(My) CSSLP Notes – Secure Software Implementation

Note: This notes were strongly inspired by the following books: CSSLP Certification All in one and Official (ISC)2 Guide to the CSSLP CBK, Second Edition

Common Software Vulnerabilities and Controls

Some well-known and useful examples of vulnerability databases and CSSLP-logotracking systems:
  • National Vulnerability Database (NVD) -U.S. government repository of vulnerabilities and vulnerability management data.
  • US Computer Emergency Response Team (CERT) Vulnerability Notes Database – The CERT vulnerability analysis project aims at reducing security risks due to software vulnerabilities in both developed and deployed software.
  • Open Source Vulnerability Database – An independent and open source database that is created by and for the security community.
  • OWASP Top 10 – The OWASP Top 10 List, in addition to considering
    the most common application security issues from a weaknesses or
    vulnerabilities perspective, views application security issues from an
    organizational risks.
  • Common Weakness Enumeration (CWE) – Provides a common language for describing architectural, design or coding software security weaknesses.
  • Common Vulnerabilities and Exposures (CVE) – A dictionary of publicly known information security vulnerabilities and exposures. It is free for use and international in scope.

The most common software security vulnerabilities and risks

  • buffer overflow – is the condition that occurs when data that is being copied into the buffer (contiguous allocated storage space in memory) is more than what the buffer can handle.
    • stack overflow – buffer has been overflowed in the stack space.
      the data flows from one buffer space into another, causing the return address instruction pointer to be overwritten.
    • heap overflow – a heap overflows does not necessarily overflow but corrupts the heap memory space (buffer), overwriting variables and function pointers on the heap.
  • injection flows – occur when the user supplied data is not validated before being processed by an interpreter.
    • SQL injection
    • OS Command injection
    • LDAP injection
    • XML injection – software does not properly filter or quote special characters or reserved words that are used in XML, allowing an attacker to modify the syntax, contents or commands before execution.

  • cross-site scripting – A web application is said to be susceptible to XSS vulnerability when the user supplied input is sent back to the browser client without being properly validated and its content escaped.
    • Non-persistent (Reflected) – the user supplied input script that is injected (also referred to as payload) is not stored but merely included in the response from the web server, either in the results of a search or an error message.
    • Persistent (Stored) – the injected script is permanently stored on the target servers, either in a database, a message forum, a visitor log or an input field. Each time the victims visit the page that has the injected code stored in it or served to it from the web server, the payload script executes in the user’s browse

    • DOM based – the payload is executed in the victim’sbrowser as a result of DOM environment modifications on the client side. The HTTP response (or the web page) itself is not modified, but weaknesses in the client side allows the code contained in the web page client to be modified, so that the payload can be executed.

  • insecure direct object references – an unauthorized user or process can invoke the internal functionality of the software by manipulating parameters and other object values that directly reference this functionality.
  • security misconfiguration -Some of the common examples of security misconfigurations:
    • Missing software and operating system patches.
    • Lack of perimeter and host defensive controls such as firewalls,
    • Installation of software with default accounts and settings.
    • Installation of the administrative console with default configuration settings.
  • social engineering
    • Phishing
    • Pharming – scamming practice in which malicious code is installed on a system or server which misdirects users to fraudulent web sites without the user’s knowledge or consent.
    • Vishing – made up of two words, “voice” and “phishing” and is the criminal fraudulent activity in which an attacker steals sensitive information using deceptive social engineering techniques on VoIP networks.
    • SMSishing

Defensive Coding Practices

  • input validation – use blacklist or whitelist technique.
  • canonicalization (C14N) -process of converting data that has more than one possible representation to conform to a standard canonical form.
  • sanitization -process of converting something that is considered dangerous into its innocuous form. Both inputs and outputs can be sanitized.
    • stripping – removing harmful characters from user supplied input.
    • substitution – replacing user supplied input with safer alternatives.
    • literalization – using properties that render the user supplied input to be treated as a literal form.
  • error handling – error messages must be non-verbose and explicitly specified in the software. Redirect errors and exceptions to a custom and default error handling location.
  • cryptographic agility – ability to manage the specifics of the cryptographic functions that are embedded in code without recompiling, typically through a configuration file.
  • tokenization – process of replacing sensitive data with unique
    identification symbols that still retain the needed information about the data, without compromising its security.
  • anti-tampering – techniques assure integrity assurance and protection against unauthorized and malicious alterations of the software code and/or the data.
    • obfuscation.
    • code-signing.

Secure Software Processes

In addition to writing secure code, there are certain processes that must be conducted during the implementation phase that can assure the security of the software:
  • versioning
  • code analysis
    • static
    • dynamic
  • code/peer review

(My) CSSLP Notes – Secure Software Design

Note: This notes were strongly inspired by the following books: CSSLP Certification All in one and Official (ISC)2 Guide to the CSSLP CBK, Second Edition

Design Process

Attack Surface Evaluation

A software or application’s attack surface is the measure of its exposure of CSSLP-logobeing exploited by a threat agent i.e., weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
The attack surface evaluation attempts to enumerate the list of features that
an attacker will try to exploit.

Threat Modeling

Threat modeling is the process used to identify and document all the threats to  system.

