it meet the specifications
Validation – does it meet real world requirements
Change Control Procedure
Request for change with Change Control Board
Analyze request
Record change request
Submit change for approval
Develop the change
Re-code segments of the product
Link these changes in the code to the formal change control request
Submit software for testing and quality approval
Make version changes
Report changes to mgmt

Capability Maturity Model (CMM)
Level 1 – Initiating – few processes defined
Level 2 – Repeatable – basic project management and repeatable development
Level 3 – Defined – Procedures defined and standardized
Level 4 – Managed – Monitor and control own processes, quantitatively understood
Level 5 – Optimizing – Continuous process improvement, with quantitative feedback

Object Oriented Programming
Faster, highly modular
The data structure of an object includes both data and functions, and can inherit properties of other objects
Objects are members of classes that define attributes and characteristics of the objects within them
Objects can inherit attributes from the class type
Abstraction – ability to suppress unnecessary detail so that properties can be examined and reviewed
Polymorphism – different objects respond to the same command, input, or message, in different ways.
Polyinstantiation – defer inference, basically, when a lower level security entity requests secure information, wrong information is put in its place to prevent understanding of the real purpose or information.
Cohesive Module can perform a single task with little or no help from other modules. (Highly Cohesive, low coupling = good)
Coupling is a measure of interconnection among modules in an application. The lower the coupling, the better the software design because it promotes modules being independent.

Relational DB – tables with columns and rows (attributes and tuples)
Components –
Data Definition Language (DDL) – defines the schema
Data Manipulation Language (DML) – manipulates the data within the DB
Data Control Language (DCL) – defines the internal organization of the DB
Ad-Hoc Query Language (QL) – for users to access the data
Hierarchical DB – Logical Tree Structure, branches and leaves for data fields
Distributed DB – Stored across systems in different places and are logically connected
File – collection of records of the same type, like a table
Base Relation – Table stored in the DB
View – Virtual relation between subjects and objects
Primary Key – field that links all the data within a record to a corresponding value
Foreign Key – an attribute of one table that is the primary key of another table
Data Dictionary – 52 tables, index info, users and permissions
Schema – each relationship within the DB is described by the schema
Meta-Data – Data used to describe the DB and the data within it.
DBMS – management software for making changes to the DB
DB ACID Test – Protects DB Integrity
Atomicity – all changes take effect or none do
Consistency – transaction is allowed only if it follows integrity constraints.
Isolation – results of the transaction are not visible until the transaction is complete
Durability – Results of transaction are permanent
Online Transaction Processor (OLTP)
Everything must be committed before the transaction will complete.
Concurrency – Double Update occurs when 2 programs access the same element at the same time. DEAD LOCK can occur, with both waiting for the other to release resources, causing Denial of Service, or loss of data integrity
Rollback – changes are cancelled
Commit – completed transaction executes all changes successfully
Checkpoint/Savepoint – periodically saving data
Adding to DB Security, you can add a Trusted Front End
Aggregation – the combined information has new info that is greater than the individual parts
Inference – act of combining information from separate sources to deduce other info
Counter – Cell Suppression to hide specific data
Partitioning the DB into parts, that makes it more difficult to find info
Noise and Perturbation is used hoping to confuse and frustrate an attacker

DB Access Control
Content-Dependent – Control Access based on content
Context-Dependent – Access based on time of day, what application requested etc.
Entity Integrity – Primary Key must be a unique value, cannot be null
Referential Integrity – Relationship between 2 entities requires that they both exist
DB Normalization is achieved when redundancies and inconsistencies are removed
Data Warehouse – Multiple DB’s combined with the purpose of a fuller extent of information retrieval and analysis. Related information is selected and summarized before presented to the user. Needs greater security with so much in one place. Usually for strategic long-term use.
Data Mart – smaller and more focused data for a specific group, usually a tactical and immediate business need.
Data Mining – process of analyzing a DB using tools that look for trends or anomalies. Creates Meta-Data that can identify patterns and relationship between data sets. Can test for inference vulnerabilities. Used for Intrusion Detection, Fraud Detection, Auditing

Artificial Intelligence
Program containing a KB and set of algorithms and rules, used to infer new facts. Data is collected from human experts and used for problem solving
Expert Systems emulates human knowledge and will try to formulate an answer, even without all the necessary information.
Inference Engines and “if-then” Rule-based programs are used by Expert Systems to resolve problems with human logic
Will use the Rule-Based program to find patterns, then uses human logic to determine answers, often referred to as Fuzzy Logic (like a spell-check application)
Artificial Neural Networks
Ability to remember and learn from new experiences
Ability to generalize
They try to replicate the functions of neurons to solve problems in a new way
Limited by the experiences they can have

Distributed Computing Environment (DCE uses Universal Unique Identifiers UUID’s)
Object Management Architecture (OMA) provides a high-level overview of a complete distributed environment. Data processing takes place on different systems.
ORB – Object Request Broker manages all communication between components, and allows them to interact. ORB works independently from the Objects, allowing greater interoperability. ORB’s are locators and middleware in the environment.
Distributed Communication Standards, COM, DCOM, and Enterprise Java Beans
CORBA – Common Object Request Broker Architecture is a standard developed by the Object Management Group (OMG) allowing different Apps written in different languages. Standard APIs for systems to use to communicate to different ORBs
COM – Architecture allows for simple inter-process communication between objects, only on a single system.
DCOM – Distributed, works as middleware for distributed processing. Has a library that handles sessions, synchronization, buffering, fault ID, handling, and data format translation.
Linking through COM – Object Linking and Embedding (OLE) – allows objects to be embedded in documents. It uses Globally Unique Identifiers (GUIDs) to keep track of different objects.

Mobile Code and Active Content
Java Applets, Javascript, ActiveX controls, macros, and email attachments
ActiveX is an extension of Object Linking and Embedding, Relies on Digital Certs and Trusting Cert Authorities using Authenticode. User decides trust level based on where it is from.
Java creates the virtual Sandbox to operate in, and locks out functions in the user’s computer.
Java Bytecode usually used for Internal Apps and has full machine control
Java VM runs a virtual machine and talks to the OS

Detecting Malicious Code
File size increase
Many disk accesses
Updated or modified timestamps
Decrease in disk space
Calculations of checksums on system files
Strange App activity
Worms – reproduce on their own without file replication to migrate
Logic Bomb will trigger code execution after period of time or an action
Trojan Horse is disguised as another program and contains hidden code to create zombie’s and other access
Smurf – ICMP ECHO broadcast sent to network with a spoofed address, all systems respond. (DOS)
Fraggle – uses UDP instead of ICMP
Teardrop Attack sends runt packets through different networks, and reconnects packets in a way that they cannot be re-assembled and systems will lockup (DOS)
DDOS – Distributed Denial of Service using Masters and Zombies, and Handler systems. Also known as Tribal, trin00, and TFN.
Counters – Drop all ICMP from Internet, Drop broadcasts
Ingress Filtering doesn’t allow Internal Source addresses from outside
Egress Filtering doesn’t allow packets to leave with External Source Addresses
Timing Attacks
Kick legitimate user off a line and take over session
NAK/ACK – remove FIN command and continue session
Domain 5 – Cryptography
Cryptography Goals
Confidentiality – unauthorized parties cannot access the message
Authenticity – validation of the source
Integrity – the message has not been modified
Non-Repudiation – the sender cannot deny having sent the message
Cryptography Definitions
Cryptography – science of hiding meaning in communication
Cryptanalysis – studying and breaking the secrecy of encryption algorithms
Cryptosystem – the mechanism (algorithms, keys and procedures) that carries out the encryption process
Work Factor – the amount of time and resources needed to break an encrypted message
Block Cipher – breaks the plaintext into fixed-size blocks and encrypts each with the same algorithm and key
Cipher – a cryptographic transformation that operates on characters or bits
Ciphertext or Cryptogram – the unintelligible (encrypted) message
Clustering – one plaintext message generates identical ciphertext using the same algorithm but different keys (key clustering)
Codes – a cryptographic transformation that operates at the word or phrase level
Cryptographic Algorithm – step-by-step procedure used to encipher plaintext and decipher ciphertext
Cryptology – encompasses cryptography and cryptanalysis
Cryptosystem – the set of transformations from message space to ciphertext space
Decipher – to undo the enciphering process
Encipher – to make a message unintelligible to all except the intended recipient
End-to-end encryption – information is encrypted by the sender and decrypted only by the receiver
History of Cryptography – Symmetric Ciphers
Hieroglyphics – 2000 B.C., the first known use; non-standard hieroglyphs hid the meaning
ATBASH – the Hebrews reversed the alphabet (A=Z, B=Y, ...)
Scytale – used by the Spartans around 400 B.C.; the message is wrapped around a wooden
dowel and written along its length. The diameter and length of the dowel are the key.
Caesar cipher – monoalphabetic substitution (only one cipher alphabet is used); each letter
is shifted three places. Known as C3 (Caesar shift 3 places).
Vigenere Cipher – a polyalphabetic substitution using 2 or more cipher alphabets. Each
keyword letter is added to the corresponding plaintext letter (mod 26) to produce the
ciphertext letter. Example: CISSP with the keyword INTENSE: C+I=K, I+N=V, ...
Exclusive Or (XOR)
Boolean operation, written XOR or with the symbol ⊕
Easily implemented in hardware
0⊕0=0, 0⊕1=1, 1⊕0=1, 1⊕1=0
Input A | Input B | Output
0 | 0 | 0
0 | 1 | 1
1 | 0 | 1
1 | 1 | 0
XOR operates at the bit level
XOR the plaintext (byte by byte) with the keystream; the operation is its own inverse, so
XORing the output with the same keystream recovers the plaintext.
Vernam Cipher – the one-time pad: a truly random, non-repeating key as long as the message,
used only once
Running Key Cipher – uses text from a book as the key, adding it to the plaintext modulo
26. The key is identified by book, page number, line number and word number.
Concealment Cipher – every x-th letter (or word) of an innocent-looking text is the message
Steganography – hides a message inside another medium such as an image
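As an added example (not from the original notes), the XOR and Vernam material above in working code: a one-time pad used correctly, the same pad reused once (the "two-time pad"), and why the reuse is fatal. The messages are constructed for the demo.

```python
import os

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def vernam_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """One-time pad: the pad must be truly random, as long as the message, and used once."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: this would no longer be a one-time pad")
    return xor_bytes(plaintext, pad)

vernam_decrypt = vernam_encrypt   # XOR is its own inverse

def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """Reusing a pad: c1 XOR c2 == p1 XOR p2, the key cancels out entirely."""
    return xor_bytes(c1, c2)

def crib_drag(p1_xor_p2: bytes, crib: bytes, offset: int) -> bytes:
    """If the attacker guesses a word of p1 at `offset`, p2 falls out at the same offset."""
    return xor_bytes(p1_xor_p2[offset:offset + len(crib)], crib)

def demo():
    p1 = b"ATTACK AT DAWN"                 # constructed messages
    p2 = b"RETREAT NOW!!!"
    pad = os.urandom(len(p1))              # a fresh random pad: correct usage
    c1 = vernam_encrypt(p1, pad)
    assert vernam_decrypt(c1, pad) == p1
    c2 = vernam_encrypt(p2, pad)           # WRONG: the same pad used a second time
    leak = two_time_pad_leak(c1, c2)       # equals p1 XOR p2, no key material needed
    recovered = crib_drag(leak, b"ATTACK", 0)   # guess a word of p1, read p2 there
    return leak == xor_bytes(p1, p2), recovered

if __name__ == "__main__":
    print(demo())
```

The same failure applies to any stream cipher (RC4 included) whose keystream is reused: the attacker never needs the key, only two ciphertexts under the same keystream.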
Key Components
Keys are just strings of bits; an n-bit key has 2^n possible values
Encryption and Decryption
Bit-wise operations: XOR, shift left/right, substitutions/permutations
Modular arithmetic: add, multiply, exponentiate modulo a number
Algorithm – the set of mathematical rules that determine how text is enciphered and deciphered
Keyspace – the range of values that can be used to construct a key; the larger the
keyspace, the harder it is to find the key by search
Pseudo-Random Generation of bits (PRNG) – stretches a short seed into a long keystream; a
cryptographic PRNG is required for key material
Encryption Attacks
Brute Force – try every key; the slowest and most expensive attack, but it always succeeds
eventually, so the key length must make it impractical
Frequency Analysis – the common patterns of a language (letter frequencies, words such as
"hi", "the", "and", "thanks") are used to break substitution ciphers
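As an added example (not the notes' own code), the classical ciphers from the history section (ATBASH, Caesar/C3 and Vigenere, including the CISSP/INTENSE example) together with the two attacks above: a brute-force search of the whole 26-key Caesar keyspace, and frequency analysis that recovers a Vigenere keyword letter by letter once the key length is known. The sample text and the letter-frequency table are constructed/public inputs, not from the notes.

```python
import string
from collections import Counter

ALPHA = string.ascii_uppercase

def atbash(text: str) -> str:
    return "".join(ALPHA[25 - ALPHA.index(c)] if c in ALPHA else c for c in text.upper())

def caesar(text: str, shift: int) -> str:
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] if c in ALPHA else c for c in text.upper())

def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Polyalphabetic: letter i of the text is Caesar-shifted by keyword letter i (mod 26)."""
    out, i = [], 0
    for c in text.upper():
        if c in ALPHA:
            k = ALPHA.index(keyword[i % len(keyword)].upper())
            out.append(ALPHA[(ALPHA.index(c) + (-k if decrypt else k)) % 26])
            i += 1
        else:
            out.append(c)
    return "".join(out)

# Approximate English letter frequencies in percent, A..Z (well-known public table).
ENGLISH = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15, 0.77, 4.03, 2.41,
           6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

def chi_squared(text: str) -> float:
    """How far the letter distribution of `text` is from English (lower is closer)."""
    letters = [c for c in text.upper() if c in ALPHA]
    n, counts = len(letters), Counter(letters)
    return sum((counts[ALPHA[i]] - n * ENGLISH[i] / 100) ** 2 / (n * ENGLISH[i] / 100)
               for i in range(26))

def brute_force_caesar(ciphertext: str) -> int:
    """Try all 26 keys (the entire keyspace) and keep the one that reads most like English."""
    return min(range(26), key=lambda s: chi_squared(caesar(ciphertext, -s)))

def frequency_analysis_vigenere(ciphertext: str, key_len: int) -> str:
    """With the key length known, every key_len-th letter was shifted by the same keyword
    letter, i.e. each column is a Caesar cipher that frequency analysis breaks on its own."""
    letters = [c for c in ciphertext.upper() if c in ALPHA]
    return "".join(ALPHA[brute_force_caesar("".join(letters[pos::key_len]))] for pos in range(key_len))

# Constructed sample plaintext (long enough for the letter statistics to be reliable).
SAMPLE = ("THE QUICK BROWN FOX JUMPS OVER THE LAZY DOG WHILE THE SECURITY TEAM REVIEWS THE "
          "INCIDENT REPORT AND UPDATES THE FIREWALL RULES BEFORE THE WEEKEND. THE ANALYSTS "
          "NOTICED THAT SEVERAL ACCOUNTS HAD BEEN ACCESSED FROM AN UNUSUAL LOCATION AND "
          "DECIDED TO RESET EVERY PASSWORD IN THE DOMAIN. THE SERVER LOGS SHOWED REPEATED "
          "FAILED LOGIN ATTEMPTS AGAINST THE MAIL GATEWAY DURING THE NIGHT SO THE TEAM BLOCKED "
          "THE SOURCE ADDRESS AT THE BORDER ROUTER AND TOLD THE OWNERS OF THE AFFECTED SYSTEMS "
          "TO CHECK FOR OTHER SIGNS OF COMPROMISE.")

if __name__ == "__main__":
    print(vigenere("CISSP", "INTENSE"))                       # KVLWC, as in the notes
    print("Caesar shift recovered:", brute_force_caesar(caesar(SAMPLE, 3)))
    print("Vigenere keyword recovered:",
          frequency_analysis_vigenere(vigenere(SAMPLE, "INTENSE"), 7))
```

Short ciphertexts can defeat the statistics (a column of a dozen letters is not English-shaped), which is the practical limit of frequency analysis and the reason the one-time pad, with no repeating key, is immune to it.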
Cipher Types
Transposition – a permutation is used, meaning the letters or bits are scrambled (their order changes, not their values)
Symmetric Block – the message is divided into fixed-size (e.g. 64-bit) blocks and each block
is put through substitution boxes (S-boxes) and permutation boxes (P-boxes)
S-boxes each do something different to the data: bits are substituted and transposed
Operate on fixed-size blocks; usually implemented in software
Some block algorithms emulate a stream cipher (the feedback modes below)
DES is the best-known block cipher. It uses 16 rounds of mathematical calculations to
maximize randomness by applying the algorithm repeatedly. The 64-bit key contains 56 key
bits plus 8 parity bits (one parity bit for every 7 bits of key data), so the effective
key length is 56 bits.
Symmetric Stream – treats the message as a stream of bits and performs functions on
individual bits or bytes as they arrive. RC4 is the usual example.
DES – Data Encryption Standard
Derived in 1972 from the Lucifer algorithm developed by Horst Feistel at IBM
Patented in 1974; a block cipher cryptosystem for commercial and non-classified systems
DES (the standard) describes the Data Encryption Algorithm (DEA)
Adopted as Federal Information Processing Standard (FIPS 46) in 1977
Re-certified in 1993 by the National Institute of Standards and Technology (NIST); replaced
by the Advanced Encryption Standard (AES, the Rijndael algorithm) and withdrawn in 2005
DES uses a 64-bit block size and a 56-bit key: it begins with a 64-bit key and strips the 8
parity bits
DEA is a 16-round cryptosystem designed for implementation in hardware
56-bit key = 2^56 ≈ 72 quadrillion possible keys; 8 Substitution-Boxes
Triple DES – three DES operations in sequence; used as the interim standard until AES was adopted
DES uses confusion and diffusion as suggested by Claude Shannon
Confusion conceals the statistical connection between key and ciphertext; accomplished through S-boxes
Diffusion spreads the influence of one plaintext bit over many ciphertext bits; accomplished through P-boxes
DES Operates in four modes
Block Modes
Electronic Code Book (ECB)
Native encryption mode: each block is encrypted independently with the same key
The same plaintext block always produces the same ciphertext block, so patterns in the
plaintext show through in the ciphertext
Blocks can be encrypted (and decrypted) in any order
Used only for small amounts of data such as challenge-response values and key-management
tasks; also used to encrypt PINs in ATM machines
Cipher Block Chaining (CBC)
Each plaintext block is XORed with the previous ciphertext block (an initialization vector,
IV, for the first block) before being encrypted, so identical plaintext blocks give
different ciphertext
A bit error in one ciphertext block garbles that whole block and flips the corresponding
bit in the next block on decryption; the error does not propagate further
Streamed Block Modes
Cipher Feedback (CFB)
The previous ciphertext block is encrypted and the output is XORed with the current
plaintext; used when encrypting individual characters is required
An error in one ciphertext block affects that block and the following block, as in CBC
Output Feedback (OFB)
Functions like a stream cipher: the block cipher is used only to generate a stream of
pseudo-random bits that are XORed with the plaintext to create ciphertext
The cipher output (not the ciphertext) is fed back to the algorithm to form the input for
the next block of keystream, so a bit error in the ciphertext affects only the
corresponding plaintext bit
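An added example, not the notes' own code, showing the four modes above behaving as described: a toy 16-round Feistel cipher (the structure DES uses, with SHA-256 standing in for the expansion/S-box/P-box round function) under ECB, CBC, CFB and OFB. The toy cipher, key, IV and plaintext are assumptions for the demo; it is not DES and not secure, and exists only to make the mode behaviour visible.

```python
import hashlib

BLOCK, ROUNDS = 8, 16   # 64-bit block, 16 rounds, like DES

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_function(half, subkey):
    # Stands in for DES's expansion, S-boxes and P-box (confusion and diffusion).
    return hashlib.sha256(subkey + half).digest()[:4]

def subkeys(key):
    return [hashlib.sha256(key + bytes([r])).digest()[:8] for r in range(ROUNDS)]

def encrypt_block(block, key):
    left, right = block[:4], block[4:]
    for k in subkeys(key):
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left                       # final swap, as in DES

def decrypt_block(block, key):
    # Same rounds with the subkeys reversed; the round function is never inverted.
    left, right = block[:4], block[4:]
    for k in reversed(subkeys(key)):
        left, right = right, xor_bytes(left, round_function(right, k))
    return right + left

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(data, key):
    return b"".join(encrypt_block(b, key) for b in blocks(data))

def ecb_decrypt(data, key):
    return b"".join(decrypt_block(b, key) for b in blocks(data))

def cbc_encrypt(data, key, iv):
    out, prev = [], iv
    for b in blocks(data):
        prev = encrypt_block(xor_bytes(b, prev), key)   # chain: XOR with previous ciphertext
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(data, key, iv):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor_bytes(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)

def cfb_encrypt(data, key, iv):
    out, prev = [], iv
    for b in blocks(data):
        prev = xor_bytes(b, encrypt_block(prev, key))    # the ciphertext is fed back
        out.append(prev)
    return b"".join(out)

def cfb_decrypt(data, key, iv):
    out, prev = [], iv
    for c in blocks(data):
        out.append(xor_bytes(c, encrypt_block(prev, key)))   # encrypt, never decrypt
        prev = c
    return b"".join(out)

def ofb_crypt(data, key, iv):
    # Keystream = E(iv), E(E(iv)), ...: independent of the data, same call both ways.
    out, state = [], iv
    for b in blocks(data):
        state = encrypt_block(state, key)
        out.append(xor_bytes(b, state))
    return b"".join(out)

def demo():
    key, iv = b"8bytekey", bytes(range(8))              # constructed key and IV
    pt = b"ATTACKAT" * 3                                # three identical plaintext blocks
    ecb, cbc, ofb = ecb_encrypt(pt, key), cbc_encrypt(pt, key, iv), ofb_crypt(pt, key, iv)
    flip = lambda ct: bytes([ct[0] ^ 0x01]) + ct[1:]    # one-bit error in ciphertext block 0
    bits = lambda a, b: sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    cbc_bad = cbc_decrypt(flip(cbc), key, iv)
    return {
        "roundtrip": (ecb_decrypt(ecb, key), cbc_decrypt(cbc, key, iv), ofb_crypt(ofb, key, iv)) == (pt, pt, pt),
        "ecb_leaks_pattern": ecb[:8] == ecb[8:16] == ecb[16:24],
        "cbc_hides_pattern": len({cbc[:8], cbc[8:16], cbc[16:24]}) == 3,
        "cbc_block0_garbled": cbc_bad[:8] != pt[:8],
        "cbc_block1_bit_errors": bits(cbc_bad[8:16], pt[8:16]),            # exactly 1
        "cbc_block2_intact": cbc_bad[16:] == pt[16:],
        "ofb_total_bit_errors": bits(ofb_crypt(flip(ofb), key, iv), pt),   # exactly 1
    }

if __name__ == "__main__":
    print(demo())
```

The results are the textbook ones: ECB repeats itself, CBC limits a ciphertext error to one garbled block plus one flipped bit in the next, and OFB passes a one-bit error through as a one-bit error (which is also why OFB and other stream modes need a separate integrity check, since an attacker can flip chosen plaintext bits).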
Triple DES
Double encryption (encrypt twice with two keys) is subject to a meet-in-the-middle attack,
so it gives little more security than single DES; triple encryption is used instead.
It can be done several different ways:
DES-EDE2 (encrypt with key 1, decrypt with key 2, encrypt with key 1 again; two keys)
DES-EDE3 (encrypt with key 1, decrypt with key 2, encrypt with key 3; three keys, the usual
form standardized in FIPS 46-3)
DES-EEE2 (encrypt with key 1, encrypt the output with key 2, encrypt the output with key 1 again)
DES-EEE3 (encrypt with key 1, encrypt the output with key 2, encrypt the output with key 3)
The three-key variants are the most secure: 168 key bits, about 112 bits of effective
strength because of meet-in-the-middle. Decrypting in the middle step (EDE) lets an
implementation with key 1 = key 2 = key 3 interoperate with single DES.
Advanced Encryption Standard (AES)
Block cipher that replaced DES. NIST announced the competition in January 1997; the
Rijndael algorithm was selected in 2000 and published as FIPS 197 in 2001. 128-bit block
with 128-, 192- or 256-bit keys.
Triple DES remained approved for government use for a transition period.
IDEA Cipher – International Data Encryption Algorithm
64-bit block, 8 rounds, and a 128-bit key; used in PGP
Considered much stronger than DES (the 128-bit key puts brute force out of reach)
RC4 – the most commonly used symmetric stream cipher and the one most likely to be on the
test (used in WEP and early SSL/TLS); its keystream has known biases and its use in TLS is
now prohibited (RFC 7465).
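The meet-in-the-middle attack that rules out "Double DES" in the Triple DES section above, as an added example that is not part of the original notes. A toy 16-bit block cipher with a 12-bit key stands in for DES so the attack finishes instantly; the cipher, its constants and the sample keys are assumptions, but the attack structure is exactly the one used against double encryption of any block cipher.

```python
KEY_BITS = 12
MASK16 = 0xFFFF

def rotl16(v, r):
    return ((v << r) | (v >> (16 - r))) & MASK16

def rotr16(v, r):
    return ((v >> r) | (v << (16 - r))) & MASK16

def subkey(k, i):
    return (k * 0x9E37 + i * 0x1234) & MASK16

def toy_encrypt(k: int, p: int) -> int:
    """Toy 16-bit block cipher with a 12-bit key: 4 rounds of XOR, rotate, add. Weak by design."""
    x = p
    for i in range(4):
        x = (rotl16(x ^ subkey(k, i), 5) + 0x5BD1) & MASK16
    return x

def toy_decrypt(k: int, c: int) -> int:
    x = c
    for i in reversed(range(4)):
        x = rotr16((x - 0x5BD1) & MASK16, 5) ^ subkey(k, i)
    return x

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def meet_in_the_middle(pairs):
    """pairs: [(p, c), ...] known plaintext/ciphertext under double encryption.
    Builds E_k1(p0) for every k1, then looks up D_k2(c0) for every k2: about 2 * 2^KEY_BITS
    cipher calls plus a table, instead of the 2^(2*KEY_BITS) of brute force."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << KEY_BITS):                 # forward half
        table.setdefault(toy_encrypt(k1, p0), []).append(k1)
    candidates = []
    for k2 in range(1 << KEY_BITS):                 # backward half
        for k1 in table.get(toy_decrypt(k2, c0), []):
            # A 16-bit middle value gives false matches; the other pairs weed them out.
            if all(double_encrypt(k1, k2, p) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates

def work_factor():
    """(brute-force key pairs, meet-in-the-middle cipher operations)"""
    return 1 << (2 * KEY_BITS), 2 << KEY_BITS

def recover_keys_demo():
    k1, k2 = 0xABC, 0x123                            # the victim's keys (constructed)
    plaintexts = [0x0000, 0x1234, 0xBEEF]            # known plaintexts (constructed)
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    return meet_in_the_middle(pairs)

if __name__ == "__main__":
    print(recover_keys_demo(), work_factor())
```

Scaled to DES the same table costs 2^56 entries, which is why two-key 3DES is rated at about 2^112 rather than 2^168 and why the attack is a memory/time trade-off rather than a practical break.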
Public Key Cryptography / Asymmetric
Employs a key pair: a private key and a public key
The public key is made available to anyone wanting to encrypt a message; the private key
is used to decrypt it
The public key cannot decrypt the message it encrypted
Ideally the private key cannot be derived from the public key
Whatever one key encrypts, the other can decrypt; the private key is kept private
Possible through the application of one-way functions: easy to compute in one direction
but infeasible to compute the other way
To be useful the function should have a trapdoor, a secret piece of information that makes
the reverse computation easy
1,000 to 10,000 times slower than secret-key (symmetric) encryption, so hybrid systems use
public-key encryption only to protect the symmetric session key
Diffie-Hellman
First published asymmetric algorithm (1976)
Provides key agreement only: no data encryption or digital signatures
Lacks authentication on its own (an active attacker can run a separate exchange with each
side, a man-in-the-middle); countered by signing the exchanged values with digital signatures
Lets two parties agree on a secret key over an insecure medium without ever sending the key
Key Exchange / Session Keys – hybrid with symmetric encryption: the agreed secret becomes
the symmetric session key used to encrypt the messages; good for one session only
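An added example (not from the original notes) of the Diffie-Hellman exchange and its missing-authentication problem described above: an honest exchange in which both sides derive the same key, and the same exchange with a man-in-the-middle who substitutes her own public values. The group is the 2048-bit MODP group 14 from RFC 3526 (verify the constant against the RFC before reusing it); the Party class and the key derivation are assumptions for the demo.

```python
import hashlib
import secrets

# RFC 3526 group 14 prime (2048-bit MODP), generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

class Party:
    def __init__(self, name):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1        # x in [1, P-2], never sent
        self.pub = pow(G, self.priv, P)                 # g^x mod p, safe to publish

    def session_key(self, peer_pub: int) -> bytes:
        if not 1 < peer_pub < P - 1:                    # reject 0, 1 and p-1 (degenerate values)
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self.priv, P)            # (g^y)^x = g^(xy) mod p
        return hashlib.sha256(shared.to_bytes(256, "big")).digest()   # KDF to a 256-bit key

def honest_exchange() -> bool:
    alice, bob = Party("alice"), Party("bob")
    return alice.session_key(bob.pub) == bob.session_key(alice.pub)

def mitm_exchange() -> dict:
    """Mallory replaces each public value with her own: Alice and Bob each share a key
    with Mallory, not with each other, and nothing in the exchange itself reveals this."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    k_alice = alice.session_key(mallory.pub)     # Alice believes this came from Bob
    k_bob = bob.session_key(mallory.pub)         # Bob believes this came from Alice
    return {"alice_bob_agree": k_alice == k_bob,
            "mallory_reads_alice": mallory.session_key(alice.pub) == k_alice,
            "mallory_reads_bob": mallory.session_key(bob.pub) == k_bob}

if __name__ == "__main__":
    print(honest_exchange(), mitm_exchange())
```

The fix the notes mention is to have each side sign its public value (or the whole transcript) with a key the other side can verify through a certificate; IKE and TLS do exactly that, and the unauthenticated form is only acceptable where an out-of-band check of the public values exists.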
RSA
Rivest, Shamir and Adleman (1977); often used in SSL/TLS
Based on a mathematical function that is easy to compute in one direction but hard in the
other (the broken-glass example). The trapdoor is a secret piece of information that lets
the holder of the private key reverse the function cheaply.
Security rests on the difficulty of factoring a number that is the product of two large
primes (each hundreds of digits long). Can be used for encryption, key exchange, and
digital signatures.
El Gamal
Extends Diffie-Hellman to include signatures and encryption; slower than RSA and the
ciphertext is twice the size of the plaintext. Every signature needs a fresh random value;
a reused or predictable random exposes the private key.
Elliptic Curve Cryptography
The elliptic curve discrete logarithm is harder to compute than the general discrete
logarithm, so the same level of security is reached with a much smaller key, using points
on an elliptic curve. A 160-bit elliptic curve key is roughly equivalent to a 1024-bit RSA key.
Suited to smart cards and wireless devices (less memory and processing, very efficient);
used in devices with limited processing power.
Provides digital signatures, encryption and key management.
Knapsack – Merkle-Hellman
Early asymmetric algorithm (1978), broken by Shamir in 1982
Based on the subset-sum problem: given a set of items with fixed weights, determine which
items were added to obtain a given total weight
The private key uses super-increasing weights (each weight greater than the sum of all the
previous ones), for which the problem is easy; the public key is a modular disguise of it
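As an added example (not the notes' own), the Merkle-Hellman knapsack just described with toy-sized numbers: the greedy solver that makes a super-increasing knapsack easy, the modular disguise that produces the public knapsack, and a round trip. The private weights, modulus 881 and multiplier 588 are the usual textbook values and are assumptions for the demo; the scheme is broken and is shown for understanding only.

```python
import math

def solve_superincreasing(weights, total):
    """Greedy right-to-left: each weight exceeds the sum of all earlier ones, so an item
    is in the subset exactly when it still fits in what is left of the total."""
    bits = [0] * len(weights)
    for i in range(len(weights) - 1, -1, -1):
        if weights[i] <= total:
            bits[i] = 1
            total -= weights[i]
    if total != 0:
        raise ValueError("no solution")
    return bits

def keygen(private_weights, modulus, multiplier):
    assert all(w > sum(private_weights[:i]) for i, w in enumerate(private_weights))
    assert modulus > sum(private_weights) and math.gcd(multiplier, modulus) == 1
    public_weights = [(w * multiplier) % modulus for w in private_weights]   # the disguise
    return public_weights, (private_weights, modulus, pow(multiplier, -1, modulus))

def encrypt(public_weights, bits):
    """Ciphertext is the subset sum of the public (hard-looking) knapsack."""
    return sum(w for w, b in zip(public_weights, bits) if b)

def decrypt(private_key, ciphertext):
    private_weights, modulus, inv = private_key
    # Multiplying by the inverse turns the hard sum back into the easy super-increasing one.
    return solve_superincreasing(private_weights, (ciphertext * inv) % modulus)

def bytes_to_bits(data):
    return [int(b) for byte in data for b in format(byte, "08b")]

def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))

# Constructed toy key: 8 super-increasing weights, one plaintext bit per weight.
PRIVATE = [2, 7, 11, 21, 42, 89, 180, 354]
PUBLIC, PRIVATE_KEY = keygen(PRIVATE, 881, 588)

def roundtrip(message: bytes):
    bits = bytes_to_bits(message)
    cts = [encrypt(PUBLIC, bits[i:i + 8]) for i in range(0, len(bits), 8)]
    recovered = bits_to_bytes(sum((decrypt(PRIVATE_KEY, c) for c in cts), []))
    return recovered, cts

if __name__ == "__main__":
    print(PUBLIC, roundtrip(b"hi"))
```

The break does not need the private weights: Shamir showed the multiplier and modulus can be recovered from the public weights alone, so the "hard" knapsack is not hard after all.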
Comparable key strengths (bits)
Symmetric Key: 64 | 112 | 128
Asymmetric Key: 512 | 1792 | 2304
MD5
Developed by Ronald Rivest in 1991; produces a 128-bit message digest (RFC 1321)
(All MD algorithms, MD2, MD4 and MD5, create a 128-bit message digest value.) MD5 is broken
for collision resistance and must not be used for signatures or certificates.
Message Authentication Code (MAC)
Combines a hash function with a shared secret key; HMAC ("hashed MAC") is the standard way
to build a MAC from a hash function
A MAC can also be based on a block cipher, e.g. DES in CBC mode (CBC-MAC)
The symmetric key is required to compute the MAC, so both sides can produce it: a MAC proves
the message came from someone holding the key and was not altered, but it does not provide
non-repudiation
Purpose of Digital Signatures – to detect unauthorized modification and to authenticate the
identity of the signer, providing non-repudiation
One-way hash functions
Produce a fixed-size output (the message digest) that is much smaller than the original data
It should be computationally infeasible to find two messages with the same digest
Since the function is one way, the original file cannot be recovered from its hash; it is
comparable to a CRC check, but a CRC is not collision resistant
The message digest must be calculated over all of the original file's data
After the message digest is calculated it is encrypted (signed) with the sender's private key
The receiver decrypts the signature with the sender's public key; if it yields a valid
digest, the signature was made with the sender's private key
The receiver then computes the message digest of the received file; if the hashes match,
the file has not been modified
Digital Signature Standard (DSS)
Provides Integrity, Authentication, and Non-Repudiation
A message can be encrypted, providing Confidentiality
A message can be hashed, for Integrity
A message can be digitally signed, for Authentication, Integrity, and Non-Repudiation
A message can be encrypted and digitally signed, for all of these
SHA is used to compute the message digest, which is then signed with DSA; the verifier checks
the signature against its own digest (Authentication and Non-Repudiation)
The message digest is signed instead of the much longer message because it is faster
The private key is used for signing, the public key for signature verification
DSS allows the DSA (Digital Signature Algorithm, based on El Gamal), RSA, or ECDSA signature algorithms
SHA-1 – Secure Hash Algorithm (NIST; a revision of the original SHA)
Produces a 160-bit digest for any message shorter than 2^64 bits
It is computationally infeasible to find a message from its message digest
It is computationally infeasible to find two different messages with the same message digest
(SHA-1 no longer meets this: practical collisions were published in 2017, so SHA-1 is
deprecated for signatures)
Padding bits are added to the message to make its length a multiple of 512 bits
Message -> SHA Algorithm -> 160-bit Hash -> DSA Algorithm -> Digitally Signed Message
SHA-2 family: SHA-224, SHA-256, SHA-384, SHA-512 (the number is the digest length in bits).
SHA-3 (FIPS 202, 2015) is a separate Keccak-based design offering the same output lengths.
Birthday Attack
You are in a room; how many people are needed for a better than 50/50 chance that someone
shares your birthday? 253. How many for a better than 50/50 chance that any two people share
a birthday? 23. Finding a collision for an n-bit digest therefore takes about 2^(n/2)
attempts, not 2^n.
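An added example (not from the original notes) tying the hash, MAC and birthday material above together: the digest sizes of MD5, SHA-1 and SHA-256, an HMAC computed and verified with a constant-time compare, and the birthday numbers quoted above (253 and 23) computed exactly from the probabilities rather than quoted. The key and messages are constructed for the demo.

```python
import hashlib
import hmac
import math

def digest_bits(algorithm: str, data: bytes = b"") -> int:
    return hashlib.new(algorithm, data).digest_size * 8

def avalanche(algorithm: str, m1: bytes, m2: bytes) -> int:
    """Number of differing output bits for two inputs; about half of them for a good hash."""
    a, b = hashlib.new(algorithm, m1).digest(), hashlib.new(algorithm, m2).digest()
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def mac(key: bytes, message: bytes) -> bytes:
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    # Constant-time comparison, so response timing does not leak how many bytes matched.
    return hmac.compare_digest(mac(key, message), tag)

def p_someone_shares_your_birthday(people: int, days: int = 365) -> float:
    return 1 - (1 - 1 / days) ** people

def p_any_two_share_birthday(people: int, days: int = 365) -> float:
    p_all_distinct = 1.0
    for i in range(people):
        p_all_distinct *= (days - i) / days
    return 1 - p_all_distinct

def smallest_n(prob_fn, threshold: float = 0.5) -> int:
    """Smallest group size for which prob_fn exceeds the threshold."""
    n = 1
    while prob_fn(n) <= threshold:
        n += 1
    return n

def collision_work(bits: int):
    """Effort for an n-bit digest: a second preimage costs 2^n, a collision about 2^(n/2)."""
    return 2 ** bits, int(math.sqrt(2 ** bits))

if __name__ == "__main__":
    print(smallest_n(p_someone_shares_your_birthday), smallest_n(p_any_two_share_birthday))
    print(collision_work(160))
    key = b"shared secret"      # constructed; the receiver has the same key, hence no non-repudiation
    tag = mac(key, b"transfer 100")
    print(verify_mac(key, b"transfer 100", tag), verify_mac(key, b"transfer 900", tag))
```

The second birthday question is the one that matters for hashes: an attacker does not need a collision with a particular document, only any pair, so a 128-bit MD5 digest offers 2^64 collision work at best (and far less after the 2004 attacks), which is why digest lengths of 256 bits are the floor today.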
Key Management – need an automated way of distributing keys
Key control, key storage, key retirement/destruction, key change, key generation, protection
against key theft, frequency of key use
Limit the lifetime of a key, and do not keep multiple backups of keys, which weakens its
ability to prevent compromise
Split functions with different keys; keep the keys apart from each other
Key Recovery
A copy of the private key, encrypted with a key-recovery public key, is securely kept and
decrypted when needed
Alternatively the private key is broken down into pieces and split between different people
(split knowledge), so that no single person can recover it alone
Public Key Infrastructure (PKI) – integration of digital signatures and certificates with
the keys, policies and services needed to manage them
Digital certificates and signatures are based on the X.509 Version 3 standard
A certificate includes: version, serial number, signature algorithm, issuer, validity
period, subject, subject public key, and extensions such as key usage and CRL Distribution
Points
Certificate Authorities (CA)
Issue digital certificates: bind a subject's public key to its identity, keep the public keys
in a directory, and sign the certificates with the CA's private key; the CA's own certificate
is distributed so that relying parties can verify the signatures
Public CAs operate on the Internet
Private CAs are internal and based on internal directory services
Registration Authorities (RA) – take load off the CA by handling registration: verifying
identity, and accepting and authorizing requests for certificates and for revocation
PKI components also include:
Policies and procedures (certificate policy, certification practice statement)
Certificate revocation and CRLs (lists of the certificates, i.e. public keys, that are no longer valid)
Non-repudiation support and timestamping
Lightweight Directory Access Protocol (LDAP) directories for certificates and CRLs
Security-enabled applications
Cross certification between CAs
Public Key Certification Systems
Without certificates a source could post a public key under the name of another individual
Digital certificates counter this attack: a certificate binds an individual to a key
A Certificate Authority (CA) acts as a notary to bind the key to the person; CAs in
different domains trust each other through cross-certification
Receiving and confirming a certificate
1. Sender signs the message digest (MD) and sends the certificate containing the sender's public key
2. Receiver runs the certificate through the hash algorithm
3. Receiver decrypts the hash in the certificate with the CA's public key to confirm that a trusted CA signed it
4. Receiver compares the two results to confirm the certificate was not modified
5. The sender's public key is extracted from the certificate
6. Receiver runs the message through the hashing algorithm to calculate a new hash
7. Receiver decrypts the original hash (the digital signature) with the public key from the certificate
8. Receiver compares the MDs to confirm that integrity is not compromised
(In practice the receiver also checks the certificate's validity period and revocation status.)
PKI Authentication Steps
1. Sender asks the directory for the receiver's public key
2. Sender generates a session key and encrypts it with the receiver's public key
3. Receiver requests and validates the sender's public key from the directory
4. They have exchanged and verified their public keys
Encryption Layers
Link Encryption – payload, headers, and trailers are all encrypted. Usually provided as a
service by the carrier; each hop has to decrypt and re-encrypt, making each hop vulnerable.
End-To-End Encryption – headers, addresses, trailers and routing information are not
encrypted; only the payload is, so intermediate nodes never see the plaintext (compare IPsec
transport mode, which protects only the payload, whereas tunnel mode encrypts the whole
original packet inside a new header).
E-mail Security goals
Non-repudiation
Confidentiality of messages
Authentication of source
Verification of delivery
Labeling of sensitive material
Access control
Privacy Enhanced Mail (PEM)
IETF standard (RFCs 1421-1424), compliant with the Public Key Cryptography Standards (PKCS)
DES for symmetric encryption (DES-CBC for messages, DES-EDE for key encryption); MD2 and MD5
message digests; RSA public key for signatures and key distribution; X.509 certificates and
a formal CA hierarchy
Message Security Protocol (MSP)
Developed by the NSA to provide secure e-mail exchange; the military's counterpart to PEM,
based on a different (X.400-based) messaging framework
Pretty Good Privacy (PGP)
Free e-mail security by Phil Zimmermann (1991)
Symmetric cipher originally IDEA (later versions add CAST5, AES and others); RSA is used for
signatures and key distribution (DSA/ElGamal in later versions)
No CA: uses a "web of trust" in which users certify each other; keys are kept in a key-ring file
Secure Multipurpose Internet Mail Extensions (S/MIME)
Adds security services to messages in MIME format; provides authentication through digital
signatures; follows the Public Key Cryptography Standards (PKCS) and uses X.509 certificates
Application layer protocol, the standard used for attachments; provides integrity,
confidentiality, and authentication
Steps include:
Sender
Calculates a hash of the message
Encrypts the message with a session key
Encrypts the hash with the sender's private key (the signature)
Encrypts the session key with the receiver's public key
Receiver
Decrypts the session key with the receiver's private key
Decrypts the hash value with the sender's public key
Decrypts the message
Calculates the hash value and compares it to verify validity
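An added example (not from the original notes) that carries the S/MIME sender and receiver steps above through in code, built from textbook RSA so it also illustrates the RSA section and the sign-the-digest flow of the digital-signature section, and ends with the factoring attack that a small modulus invites. The key sizes, the primes, the SHA-256 counter-mode stand-in for the symmetric cipher and the truncated digest are all toy assumptions; real S/MIME uses 2048-bit RSA with OAEP/PSS padding and AES.

```python
import hashlib
import math
import secrets

def rsa_keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))      # public key, private key

def rsa_apply(key, m: int) -> int:
    n, exp = key
    if not 0 <= m < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(m, exp, n)

def keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in for the symmetric cipher: SHA-256 in counter mode (not a real cipher)."""
    out = b""
    for ctr in range(0, length, 32):
        out += hashlib.sha256(session_key + ctr.to_bytes(4, "big")).digest()
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def digest_int(message: bytes, n: int) -> int:
    # Toy: the SHA-256 digest is truncated to 56 bits so it fits below the ~60-bit modulus.
    return int.from_bytes(hashlib.sha256(message).digest()[:7], "big") % n

def smime_send(message, sender_priv, receiver_pub):
    session_key = secrets.token_bytes(7)                                      # 56-bit, < modulus
    ciphertext = xor_bytes(message, keystream(session_key, len(message)))    # encrypt message
    signature = rsa_apply(sender_priv, digest_int(message, sender_priv[0]))  # sign the hash
    wrapped_key = rsa_apply(receiver_pub, int.from_bytes(session_key, "big"))  # wrap the key
    return ciphertext, signature, wrapped_key

def smime_receive(envelope, receiver_priv, sender_pub):
    ciphertext, signature, wrapped_key = envelope
    session_key = rsa_apply(receiver_priv, wrapped_key).to_bytes(7, "big")   # unwrap the key
    message = xor_bytes(ciphertext, keystream(session_key, len(ciphertext)))  # decrypt
    valid = rsa_apply(sender_pub, signature) == digest_int(message, sender_pub[0])  # verify
    return valid, message

def pollard_rho(n: int) -> int:
    """Factoring attack: recovers a prime factor of a small modulus in milliseconds."""
    for c in range(1, 50):
        x = y = 2
        d = 1
        while d == 1:
            x = (x * x + c) % n
            y = (((y * y + c) % n) ** 2 + c) % n
            d = math.gcd(abs(x - y), n)
        if d != n:
            return d
    raise ValueError("no factor found")

def demo():
    alice_pub, alice_priv = rsa_keygen(1000000007, 998244353)   # small known primes, ~60-bit n
    bob_pub, bob_priv = rsa_keygen(1000000009, 999999937)
    msg = b"Wire transfer approved: account 42, amount 10000"   # constructed message
    env = smime_send(msg, alice_priv, bob_pub)
    ok, recovered = smime_receive(env, bob_priv, alice_pub)
    ct, sig, wk = env                                            # tamper with one ciphertext byte
    tampered_ok, _ = smime_receive((bytes([ct[0] ^ 1]) + ct[1:], sig, wk), bob_priv, alice_pub)
    p = pollard_rho(alice_pub[0])                                # the toy modulus falls at once
    forged_priv = rsa_keygen(p, alice_pub[0] // p)[1]            # ... giving Alice's private key
    return ok, recovered == msg, tampered_ok, forged_priv == alice_priv

if __name__ == "__main__":
    print(demo())
```

The order of operations matters as much as the primitives: the signature covers the plaintext, the session key is wrapped to the receiver only, and a changed ciphertext byte shows up as a failed signature rather than as a silently different message.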
Secure Hypertext Transfer Protocol (S-HTTP)
Protects each message individually, not the communication channel; never widely deployed
Hypertext Transfer Protocol over SSL/TLS (HTTPS) – protects the entire communication channel
Secure Sockets Layer (SSL)
Originally developed by Netscape; uses PKI
The server authenticates to the client with a certificate, which the client checks to see
whether the signing CA is on its trusted list; optionally the client authenticates to the
server with its own certificate
The client verifies the certificate signature by hashing the certificate and comparing the
result with the digest recovered using the CA's public key
The client creates a symmetric session key, encrypts it with the server's public key and
returns it; the server decrypts it with its private key
Works at the transport layer (between the application and TCP)
SSL and Transport Layer Security (TLS) handshake
1. Client initiates (ClientHello, listing the cipher suites it supports)
2. Server responds with its certificate
3. Client verifies the certificate, and may send its own certificate
4. Client sends the server a random pre-master secret encrypted with the server's public key
5. Client and server derive the master secret and the session keys from it and use them to
encrypt/decrypt and authenticate the data over the secure channel
TLS is the IETF successor to SSL; SSL 2.0 and 3.0 are deprecated, and TLS 1.3 replaces the
RSA key transport of step 4 with an ephemeral Diffie-Hellman exchange so that session keys
have forward secrecy.
Domain Name System Security Extensions (DNSSEC)
DNS servers publish signing keys (DNSKEY records) and sign their zone data; resolvers
validate the signatures along a chain of trust from the root
Provides origin authentication and integrity for distributed name services (not confidentiality)
Secure Shell (SSH)
Tunnels terminal access and other functions between two computers; replaces Telnet, rlogin
and rsh. Provides client-to-server authentication and is comprised of:
Transport Layer Protocol (server authentication, confidentiality, integrity)
User Authentication Protocol
Connection Protocol (multiplexes channels over the tunnel)
SET – Secure Electronic Transaction
Developed by Visa and MasterCard in 1997 as a payment-specific alternative to SSL; it
encrypts the payment information and the cardholder's data but was never widely adopted
DES symmetric encryption; RSA public key for signatures and key distribution
Components: cardholder, merchant, issuer, acquirer (financial institution), payment gateway
(can be the acquirer), certificate authority
IPSec
Provides encryption, integrity, authentication and access control over IP. It does not
provide non-repudiation: the integrity checks are keyed MACs whose key both ends share.
Two main protocols:
Authentication Header (AH) – integrity, data-origin authentication and anti-replay. Computes
an Integrity Check Value (ICV) over the entire IP packet except the header fields that
change in transit (TTL, checksum). HMAC-MD5 and HMAC-SHA-1 with symmetric keys.
Encapsulating Security Payload (ESP) – adds encryption and therefore confidentiality, with
optional integrity/authentication of the payload (but not of the outer IP header)
Encryption algorithms include DES, 3DES, RC5, IDEA, CAST, Blowfish (and today AES)
A Security Association (SA) is required between the two parties; it is a one-way connection
identified by a Security Parameter Index (SPI), a 32-bit identifier
Bi-directional communication requires two Security Associations
In a VPN implementation IPSec can operate in transport or tunnel mode
Tunnel mode – data and original IP header are encrypted, and a new header is added carrying
the address of the VPN gateway
Transport mode – data encrypted, original header not encrypted
MD5 and SHA (as HMACs) are used for integrity
Security Associations (SA) define the parameters for one active connection
The Security Parameter Index (SPI) points to the correct SA: it is carried in the AH/ESP
header so that both sides know which parameters to use for the communication
IKE – Internet Key Exchange is the default key-management protocol for IPSec
IKE (version 1) combines three protocols:
Oakley – modes of operation needed to establish a secure connection; negotiates key
information using the Diffie-Hellman algorithm
Internet Security Association and Key Management Protocol (ISAKMP) – the phases for
establishing the relationship and negotiating which algorithms to use
Secure Key Exchange Mechanism (SKEME) – secure key exchange mechanism with public-key based
authentication
IKEv2 (RFC 7296) is a simpler redesign that replaces all of these in current deployments.
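As an added example (not from the original notes), the anti-replay check that an IPsec SA keeps for AH/ESP sequence numbers, following the sliding-window logic of RFC 4303 section 3.4.3; it is also the "sequence numbers" counter to replay attacks listed in the cryptographic attacks below. The class name, window size and the sample sequence of packets are assumptions for the demo.

```python
class ReplayWindow:
    """Tracks the highest sequence number accepted and a bitmap of the last `size` numbers.
    In real IPsec this check runs after the ICV is verified, and a packet that fails it is
    dropped without changing any state, so an attacker cannot move the window."""

    def __init__(self, size: int = 64):
        self.size = size
        self.highest = 0          # highest sequence number accepted so far
        self.bitmap = 0           # bit i set => sequence number (highest - i) has been seen

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                                   # 0 is never a valid sequence number
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; history that falls off the left edge is forgotten.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False                                   # too old: outside the window
        if (self.bitmap >> offset) & 1:
            return False                                   # already seen: a replay
        self.bitmap |= 1 << offset                         # late but new: accept it once
        return True

def run(sequence, size: int = 64):
    """Apply a list of incoming sequence numbers; return the accept/reject decisions."""
    window = ReplayWindow(size=size)
    return [window.check_and_update(s) for s in sequence]

# Constructed traffic: in-order packets, a replayed packet (2), a reordered packet (4),
# a jump ahead (200), a stale replay (5), one just outside (136) and one just inside (137)
# the 64-wide window.
TRAFFIC = [1, 2, 3, 2, 5, 4, 200, 5, 136, 137]

if __name__ == "__main__":
    print(list(zip(TRAFFIC, run(TRAFFIC))))
```

Because the window only ever moves forward and the bitmap records what has already been accepted, a captured packet can be replayed at most once in the brief interval before the original arrives, and not at all once the window has moved past it; the sequence counter itself must never wrap on an SA, which is why IPsec rekeys before 2^32 packets (or uses 64-bit extended sequence numbers).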
Cryptographic Attacks
Brute Force Attack – try every possible key
Known Plaintext – the attacker has copies of the plaintext and the associated ciphertext of several messages
Chosen Plaintext – the attacker can choose the plaintext that gets encrypted and obtains the resulting ciphertext
Adaptive Chosen Plaintext – the selection of plaintext is altered based on previous results
Ciphertext Only – only ciphertext is known; the attacker has the ciphertext of several
messages, each encrypted with the same algorithm (the hardest case for the attacker)
Chosen Ciphertext – the attacker can choose the ciphertext to be decrypted and has access to the resulting plaintext
Adaptive Chosen Ciphertext – chosen ciphertexts are selected for trial decryption where the selection is based on previous results
Replay Attack – the attacker captures a set of credentials or messages and sends them again
to the authentication service (countered by timestamps and sequence numbers)
Birthday Attack – exploits the probability of two different messages having the same message
digest; finding such a pair costs about 2^(n/2) work for an n-bit digest
Meet in the Middle – attacks double encryption from each end, matching the intermediate values in the middle
Man in the Middle – intercepting messages and forwarding modified versions, typically after
substituting keys in an unauthenticated key exchange
Differential Cryptanalysis – against symmetric (private key) ciphers: pairs of plaintexts
with chosen differences are encrypted and the differences in the ciphertexts are examined
Linear Cryptanalysis – using plaintext and ciphertext pairs to build a linear approximation of a portion of the key
Differential-Linear Cryptanalysis – combines both approaches
Factoring – using mathematics to determine the prime factors of large numbers (attacks RSA)
Statistical – exploiting a lack of randomness in key generation
Facts often tested: AES supports 128-, 192- and 256-bit keys; WEP uses RC4; XOR is the basic
stream-cipher operation
X-series standards:
X.509 – Digital certificates
X.500 – Directory services (accessed with DAP, or LDAP)
X.400 – Electronic messaging
X.25 – Packet-switched WAN protocol (predecessor of Frame Relay)
Domain 6 (8) – Business Continuity and Disaster Recovery Planning
Making the plans for recovery and putting them into action to recover with as little impact
on the business as possible. Business Continuity ensures the business can continue in an
emergency; Disaster Recovery addresses the procedures to be followed to recover as quickly
as possible during and after the loss.
Business Continuity Planning Process includes:
Scope and Plan Initiation
Business Impact Analysis (BIA)
Business Continuity Plan development
Disaster Recovery Planning Process includes:
DRP planning process
Testing the DRP
Disaster Recovery Procedures
Roles and Responsibilities
BCP is enterprise-wide and requires involvement from personnel across the enterprise
Senior Management's Role
Has ultimate responsibility for all phases of the plan; senior management support is critical
Sets the business continuity policy and functions
Allocates critical resources and personnel
Prioritizes business functions
Approves the plan and the BCP
Reviews test results
Ensures maintenance of the current plan
Drives all phases of the plan
Manages the budget
BCP Committee – responsible for creating, implementing and testing the plan
Executes the BIA
Coordinates with department representatives
Made up of Senior Management, Business Units, Information Systems, Security Administrator
Liability
Executives can be held liable for ensuring that the BCP and DRP are developed and put into
place, and are subject to civil lawsuit. 65% of companies would go out of business if closed
for one week.
Securities and Exchange Act of 1934 – all public companies are required to keep records and
safeguard systems; $10,000 fine and 5 years in prison for failure.
Seven Step Process (NIST SP 800-34) – major elements of BCP include
Scope and Plan Initiation
BIA – quantitative and qualitative impact information
BCP Development
Contingency Plan Structure – 3 phases following a disruption
Notification and Activation of recovery personnel
Recovery – operations of personnel to restore IT operations
Reconstitution – outline of actions to get back to normal
Quantitative Loss Criteria
Incurring financial loss from loss of revenue or capital expenditure
Unemployment compensation
Additional operational expenses incurred due to the disruptive event
Training of new employees
Incurring financial loss from resolution of violated contracts
Failing to meet contractual obligations, delivery of product, etc.
Incurring financial loss from regulatory compliance
Qualitative Loss Criteria
Loss of competitive edge
Patented process destroyed
Loss of public confidence
Increased advertising to re-build the customer base
Incurring public embarrassment
Business Impact Analysis – Four Steps
Gathering assessment material
Perform the assessment
Analyze the compiled information
Document the results
Disaster Recovery Planning
Comprehensive statement of actions to be taken before, during, and after a disruptive event
causes loss of information systems.
Primary objective is to provide an alternate site and return to the primary site in a
minimal time frame
Goals and Objectives of DRP (DRP assumes the BIA has been done, and focuses on the steps
needed to protect the business.)
Provide an organized way to make decisions if a disruptive event occurs
Reduce confusion and enhance the ability to deal with a crisis
Planning and development must occur before the disaster
Objectives:
Protect the company from major computer services failure
Minimize the risk from delays in providing services
Guarantee reliability of standby systems through testing
Minimize decision making required by personnel during a disaster
Should Include:
People, Facilities, Utilities, Hardware, Vendor assistance, Software, Supplies, Recovery and
Emergency Procedures, Critical Documentation/Backups
Roles for each accomplishment should be assigned.
Alternate Facilities and Restoration
Subscription Service
Third-party commercial services provide alternate backup and processing facilities; the
most common of the implementations. Three basic forms:
Hot Site
Fully configured facility with electrical power, Heating Ventilation and Air Conditioning
(HVAC), file and print servers and workstations. Applications are installed on the servers
and workstations are kept up to date.
Allows walk-in with a data restoration; full operations can begin in a short time
Remote journaling (mirroring transaction processing over high-speed connections) may
eliminate the restoration time altogether
Advantages:
24/7 availability
Exclusivity of use
Immediately available
Supports short and long term outages
Disadvantages:
Most expensive
Requires constant maintenance of hardware, software, data and applications; adds
administrative overhead and can be a strain on resources
Service provider may oversell processing capabilities
Security of the hot site: the primary site's security must be duplicated there
Warm Site
Cross between hot and cold sites
Facility with electrical power and HVAC, with file and print servers; may not have
workstations, and software may not be installed. External communications should be installed.
Advantages:
Cost – much less than hot
Location – since less control is required, sites can be more flexible
Resources – resource drain is much lower than for a hot site
Disadvantages:
Difference in time required to be up and running
Cold Site
Least ready of all three, but most common
Facility with electrical power and HVAC, ready for equipment but with no computer hardware
on site. Communications links may or may not be ready.
Not considered adequate because of the length of time for recovery
Advantages:
Cost
Disadvantages:
False sense of security
Multiple Centers
Processing spread over multiple centers, creating distributed redundancy. Can be in-house or
through a reciprocal agreement.
Cost is contained, but it has the same issues as Mutual Aid Agreements (reciprocal agreements)
Service Bureaus
Contract with a service bureau to provide all alternate backup processing.
Advantage – quick response
Disadvantage – cost, resource contention during a disaster
In-house or external supply of hardware replacements
Vendors resupply hardware, or critical components are stockpiled internally. A subscription
service with a vendor for overnight shipping may be OK for a warm site but not for a hot site.
Transaction Redundancy Implementations – fault tolerance and redundancy in transaction processing
Electronic Vaulting – transfer of backup data to an off-site location; a batch process
through communication lines
Remote Journaling – parallel processing of transactions at a remote site; live data is
posted as it occurs
Database Shadowing – live processing as in remote journaling, but creates more redundancy by
duplicating the database sets
The Five Disaster Recovery Plan Types (Types of Drills)
Checklist -Preliminary step to real test, distribute plan for review by business unit
managers
Structured
walk
throhttp://www.51wendang.com/doc/a88d861180e68ca5a0d13873ugh
-Business Unit Managers walk through the test plan. Each step is walked through and
marked as
performed.
23
Simulation -All personnel with DR responsibilities will meet and go through a practice
session, and enact recovery procedures but no alternate processing
Parallel -Full test of recovery plan using all personnel. Primary processing does
not stop. Ensures processing will run at
alternate site. Most common type of recovery plan testing.
Full-Interruption - Disaster is replicated to the point of ceasing normal operations. Plan is implemented as if it were a disaster. Can cause its own disaster, but it is the best way to test completely
Domain 7 - Telecommunications and Network Security
OSI – Open Systems Interconnect Model
Layer 7 – Application
Responsible for all application-to-application communications. User information maintained at this layer is user data.
Security: Confidentiality, authentication, data integrity, non-repudiation
Technology: Gateways, Browser, File Transfers, Email
Protocols: FTP, SMB, TELNET, TFTP, SMTP, HTTP, NNTP, CDP, GOPHER, SNMP, NDS, AFP, SAP, NCP, SET
Layer 6 – Presentation
Responsible for the formatting of the data so that it is suitable for presentation. Responsible for character conversion (ASCII/EBCDIC), Encryption/Decryption, Compression, and Virtual Terminal Emulation. User information maintained at this layer is called messages.
Security: Confidentiality, Authentication, Encryption
Technology: Gateway, File Encryption and compression, Formatting and Encoding
Protocols: ASCII, EBCDIC, POSTSCRIPT, JPEG, MPEG, GIF
Layer 5 – Session
Responsible for the setup of the links, maintaining the link, and the link tear-down between applications.
Security: None
Technology: Gateways, Duplexing, recovery services
Protocols: Remote Procedure Calls (RPC) and SQL, RADIUS, DNS, ASP, NFS
Layer 4 – Transport
Responsible for the guaranteed delivery of user information. It is also responsible for error detection, correction, and flow control. User information at this layer is called datagrams.
Security: Confidentiality, authentication, integrity
Technology: Gateways, Packet Sequencing, Ports used to communicate with higher levels, Protocols that “carry” the data to the destination, Segmenting and reassembling data
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBios, ATP
Layer 3 – Network
Responsible for the routing of user data from one node to another through the network including the path selection. Logical addresses are used at this layer. User information maintained at this layer is called packets.
Security: Confidentiality, authentication, data integrity
Technology: Virtual circuits (ATM), Routers and Routing process, Fragmentation of dissimilar frame types
Protocols: IP, IPX, ICMP, OSPF, IGRP, EIGRP, RIP, BOOTP, DHCP, ISIS, ZIP, DDP, X.25
Layer 2 – Data Link
Responsible for the physical addressing of the network via MAC addresses. There are two sublevels to the Data-Link layer: MAC and LLC. The Data-Link layer has error detection, frame ordering, and flow control. User information maintained at this layer is called frames.
Security: Confidentiality
Technology: Bridges, Switches
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP, IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex A, Annex D, HDLC, BPDU, LAPD, ISL, MAC, Ethernet, Token Ring, FDDI
Layer 1 – Physical
Responsible for the physical transmission of the binary digits through the physical medium. This layer includes things such as the physical cables, interfaces, and data rate specifications. User information maintained at this layer is called bits (the 1s and 0s).
Security: Confidentiality
Technology: ISDN, Hubs, Repeaters, Cables
Protocols: 10BaseT, 100BaseT, 1000BaseT, 10Base2, 10Base5, OC-3, OC-12, DS1, DS3, E1, E3, ATM, BRI, PRI, X.23
Data encapsulation is the process in which information from one packet is wrapped
around or attached to the data of another packet. In the OSI model, each layer
encapsulates the layer immediately above it.
OSI Security - 6 Security Services - A security service is a collection of security mechanisms, files, and procedures that help protect the network.
Authentication
Access control
Data confidentiality
Data integrity
Non-repudiation
Logging and monitoring
OSI Security - 8 Security Mechanisms - A security mechanism is a control that is implemented in order to provide the 6 basic security services.
Encryption/Encipherment - CIA
Digital signature – Integrity, Authentication, and non-repudiation
Access Control – Security Labels, ACLs, capability tables
Data Integrity – Hashing and Integrity Check Values (ICV)
Authentication – Passwords and cryptographic methods
Traffic Padding – Adding bogus data to traffic to hide traffic patterns
Routing Control – Choosing a route so that only secure links are used
Notarization – Non-Repudiation, date, and time of activity; in the digital world, the 3rd party signs the message’s hash with its Private key
Attacks and Functions by Layer
Layer 3 - IP
Teardrop – IP packets are fragmented, creating a negative fragment length when reconstructed. This could crash the IP stack.
Overlapping Fragment – Designed to pass by Packet Filters that only inspect the first
fragment of a packet, thereby letting the traffic through the filter.
IP Address Spoofing – takes advantage of the 3-way handshake allowing a spoofed
address to request an IP connection to a bogus host, which will cause it to wait for
the ACK to complete the connection, and leaves open the request, allowing for DOS
attacks.
Source Routing – Allows the source to determine the route, thereby passing from 1
connection to the other in a multi-homed (bastion) computer.
Smurf attack – Uses ICMP to send an echo request to a source address on the network,
using a broadcast, allowing for overrun of the buffer when all hosts reply to a single
source.
Fraggle attack – uses UDP to overwhelm the source address, like the Smurf.
Ping of Death – uses a packet size beyond the 65,536 limit to disrupt IP.
ICMP Redirect – allows an attacker to redirect the route, and send all traffic to
his machine before sending outbound, thereby hiding his “man-in-the-middle”
attack.
Ping Scanning – Find nodes that respond by beaming out pings
Traceroute Exploit – Can be used to map a network
Virtual Router Redundancy Protocol (VRRP) – creates a second router as the forwarder
in case of an outage.
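An added check (not from the original notes) that applies the Layer 3 conditions above to a set of fragment records: it flags teardrop-style overlaps, datagrams that would exceed 65,535 bytes, and a first fragment too small to carry the transport header that a first-fragment-only filter inspects. The fragment records and the MIN_FIRST threshold are constructed for the example.

```python
"""Fragment-set sanity check (added example, constructed records)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    frag_id: int   # IP Identification field, shared by all pieces of one datagram
    offset: int    # byte offset of this piece within the reassembled datagram
    length: int    # payload bytes carried by this piece
    more: bool     # More Fragments (MF) flag


MAX_DATAGRAM = 65535   # the IPv4 total-length field is 16 bits
MIN_FIRST = 20         # assumed policy: first fragment must hold a full TCP header


def check_datagram(frags):
    """Return a list of findings for the fragments of ONE datagram.

    A fragment whose offset lies inside data already covered by an earlier
    fragment is an overlap (the teardrop pattern, which produced a negative
    length in old reassembly code). A fragment ending past 65535 bytes is the
    ping-of-death pattern. A first fragment shorter than MIN_FIRST cannot hold
    the transport header that a first-fragment-only filter would inspect.
    """
    findings = []
    covered_to = 0                       # end of the data seen so far
    for f in sorted(frags, key=lambda f: (f.offset, f.length)):
        if f.offset < covered_to:
            findings.append(
                f"overlap: fragment at {f.offset} starts before {covered_to}")
        end = f.offset + f.length
        if end > MAX_DATAGRAM:
            findings.append(f"oversize: datagram would end at {end} bytes")
        if f.offset == 0 and f.more and f.length < MIN_FIRST:
            findings.append(
                f"tiny first fragment: {f.length} bytes < {MIN_FIRST}")
        covered_to = max(covered_to, end)
    return findings


def audit(fragments):
    """Group raw fragment records by datagram and report only the bad ones."""
    by_id = defaultdict(list)
    for f in fragments:
        by_id[f.frag_id].append(f)
    report = {}
    for fid, fs in by_id.items():
        findings = check_datagram(fs)
        if findings:
            report[fid] = findings
    return report


# Constructed sample: one normal datagram and three hostile patterns.
SAMPLE = [
    Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True), Fragment(1, 2960, 500, False),
    Fragment(2, 0, 36, True), Fragment(2, 24, 4, False),   # teardrop-style overlap
    Fragment(3, 65120, 500, False),                        # would end past 65535
    Fragment(4, 0, 8, True), Fragment(4, 8, 100, False),   # tiny first fragment
]

if __name__ == "__main__":
    for fid, findings in audit(SAMPLE).items():
        print(fid, findings)
```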
Layer 4 – Transport
Port Scanning – Find TCP or UDP service advertisements
FIN Scanning – Sends FIN hoping to find a response and list of services, usually only works on UNIX.
NULL Scanning – no flags are set on the TCP packet.
XMAS Scanning – all flags are lit.
SYN Scanning – just a portion of the handshake is started to find out the response
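An added detection example (not from the original notes) that classifies the flag patterns of the scan types listed above and reports sources sweeping many ports on one host; the flow records are constructed.

```python
"""Scan-pattern detection over per-packet flow records (added example)."""
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | PSH | URG


def classify(flags):
    """Name the probe type a packet's flag byte corresponds to."""
    if flags == 0:
        return "null"          # no flags at all: a normal stack never sends this
    if flags == XMAS:
        return "xmas"          # FIN+PSH+URG 'lit up' together
    if flags == FIN:
        return "fin"           # bare FIN with no prior connection
    if flags == SYN:
        return "syn"           # first step of the handshake only
    return "normal"


def detect_scans(records, port_threshold=10):
    """records: (src, dst, dport, flags) tuples, one per packet seen.

    A source is reported when it touches more than port_threshold distinct
    ports on one destination with probe-type packets, or when it sends even a
    single null/xmas probe (there is no legitimate reason for those).
    Returns {src: {"ports": n, "probes": {type: count}}}.
    """
    ports = defaultdict(set)
    probes = defaultdict(lambda: defaultdict(int))
    for src, dst, dport, flags in records:
        kind = classify(flags)
        if kind == "normal":
            continue
        ports[(src, dst)].add(dport)
        probes[src][kind] += 1
    report = {}
    for (src, dst), seen in ports.items():
        kinds = probes[src]
        suspicious = (len(seen) > port_threshold
                      or kinds.get("null", 0) or kinds.get("xmas", 0))
        if suspicious:
            report[src] = {"ports": len(seen), "probes": dict(kinds)}
    return report


# Constructed sample traffic against one server, 192.0.2.10.
SAMPLE = (
    # a scanner sweeping 15 ports with SYN-only probes
    [("198.51.100.7", "192.0.2.10", p, SYN) for p in range(20, 35)]
    # a second host sending three NULL probes
    + [("198.51.100.9", "192.0.2.10", p, 0) for p in (22, 80, 443)]
    # a normal client: one SYN to 443, then the rest of a real connection
    + [("203.0.113.5", "192.0.2.10", 443, SYN),
       ("203.0.113.5", "192.0.2.10", 443, ACK),
       ("203.0.113.5", "192.0.2.10", 443, PSH | ACK)]
)

if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE).items():
        print(src, info)
```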
TCP Sequence Number Attacks – Sequence numbers can be predicted and inserted into the data stream, helping to hijack the session.
Session Hijacking – Use of sequence numbers to insert data into the stream, and
possibly change it as in a man-in-the-middle attack.
SYN Flooding – DoS used to overload the target’s connections with too many random IP addresses.
Layer 5 – Session
Remote Procedure Calls – executing objects across hosts, the core service of which
is a port mapper
Common Object Request Broker Architecture (CORBA) and Distributed Component Object
Model (DCOM)
DNS is used at this level, and has weak authentication mechanisms
LDAP – based on X.500, back ends to LDAP are Network Information Service (NIS), and Exchange Mail Services. NIS is a Network directory service created by Sun, usually used in Unix environments. NIS+ is a more secure implementation. AD uses LDAP as well, but can protect authentication with Kerberos.
CIFS/SMB – Common Internet File System/Server Message Block is a file-sharing protocol in Windows. This is also the basis for Samba, and is used as a file sharing system with Challenge/Response Authentication.
NFS – Network File System is a Client/Server file sharing system, and is used by Unix and Windows and has been revised. Its traffic is not encrypted by default.
Secure NFS – uses DES encrypted Time Stamps as authentication tokens.
Layer 6 – Presentation
SET – Secure Electronic Transaction
Originated by Visa and MasterCard
Being overtaken by SSL
SHTTP - Secure HTTP
Early standard for encrypting HTTP documents
Also being overtaken by SSL
Layer 7 - Application
TCP/IP – Suite of Protocols
OSI layers | TCP/IP layer | Protocols | Description
Application, Presentation, Session | Application Layer | – | Consists of the applications and processes that use the network.
Transport | Host to Host | TCP and UDP | Provides end-to-end data delivery service to the Application Layer.
Network | Internet Layer | IP, ARP, RARP, ICMP | Defines the IP datagram and handles the routing of data across networks.
Data link, Physical | Network Access | – | Consists of routines for accessing physical networks and the electrical connection.
New Ports are registered with the Internet Corporation for Assigned Names and Numbers (ICANN)
Host-to-Host Transport Layer Protocols
TCP – Transmission Control Protocol
Connection Oriented Sequenced Packets
Acknowledgment is sent back for received packets If no acknowledgement then packet
is resent Packets are re-sequenced
Manageable data flow is maintained
UDP - Best effort
Connectionless
Doesn’t care about order or sequence
Less overhead and faster than TCP
Internet Layer Protocols
IP – Internet Protocol
All hosts on a network have an IP address
Each data packet is assigned the IP address of the sender and receiver
It provides an ‘unreliable datagram service’. Provides:
No guarantees that the packet will be delivered
No guarantee that the packet will be delivered only once
No guarantee that it will be delivered in the order which it was sent
ARP – Address Resolution Protocol
Use the IP Address to get the MAC Address
MAC address is 48 bit, IP address is 32 bit
Only broadcasts to the network the first time, otherwise stores IP and MAC info in a table
MAC Addresses are written in hexadecimal, so can only contain digits and letters up to the value of “F”
RARP – Reverse Address Resolution Protocol
Use the MAC Address to get the IP Address and broadcasts to find it
RARP Server tells diskless machines their IP Address
BOOTP was created after RARP and contains more info such as IP, Gateway, and DNS IP
ICMP – Internet Control Message Protocol
Management Protocol and messaging service provider for IP.
Sends messages between network devices regarding the health of the network.
Ping is an ICMP packet
Ping checks if a host is up and operational
TCP/IP Does not define Physical Standards it uses existing ones
Other TCP/IP Protocols
Telnet – Terminal Emulation (No File Transfer)
FTP – File Transfer Protocol – (Cannot execute files)
TFTP – Trivial FTP – no directory browsing capabilities, no authentication (it is
unsecure), can only send and receive files.
Some sites choose not to implement TFTP due to the inherent security risks. TFTP is
an UDP-based file transfer program that provides no security.
NFS – Network File Sharing
SMTP – Delivers emails
LPD – Line Printer Daemon – LPR enables print spooling
X-Windows – for writing graphical interface applications
SNMP – Simple Network Management Protocol
Provides for the collection of network information by polling the devices on the
network from a management station.
Sends SNMP traps (notifications) to a MIB Management Information Base
Bootstrap (BootP) protocol – Diskless boot up. BootP server hears the request and
looks up the client’s MAC address in its BootP file. It’s an Internet layer protocol.
LAN Cabling Types:
Twisted Pair Cable
Relatively slow speed
Two insulated wires can be shielded (STP) or unshielded (UTP)
UTP is a four-pair medium and comes in several categories
UTP can be more easily tapped by eavesdroppers than the other cable types.
Category is based on how tightly wound the wires are; the tighter the wind, the higher the rating and resistance to interference.
Cat 1 UTP – was used for telephone lines, not good for data.
Cat 2 UTP – up to 4 MBps
Cat 3 UTP – Used for 10BaseT networks up to 10 MBps
Cat 4 UTP – Used in Token Ring Networks up to 16 MBps
Cat 5 UTP - Current UTP standard for new installations up to 100 MBps
Cat 6 UTP – up to 155 MBps
Cat 7 UTP – up to 1 GBps
Coaxial Cable
Hollow outer conductor surrounds inner wire conductor. Currently two types in LANs:
50-ohm Cable for digital signaling
75-ohm Cable for analog signaling and high speed digital signaling
Coax is more expensive but is more resistant to Electromagnetic Interference (EMI).
Used rarely except in Broadband communications
Comes in two types:
Thinnet – (RG58)
Thicknet – (RG8 or RG11)
Two common types of coaxial transmission methods:
Baseband – The cable carries a single channel
Broadband – cable carries several channels such as data, voice, audio, and video
Fiber Optic Cable
Conducts modulated light transmission
Light waves are faster and travel greater distances
Difficult to tap
Resistant to EMI
Usually connects backbones in larger networks
Can be used to connect workstations to the network.
Expensive to install and to terminate.
LAN Transmission Protocols:
Rules for communication between computers on a LAN
Formatting of the data frame, the timing and sequencing of packet delivery, and resolution of error states.
Carrier Sense Multiple Access (CSMA)
Foundation of Ethernet Protocol.
Workstation continuously monitors the line waiting until it thinks it is free.
If the workstation doesn’t receive an acknowledgement from the destination to which it sent the packet, it assumes a collision has occurred and it resends the packet.
Persistent Carrier Sense - Unless it receives an acknowledgement it will resend.
Nonpersistent Carrier Sense – waits a random amount of time and resends.
CSMA/CA - Carrier Sense Multiple Access Collision Avoidance – Workstations connected to two coax cables, one to send and one to receive data.
CSMA/CD -Carrier Sense Multiple Access Collision Detection – Ethernet. If the host
detects another signal while transmitting it will send a jam signal causing all nodes
to stop sending data. Nodes wait to resend. Designed to avoid collisions.
Polling – a primary workstation polls another at a predetermined time to determine if it has data to transmit. Primary must give permission to others to transmit. Usually IBM Mainframes for SDLC and HDLC
Token passing
Token Ring, FDDI and ARCnet
Cannot transmit without the token, and the token is a 24-bit control frame.
Each station can hold the token for a maximum predetermined amount of time
LAN Transmission Methods -refer to the way packets are sent on the network
Unicast – from single source to single destination
Multicast - source copied and sent to multiple destinations
Broadcast - source copied and sent to all nodes on the network
Five common LAN Topologies -defines the manner in which the network devices are
organized to facilitate communications.
Bus
All transmissions travel the full length of the cable and are received by all other stations.
Single point of failure in the cable.
If one of the links between any of the computers is broken, the network is down.
Primarily Ethernet.
These networks were originally designed to work with more sporadic traffic.
Ring
Unidirectional transmission links form a closed loop.
Token Ring and FDDI.
Similar to the Star topology, however there’s a device called a Multistation Access Unit (MAU).
MAU works the same as a hub, but with Token Ring networks instead of Ethernet networks.
These networks were originally designed to serve large, bandwidth-consuming applications.
Star
Nodes connected to a central LAN or a junction box called a hub or a concentrator at the center of the network.
Advantages: reliability
Ring and Bus often use Star as physical connection.
Tree – branches can have multiple nodes.
Mesh – all nodes connected to every other node.
LAN Media Access Methods (Physical and Data Link Layers) - control the use of a network.
ARCnet
Early LAN technologies
Uses token passing in a Star topology on coax cable.
Ethernet – 802.3
Ethernet – uses CSMA/CD – Designed for sporadic traffic
Ethernet defines a bus topology with three different cabling standards
Thinnet – 10Base2 – coax with segments up to 185 meters.
Thicknet – 10Base5 – coax with segments up to 500 meters.
UTP – Unshielded Twisted Pair – all devices connected to a hub or switch: 10BaseT 10 Mbps, 100BaseT 100 Mbps and 1000BaseT 1 GBps
Token Ring – 802.5
Second to Ethernet
All end stations connected to a Multistation Access Unit (MSAU)
One station is designated as the Active Monitor
If a transmitting station fails, the Active monitor will remove the token and generate
a new one.
Fiber Distributed Data Interface – FDDI
Dual token ring LAN at 100 MBps on Fiber
Dual counter rotating rings, only one active at a time
Operates over long distances with minimal interference
Predictable delays, deterministic
Permits several tokens to be present at a time
Expensive and requires expertise
Copper Distributed Data Interface (CDDI) – can be used with UTP cable but subject to interference and length issues associated with Copper.
LAN Devices
Repeaters – amplify signal, no added intelligence, no filtering – Physical Layer
(1)
Hubs – used to connect multiple LAN devices, no added intelligence – Physical Layer
(1)
Bridges – Amplify signal, add some intelligence. A bridge forwards the data to all
other network segments if the Media Access Control (MAC) or hardware address of the
destination computer is not on the local network segment. Automatically forwards all
broadcast traffic. Does not use IP address because IP is contained in the Network
Layer (3) – Data Link Layer (2)
Switches – Will only send data to the port where the destination MAC address is, not to all ports. Primarily operate at the Data Link Layer (2), although extremely fast layer 3 devices combining switching and routing are being used.
Routers – router opens packet and looks at either the MAC or IP address, only forwards to the network that it is destined for. Operates at Network Layer (3)
Gateways – primarily software, can be multi-protocol, can examine entire packet.
Asynchronous Transfer Mode (ATM) Switches – Used in WANs and CANs. Use cell relay
technology.
LAN Extenders – remote access multi layer switch connected to host router, filters based on MAC address or Network Layer protocol, not capable of firewalling.
Firewalls
Packet Filtering Firewall -First Generation
Screening Router
Operates at Network and Transport level
Examines Source and Destination IP Address
Can deny based on ACLs
Can specify Port
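An added example (not from the original notes) of the first-generation filter described above: a stateless, first-match access list keyed on protocol, addresses and port, with the implicit default deny. The ACL and packets are constructed; the last case shows why a stateless filter cannot recognise a return packet on its own.

```python
"""Stateless first-match packet filter (added example, constructed ACL)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _in_net(addr, cidr):
    return cidr == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def matches(rule, pkt):
    """A rule matches only when every field it specifies agrees with the packet."""
    return (rule.proto in ("any", pkt.proto)
            and _in_net(pkt.src, rule.src)
            and _in_net(pkt.dst, rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(acl, pkt):
    """First matching rule wins; with no match the implicit default is deny.

    Returns (action, index of the deciding rule, or -1 for the default).
    Nothing about earlier packets is remembered: this is what makes the
    filter stateless, and why it cannot tell a reply from an unsolicited probe.
    """
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", -1


# Constructed ACL for a screening router in front of 192.0.2.0/24:
# a public web server on .10; inside hosts may initiate anything; all else denied.
ACL = [
    Rule("deny",   "tcp", "any", "192.0.2.10/32", 23),   # no telnet to the web host
    Rule("permit", "tcp", "any", "192.0.2.10/32", 80),   # public web service
    Rule("permit", "any", "192.0.2.0/24", "any"),        # inside may go out
    # everything else falls through to the implicit deny
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.5", "192.0.2.10", 80),
                Packet("tcp", "203.0.113.5", "192.0.2.10", 23),
                Packet("tcp", "192.0.2.55", "203.0.113.5", 443),
                # the server's reply to the inside client: no rule covers it
                Packet("tcp", "203.0.113.5", "192.0.2.55", 51000)):
        print(pkt, "->", evaluate(ACL, pkt))
```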
Application Level Firewall -Second Generation
Proxy Server also called an Application Layer Gateway
Copies each packet from one network to the other
Masks the origin of the data
Operates at layer 7 (Application Layer)
Reduces Network performance since it has to analyze each packet and decide what to do with it.
Stateful Inspection Firewalls – Third Generation
Packets Analyzed at all OSI layers
Queued at the network level
Faster than Application level Gateway
Dynamic Packet Filtering Firewalls – Fourth Generation
Network Layer
Allows modification of security rules
Mostly used for UDP
Remembers all of the UDP packets that have crossed the network’s perimeter, and decides whether to enable packets to pass through the firewall.
Circuit-Level Firewall/Proxy
Network Layer functions
SOCKS Server
Circuit level proxy server, Network Layer
Doesn’t look as deeply into the packet as an application-level proxy
Makes decisions based on address, port, and protocol
Requires SOCKS client on all machines
Used to manage outbound Internet access
Overhead intensive
Kernel Firewall – Fifth Generation
Function integrated into the OS; Linux and FreeBSD are the most common types
Firewall Architectures and Placement
Packet Filtering Routers
Sits between trusted and untrusted networks
Uses ACLs
ACLs can be manually intensive to maintain
Lacks strong user authentication
ACLs can degrade performance
Minimal Auditing
Screened Host Firewall
Employs packet filtering and Bastion Host
Provides network layer (packet filtering) and application layer (proxy) services
Penetration requires getting by external routers (packet filtering) and Bastion Host (proxy).
Dual Homed Host Firewall
Contains two NICs
One connected to the local “trusted” network, the other to the untrusted network
Blocks or filters traffic between the two.
IP forwarding is disabled
Screened Subnet Firewall
One of the most secure
Two packet filtering routers and a Bastion Host
Provides network layer (packet filtering) and application layer (proxy) services
Provides DMZ
Complex configuration
[Diagram: placement of the screened host, dual-homed (multihomed) host and screened subnet firewalls between the untrusted and trusted networks]
Remote Access Types – Many common with WAN protocols
Asynchronous Dial up Access
How most people access Internet
Use existing public switched phone network to access ISP
ISDN - Integrated Services Digital Network
Carries voice and data over telephone networks
Two Interface Types
BRI – Basic Rate Interface composed of two B channels and one D Channel
PRI – Primary Rate Interface composed of a single 64 KBps D channel plus 23 (T1) or 30 (E1) channels
xDSL - Digital Subscriber Line - Uses existing twisted pair telephone lines.
Cable Modems
High speed access from the cable company
Users share the Coax connection
Throughput varies depending on number of users
Considered insecure because local segment is not filtered or firewalled (but then, why wouldn’t you have a Host based Firewall?)
Secure Remote Access Methods
Restricted Address
Filtering by source IP address
Node authentication not user authentication
Caller ID
Caller ID checks incoming number against approved list
Very commonly used, hard to defeat
Hard to administer for traveling users
Call Back
Caller supplies password or identifier and hangs up
System dials back number listed for the user
Hard to administer for traveling users
Remote Identification and Authentication
Verify who is remotely communicating.
Identification - Who
Authentication – Verify and Trust
Connectivity Protocols - Several protocols assume access from outside the LAN; this connectivity uses modems and dial-up devices.
SLIP - Serial Line Internet Protocol, replaced by PPP; it is for asynchronous serial connections. Unlike PPP it doesn’t have header and data compression, error correction, support for different authentication methods, encapsulation of protocols other than IP, or support for connection types other than asynchronous.
PPP - it encapsulates over a serial line for dial-up connectivity. Authenticated using PAP, CHAP, EAP.
Authentication Protocols
PAP - Password Authentication Protocol used by remote users, authenticates after PPP is established, credentials are sent in clear text, vulnerable to sniffing and man-in-the-middle attacks.
CHAP - Authentication protocol that sends a challenge response, credentials have encrypted values, periodically sends a challenge to protect against man-in-the-middle attacks, password is not sent over the wire.
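An added example (not from the original notes) contrasting the PAP and CHAP exchanges above. The CHAP response is computed as RFC 1994 specifies (MD5 over identifier, secret and challenge); the server class, user name and shared secret are constructed for the example.

```python
"""PAP versus CHAP on the wire (added example, constructed secret and server)."""
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"   # constructed shared secret, never transmitted


def pap_authenticate_request(user, password):
    """PAP: the Authenticate-Request carries the password itself in clear text."""
    return {"user": user, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets      # user -> shared secret (stored, not sent)
        self.outstanding = {}       # identifier -> challenge currently issued

    def challenge(self, identifier):
        chal = os.urandom(16)       # fresh random challenge each time
        self.outstanding[identifier] = chal
        return chal

    def verify(self, identifier, user, response):
        # A challenge is consumed on first use, so a captured response cannot
        # be replayed against a later challenge.
        chal = self.outstanding.pop(identifier, None)
        if chal is None or user not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[user], chal)
        return hmac.compare_digest(expected, response)


def run_chap(server, user, secret, identifier):
    """Full exchange: Challenge -> Response -> Success/Failure.

    Returns (authenticated, what an eavesdropper on the line saw)."""
    chal = server.challenge(identifier)
    resp = chap_response(identifier, secret, chal)
    seen_on_wire = {"id": identifier, "challenge": chal, "response": resp}
    return server.verify(identifier, user, resp), seen_on_wire


if __name__ == "__main__":
    srv = ChapServer({"alice": SECRET})
    ok, wire = run_chap(srv, "alice", SECRET, 1)
    print("CHAP authenticated:", ok)
    print("on the wire:", wire)            # no secret in here
    print("PAP on the wire:", pap_authenticate_request("alice", "hunter2"))
```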
EAP - Extensible Authentication Protocol: enables more possibilities to get different types of identification and authorization information from users.
Tunneling Protocols
VPN - provides remote access to an organization's network via the Internet. VPNs send data over the Internet through secure (encrypted) "tunnels." It is encrypted using PPTP, IPsec and L2TP. Each frame is wrapped and encapsulated within a second frame.
L2TP: (layer 2) Layer Two Tunneling Protocol -A secure protocol used for connecting
Virtual Private Networks over public lines (Internet).
PPTP -(layer 2) point-to-point tunneling protocol.
IPsec -(layer 3) Internet Protocol Security. IPSec uses encryption technology to
provide data confidentiality, integrity, and authenticity between participating
peers in a private network. IPSec provides two choices of security services:
Authentication Header (AH), which essentially allows authentication of the sender of data
Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data.
S/WAN -Secure Wide Area Network, a project involving RSA Data Security. The goal is
to ensure interoperability between all their IPSEC implementations to let all the
customers communicate with each other securely. Firewall to firewall, uses IKE.
Remote Access Methods and Technology
Remote access covers several technologies to give access to a LAN. Most of the time
an ISP is the gateway to the network. Remote access, in many organizations, offers
work from home opportunities. Remote access is usually done through a Network Access
Server (NAS/client side). The NAS (authenticate and authorize) will then use PPTP
or L2TP to establish the link.
Remote Network Access
The RAS (Remote Access Server/server side) can be configured to call back or accept calls from caller-ID numbers. Here are the intricacies of configuring a RAS modem/server: installed in a central point protected by a firewall separating it from the internal network; access rights and users revised yearly; remote access policy enforced; use VPN (it’s encrypted); avoid war-dialers by using over three or four rings before answering the phone.
NAT Options
Static NAT – Each internal system has a corresponding external routable IP address
Hiding NAT – All systems share the same external routable IP
Fiber Distributed Data Interface (FDDI)
Dual rings fault tolerance (if first ring fails, the secondary ring begins working)
Sometimes uses second ring for improved performance
CDDI – Copper implementation
Synchronous Optical Network (SONET) -High-speed fiber-optic network constructed in
rings so data can be re-routed in the event of a fiber cut.
Backbone Carrier Network – Defines transmission rates, signal formats and optical interfaces. Defines how Telcos transmit digital voice and data over Optical Networks
Layer 1 Technology – Frame Relay, ATM, and SMDS can run over SONET
Many channels multiplexed together
Channel Service Unit (CSU)/Data Service Unit (DSU) – used to terminate the physical
interface on a DTE device such as a terminal. Required for digital equipment to be
connected to a Telco network.
WAN Technologies
Rules for communicating between computers on a WAN
Communications between large disparate networks.
Private Circuit Technologies
Evolved before packet switching networks. Dedicated analog or digital point-to-point connection. Serial Line Internet Protocol (SLIP), Point-to-Point Protocol (PPP), ISDN, xDSL.
Dedicated Line – indefinitely and continuously reserved for transmissions.
Leased Line – Type of dedicated line leased from carrier.
Types and Speeds of Leased Lines
Digital Signal Level 0 – DS-0 – single channel at 64 KBps on a T1
Digital Signal Level 1 – DS-1 – 1.544 MBps in US on a T1 and 2.108 MBps in Europe on an E1
Digital Signal Level 3 – DS-3 – 44.736 MBps on a T3
T1 – Transmits DS-1 data at 1.544 MBps on telephone switching network
T3 – Transmits DS-3 data at 44.736 MBps on telephone switching network
E1 – predominately used in Europe, carries data at 2.108 MBps
E3 - predominately used in Europe, carries data at 34.368 MBps
Circuit Switching – Usually Voice or Video, works well as a stream
Virtual Connection that acts like a dedicated link
Fixed Delays – IE ISDN, POTS
Packet Switching – Data Applications, will not set up a dedicated link, but can use many
Packets can take many paths
Supports bursty traffic
Variable Delays
X.25 (Data Link Layer)
1st Packet-Switch Protocol, slower than Frame Relay due to error detection levels required. LAPB for error correction.
Frame Relay (Data Link Layer)
Faster WAN Packet Switching, simple framing, no error correction
Permanent Virtual Circuit (PVC) – Built for dedicated circuit and bandwidth
Switched Virtual Circuit (SVC) – Dynamically built when needed
Committed Information Rate (CIR) – Customer pays monthly for a specific level of bandwidth; the minimum is the CIR.
2 Types of equipment – Data Terminal Equipment (DTE) and Data Circuit Terminating
Equipment (DCE)
Switched Multimegabit Data Service (SMDS)
High speed access, connectionless, and can provide Bandwidth on demand.
Cell Switching
Asynchronous Transfer Mode (ATM)
High bandwidth, low delay
Uses switching and multiplexing
Uses 53 byte fixed size cells instead of frames
Can allocate bandwidth on demand
Taking the place of FDDI in Campus Backbone
Voice Over IP (VOIP)
Combines media types (voice, video, data, audio) into one IP packet
Provides benefits in cost, performance and interoperability
Very new but far reaching potential
Packet Switched rather than Circuit, so there can be latency
QoS, 911 response time, and Privacy questions
Equipment
Call Server offers the functionality of call control and call signaling, known as an IP PBX
Gateway can connect the IP network to a “non-IP” carrier network (ISDN or PSTN)
Security Issues
Attack the OS
Attack the TCP and UDP ports
Attack the Infrastructure supporting it
DoS, Call Hijacking, Resource Exhaustion
Wireless Security
WAP – Wireless Application Protocol
Designed for mobile devices (PDA, Phones)
Set of protocols covering layers 7 to 3 of the OSI model
Less overhead than TCP/IP
Suite of Protocols for specific use:
Wireless Markup Language (WML)
Wireless Application Environment (WAE)
Wireless Session Protocol (WSP)
Wireless Transport Layer Security (WTLS)
Wireless Datagram Protocol (WDP)
For security WAP uses Wireless Transport Layer Security (WTLS) – On the Internet, WTLS needed to be SSL enabled
Three classes of security
Class 1 – Anonymous Authentication
Class 2 - Server Authentication
Class 3 – Two way client and server authentication
Security vulnerability of WAP Version 1
WAP GAP – where WTLS is decrypted and re-encrypted to SSL at the WAP gateway
IEEE 802.11 Standards
Interface between clients and base station (access point)
802.11 Layers
The physical layer (PHY) can use:
DSSS – Direct Sequence Spread Spectrum
FHSS – Frequency Hopping Spread Spectrum
IR – Infrared pulse modulation
MAC Layer – Medium Access Control
Specifies CSMA/CA – Carrier Sense Multiple Access with Collision Avoidance
Provides: data transfer, association, re-association, authentication (WEP), privacy (WEP), power management
Wired Equivalent Privacy (WEP) – 64- or 128-bit WEP (a 40- or 104-bit secret key plus a 24-bit IV); has been cracked
SSID – the Service Set ID is required when wireless devices associate with an AP. The SSID is not a real authentication mechanism: it is transmitted in cleartext and can be sniffed. There are two 802.11 methods of authentication.
Open System Authentication (OSA) – no real authentication exchange, any station may associate; no WEP key is required and the exchange is in the clear
Shared Key Authentication (SKA) – requires a WEP key and uses a challenge-response: the AP sends a cleartext challenge and the client returns it WEP-encrypted. WEP encrypts only the payload, not the headers/trailer, using the RC4 symmetric stream cipher with 40-bit or 104-bit keys.
RC4 is a stream cipher – the 24-bit Initialization Vector is prepended to the secret key to form the per-frame RC4 key and is sent in cleartext with each frame. The IV space is small, so IVs repeat, and a repeated IV means a repeated keystream; SKA makes this worse because the cleartext challenge and its encrypted response hand an eavesdropper a known plaintext/keystream pair.
Suggested to go to WPA – introduced as a temporary fix; it changes the per-packet key value (TKIP). WPA2 (AES-CCMP) or WPA3 should be used today.
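The IV-reuse and known-plaintext weaknesses described above, as an added worked example that is not part of the original notes: a toy WEP-style encryptor built on a self-written RC4, with constructed key, IV and frame contents. Real WEP also appends a CRC-32 integrity check value to the payload; that is omitted here because it does not change the attack.

```python
"""Keystream reuse in WEP-style RC4 encryption (added example, constructed data).

A 3-byte IV is prepended to the 5-byte secret key, fed to RC4, and sent in
clear in front of the ciphertext. Two frames under the same IV share a
keystream, so (1) a known plaintext such as the SKA challenge reveals the
keystream and decrypts the other frame, and (2) even without known plaintext
the XOR of the two ciphertexts equals the XOR of the two plaintexts.
"""

SHARED_KEY = bytes.fromhex("0102030405")  # constructed 40-bit WEP key
IV = bytes.fromhex("a1b2c3")              # constructed 24-bit IV, reused on two frames


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 key scheduling plus PRGA; returns `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as WEP sends it: cleartext IV, then RC4(IV || key) XOR payload."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor_bytes(payload, rc4_keystream(iv + shared_key, len(payload)))


def wep_decrypt(shared_key: bytes, frame: bytes) -> bytes:
    """Legitimate receiver: read the IV from the frame and regenerate the keystream."""
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Attacker side: ciphertext XOR known plaintext gives the keystream for that IV."""
    return xor_bytes(frame[3:], known_plaintext)


def decrypt_with_keystream(keystream: bytes, frame: bytes) -> bytes:
    """Attacker side: decrypt any frame that reused the IV, without the WEP key."""
    return xor_bytes(frame[3:], keystream)


def demo() -> dict:
    # SKA exchange: AP sends a 128-byte challenge in clear, client echoes it encrypted.
    challenge = bytes(range(128))
    auth_response = wep_encrypt(SHARED_KEY, IV, challenge)
    # A later data frame from the same station that happens to reuse the IV.
    secret = b"GET /hr/payroll.xls HTTP/1.0\r\n"
    data_frame = wep_encrypt(SHARED_KEY, IV, secret)

    # 1. Known plaintext -> keystream -> decryption of the data frame.
    keystream = recover_keystream(challenge, auth_response)
    recovered = decrypt_with_keystream(keystream, data_frame)

    # 2. No known plaintext needed: C1 XOR C2 == P1 XOR P2 under a shared IV.
    n = len(secret)
    xor_of_ciphertexts = xor_bytes(auth_response[3:3 + n], data_frame[3:])
    xor_of_plaintexts = xor_bytes(challenge[:n], secret)

    # 3. A different IV yields a different keystream; the flaw is that 2^24 IVs run out.
    other_keystream = rc4_keystream(bytes.fromhex("a1b2c4") + SHARED_KEY, 16)

    return {
        "secret": secret,
        "recovered": recovered,
        "xor_property_holds": xor_of_ciphertexts == xor_of_plaintexts,
        "different_iv_differs": other_keystream != keystream[:16],
    }


if __name__ == "__main__":
    result = demo()
    print("recovered without the key:", result["recovered"])
    print("C1^C2 == P1^P2:", result["xor_property_holds"])
```

The 24-bit IV is the point of the demonstration: with roughly 16.7 million values and a busy access point choosing them sequentially or at random, repeats appear within hours, and every repeat gives an eavesdropper exactly the situation `demo()` constructs.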
Countermeasures
Enable WEP at 128 bits (and prefer WPA2/WPA3 where supported; WEP of any key length is breakable in minutes)
Change the default SSID
Disable broadcast SSID
Implement another layer of security, e.g. RADIUS or Kerberos
Put the AP in the middle of the building, or in the DMZ
Implement VPNs
Assign static IPs and disable DHCP
Cell Phone Cloning
Electronic Serial Number (ESN) – identifies the phone handset
Mobile Identification Number (MIN) – is the phone number
Voice encryption often uses RSA or ECC
Phone cloning and call selling are illegal in the US
Periodic pings identify where a user is located, so a fraudulent (cloned) caller can be traced
Domain 8 – Law, Investigations, and Ethics
Covers computer crimes, preserving evidence and conducting basic investigations.
Many computer crimes go unreported, so their cost is difficult to estimate.
CISSPs Shall…
1. Conduct themselves with the highest standards of ethical, moral and legal behavior
2. Not commit any unlawful or unethical act that may impact the reputation of the profession
3. Appropriately report unlawful behavior
4. Support efforts to promote prudent information security measures
5. Provide competent service to their employers and clients; avoid conflicts of interest
6. Execute responsibilities with the highest standards
7. Not misuse information with which they come into contact during their duties
Internet Activities Board (IAB) – “Internet activity should be treated as a privilege”
Unacceptable actions
Seek to gain unauthorized access to resources of the Internet
Disrupt the intended use of the Internet
Waste resources
Compromise the privacy of others
Involve negligence in the conduct of Internet experiments
Generally Accepted Systems Security Principles (GASSP) – not laws but accepted principles derived from the OECD guidelines
Computer security supports the business mission
Computer security is integral to sound management
Computer security should be cost effective
System owners have responsibility outside of their organization
Computer security requires a comprehensive, integrated approach
Computer security should be periodically reassessed
Computer security is constrained by societal factors
Why Crimes are Committed – M.O.M
Motive – who commits these crimes and why, what do they get?
Opportunity – where do opportunities exist, when would someone act on them?
Means – who has the capacity to carry out the attack?
Criminal Profiles
Hackers and Crackers
Competitors
Friendly Allies
Political opponents
Lack of Basic Protection
Lack of Awareness
Inadequate Safeguards
Insufficient Staff
Lack of Incident Response Capability
Companies don’t press charges or show they were penetrated
Problems Prosecuting
Cross-Jurisdictional Problems
Lack of understanding
New Types of Crimes
Intangible Evidence
Not viewed as a “serious” crime
Attack Types
Grudge
Disgruntled Employee
Political Reasons
Terrorist
Using technology to communicate and coordinate attacks
Causing harm against another country (Patriot Act)
International Warfare
Financial
E-commerce and Banking
Loss of funds or financial information
Fun – just to say you could do it
Salami – skimming: many small slices (e.g. the rounded-off fractions of cents on each transaction) that add up
Data Diddling – altering data just before an online order is processed
Password Sniffing
Privilege Escalation – setuid programs with bugs are an ideal target because UNIX runs them with the file owner's (often root's) privileges; su – the substitute user command, which grants root permissions when the root password is known
Phone Phreakers
Red box – simulates the sound of coins being dropped into a payphone.
Blue box – a device that generates the in-band signaling tones (the 2600 Hz trunk tone and MF digits) that trick the telephone company’s system into thinking the user is authorized for long distance service, which enables him to make the call.
Black box – manipulates the line voltage on the called party's line so that the call is never billed, i.e. the called party receives toll-free calls.
Downstream liabilities – when companies come together to work in an integrated manner, special care must be taken to ensure that each party promises to provide the necessary level of protection; liability and responsibility should be clearly defined in the contracts that each party signs.
Due Care – steps that are taken to show that a company has taken responsibility for the activities that take place within the corporation and has taken the necessary steps to help protect the company, its resources and employees.
Due Diligence – continual activities that make sure the protection mechanisms are continually maintained and operational.
Prudent man rule – to perform duties that prudent people would exercise in similar circumstances.
Common Law System Categories – not to be confused with common law from court decisions
Criminal Law – violates government laws for the protection of the people. Financial penalties and imprisonment
Civil Law (Tort Law) – a wrong inflicted upon an individual or organization results in damage or loss; compensation, no prison
Administrative Law – standards of performance and conduct set by regulatory agencies; financial penalties and imprisonment
Intellectual Property Law
Patent – provides the owner a legally enforceable right to exclude others for a specified time (historically 17 years from grant in the U.S.; now 20 years from the filing date)
Copyright – protects original works of authorship; can be used for software and databases
Trade Secret – secures confidentiality of proprietary technical and business-related information
Company must meet requirements:
Invested resources to develop the information
Valuable to the business
Valuable to a competitor
Non-obvious information
Trademark – establishes a word, name, symbol, color or sound used to identify and distinguish goods
Incident Handling should address
What constitutes an incident
How should an incident be reported
To whom should an incident be reported
When should management be informed of an incident
What action should be taken if an incident occurs
Who should handle the response to the incident
How much damage was caused by the incident
What data was damaged by the incident
Are recovery procedures required
What type of follow up or review is required
Should additional safeguards be implemented
Establish a Computer Incident Response Team (CIRT) or Computer Emergency Response Team (CERT)
Incident Response, Collecting Evidence
Must be careful in gathering the evidence of a crime.
Photograph the area before going in to the scene or systems
Dump and preserve memory contents (volatile data is lost once power is removed)
Power down, and record the collection process and the chain of custody
Get HR involved (disgruntled employees)
Send items to forensics – during the forensics portion a bit-for-bit image of the disk must be made (not a file copy, so that all bits, including slack and unallocated space, are preserved)
Look for hidden files, viruses, slack space, the FAT table
Before the evidence can be presented in court it must be competent, relevant and material.
Evidence can be obtained under “exigent circumstances” without a warrant, but the search must still be supported by probable cause and should show criminal activity.
Investigation
Also known as computer forensics – collecting information from and about computer systems that is admissible in a court of law
Computer Forensic Issues
Compressed timeframe for investigation
Information is intangible
Investigation may interfere with normal business operations
May find difficulty in gathering evidence
Co-mingling of live production data and evidence
Experts are required
Locations may be geographically in different jurisdictions
Differences in law and attitude
Many jurisdictions have expanded definitions of property to include electronic information
Evidence
Gathering, control and preservation are critical
Subject to easy modification without a trace, so it must be carefully handled through its life cycle.
Chain of Custody – must be followed
Chain of Custody components:
Location of evidence
Time evidence obtained
Identification of individual who discovered evidence
Identification of individual who obtained evidence
Identification of individual who controlled/maintained possession of evidence
Evidence Life Cycle
Discovery and recognition
Protection
Recording
Collection
Collect all relevant storage media
Make an image of the hard disk before removing power
Print out the screen
Avoid degaussing equipment
Identification (tagging and marking)
Preservation
Protect from magnetic erasure
Store in a proper environment
Transportation
Presentation in court
Return to evidence owner
Evidence Admissibility – evidence must meet stringent requirements.
Must be relevant, legally permissible, reliable, properly identified and preserved
Relevant – must be related to the crime, shows the crime has been committed
Legally Permissible – obtained in a lawful manner
Reliable – has not been tampered with or modified
Properly Identified – identified without changing or damaging the evidence
Preservation – not subject to damage or destruction
Make backups, write protect, take cryptographic hashes or digital signatures of files or disk sectors so that any later modification can be detected
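The hashing and chain-of-custody steps above, as an added worked example that is not part of the original notes. It hashes a constructed disk image whole and per sector, keeps a custody log whose entries are chained together and keyed with an HMAC, and re-verifies both before "presentation". The custodian key, image bytes, names and timestamps are all constructed sample values; a real workflow would image through a write blocker with a forensic imager and sign the log with a key held outside the lab.

```python
"""Evidence integrity and chain of custody (added example, constructed data)."""
import hashlib
import hmac
import json

SECTOR = 512
CUSTODIAN_KEY = b"constructed-custodian-hmac-key"  # assumption: held only by the evidence custodian


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_fingerprint(image: bytes) -> dict:
    """Whole-image hash plus per-sector hashes, recorded once at acquisition."""
    sectors = [sha256_hex(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]
    return {"image_sha256": sha256_hex(image), "sectors": sectors}


def changed_sectors(image: bytes, fingerprint: dict) -> list:
    """Re-hash a supposed copy and return the indices of sectors that no longer match."""
    now = image_fingerprint(image)["sectors"]
    ref = fingerprint["sectors"]
    return [i for i in range(max(len(now), len(ref)))
            if i >= len(now) or i >= len(ref) or now[i] != ref[i]]


def _digest(body: dict, key: bytes) -> str:
    """Keyed digest over a canonical JSON encoding of the entry (minus its own digest)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_custody(log: list, key: bytes, **fields) -> dict:
    """Append who/what/when/where; each entry carries the digest of the one before it."""
    entry = dict(fields, prev=log[-1]["digest"] if log else "genesis")
    entry["digest"] = _digest(entry, key)
    log.append(entry)
    return entry


def verify_custody(log: list, key: bytes) -> bool:
    """Every entry must recompute to its digest and link to the previous digest."""
    prev = "genesis"
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body.get("prev") != prev:
            return False
        if not hmac.compare_digest(_digest(body, key), entry["digest"]):
            return False
        prev = entry["digest"]
    return True


def demo() -> dict:
    image = b"".join(bytes([i]) * SECTOR for i in range(4))  # constructed 2 KiB "disk image"
    fp = image_fingerprint(image)

    log = []
    record_custody(log, CUSTODIAN_KEY, when="2024-01-05T09:12:00Z", who="A. Examiner",
                   action="acquired image (write-blocked)", location="forensics lab",
                   image_sha256=fp["image_sha256"])
    record_custody(log, CUSTODIAN_KEY, when="2024-01-06T14:00:00Z", who="B. Custodian",
                   action="moved to evidence locker", location="locker 12")

    tampered = bytearray(image)
    tampered[2 * SECTOR + 7] ^= 0x01            # one flipped bit in sector 2
    forged = json.loads(json.dumps(log))        # deep copy, then alter an entry after the fact
    forged[0]["who"] = "Z. Impostor"

    return {
        "clean_image_ok": changed_sectors(image, fp) == [],
        "tampered_sectors": changed_sectors(bytes(tampered), fp),
        "clean_log_ok": verify_custody(log, CUSTODIAN_KEY),
        "forged_log_ok": verify_custody(forged, CUSTODIAN_KEY),
        "wrong_key_ok": verify_custody(log, b"some-other-key"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Per-sector hashes matter in practice because a single whole-image mismatch only tells you the copy is unusable; the sector list tells you where it diverged, which is often the difference between a lost exhibit and an explainable one.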
Types of Evidence
Best Evidence – original or primary evidence rather than a copy
Secondary Evidence – a copy of evidence, or a description of its contents
Direct Evidence – proves or disproves a specific act based on witness testimony using the five senses
Conclusive Evidence – incontrovertible, overrides all other evidence, cannot be disproved
Opinions – two types:
Expert – may offer an opinion based on expertise and facts
Nonexpert – may testify only to the facts
Circumstantial – inference from other information
Hearsay – not based on first-hand knowledge; generally not admissible in court, and computer-generated reports often fall under this rule (no printouts)
Exceptions to the Hearsay Rule (business records):
Made during the regular conduct of business, with witnesses
Made by a person with knowledge of the records
Made by a person with knowledge
Made at or near the time of occurrence of the act
In the custody of the witness on a regular basis
If printed in the normal process of business activity, it could be used.
Enticement vs. Entrapment
Enticement occurs after an individual has gained unlawful access to a system and is then lured to an attractive area (a “honey pot”) in order to provide time to identify the individual; it is legal
Entrapment encourages the commission of a crime that the individual had no intention of committing; it is illegal and is a defense for the accused