The threat modeling process have 3 phases:

  1. model the system for which you want to find the threats.
  2. find the threats.
    1. STRIDE model.
    2. attack trees – An attack tree is a hierarchical tree-like structure, which has either an attacker’s objective (e.g., gain administrative level privilege, determine application makeup and configuration, bypass authentication mechanisms, etc.) or a type of attack
      (e.g., buffer overflow, cross site scripting, etc.) at its root node.
  3. address each threat found in the previous step. Once identified,each threat must be evaluated according to the risk attached to it. There are several ways to quantitatively or qualitatively determine the risk ranking for a threat. These range from the simple, non-scientific, Delphi heuristic methodology to more statistically sound risk ranking using the probability of impact and the business impact.
  4. document and validate.

More details about threat modeling can be found here : Threat Modeling for mere mortals and (My) OWASP BeNeLux Days 2016 Notes – Training Day.

Design Considerations

This part is linked to the Secure Software Concepts and contains how the security software concepts can be applied to have a secured application.

  • confidentiality – use cryptographic and masking techniques
  • integrity – use hashing (or hash functions), referential integrity design (uses primary keys and related foreign keys in the database to assure data integrity), resource locking (when two concurrent operations are not allowed on the same object (say a record in the database), because one of the operations locks that record from allowing any changes to it, until it completes its operation, it is referred to as resource locking), and code signing.
  • availability – replication, fail-over and scalability techniques can be used to design the software for availability.
  • authentication – use multi-factor authentication and single sign on (SSO). Rely of already existing mechanism if possible (like the ones offered by the operating system).
  • authorization – rely of already existing mechanism if possible.
  • accounting (audit) – determine of what elements should be logged and under what circumstances.
Some of the common, insecure design issues observed in software are the
  • improper implementation of least privilege
  • software fails insecurely
  • authentication mechanisms are easily bypassed
  • security through obscurity
  • improper error handling
  • weak input validation

Architecture system with secured design principles:

  • good enough security – care should be taken to ensure that the security elements are in response with the actual risk associated with the potential vulnerability; do not over-engineer.
  • least privilege – use of accounts with non-administrative abilities.
    Modular programming is a software design technique in which the entire program is broken down into smaller sub-units or modules. Each module is discrete with unitary functionality and is said to be therefore cohesive, meaning each module is designed to perform one and only one logical operation.
  • separation of duties – the programmer should not be allowed to review his own code nor should a programmer have access to deploy code to the production environment.
  • defense in depth
    • use of input validation along with prepared statements or stored
      procedures, disallowing dynamic query constructions using user
      input to defend against injection attacks.
    • disallowing active scripting in conjunction with output encoding
      and input- or request-validation to defend against Cross-Site
      Scripting (XSS).
  • fail safe
    • the user is denied access by default and the account is locked out after the maximum number (clipping level) of access attempts is tried.
    • errors and exceptions are explicitly handled and the error messages are non-verbose in nature.
    •  not designing the software to ignore the error and resume next
  • economy of mechanism – trade-off that happens between the
    usability of the software and the security features that need to be designed and built in.
    • Unnecessary functionality or unneeded security mechanisms should be avoided.
    • Strive for simplicity.
    • Strive for operational ease of use.
  • complete mediation
  • open design – the inverse of the open design principle is security through obscurity, which means that the software employs protection mechanisms whose strength is dependent on the obscurity of the design.
  • least common mechanism – mechanisms common to more than one user or process are designed not to be shared. Design should compartmentalize or isolate the code (functions) by user roles, since this increases the security of the software by limiting the exposure.
  • psychological acceptance – security principle that states that security mechanisms should be designed to maximize usage, adoption, and automatic application.The security protection mechanisms:
    • are easy to use,
    • do not affect accessibility.
    • are transparent to the user.
  • weakest link – when designing software, careful attention must be
    given so that there are no exploitable components.
  • leverage existing components – reusing tested and proven, existing libraries and common components has good security benefits.

Securing commonly used architectures

  • mainframe architecture
  • distributed architecture
    • client/server
    • p2p
  • service oriented architecture
    • An ESB is a software architectural pattern that facilitates communication between mutually interacting software application.
    • web-services
      • SOAP
      • REST
  • rich internet aplications (RIA)

Service models:

  • Infrastructure as a Service (IaaS)  -infrastructural components such as networking equipment, storage, servers and virtual machines are provided as services and managed by the cloud service provider.
  • Platform as a Service (PaaS) -in addition to infrastructural components, platform components such as operating systems, middleware and runtime are also provided as services and managed by the cloud service provider.
  • Software as a Service (SaaS) – in addition to infrastructural and platform components, data hosting and software applications are provided as services and managed by the cloud service provider.

Digital Rights Management

The expression of rights is made possible by formal language, known as Rights Expression Language (REL). Some examples of REL include the following:
  • Open Digital Rights Language (ODRL)  – A generalized, open standard under development that expresses rights using XML.
  •  eXtensible rights Markup Language (XrML) – Another generalized REL that is more abstract than ODRL. XrML is more of a meta-language that can be used for developing other RELs.
  • Publishing Requirements for Industry Standard Metadata
    (PRISM) – Unlike ODRL and XrML, PRISM can be used to express
    rights specific to a task and is used for syndication of print media
    content such as newspapers and magazine.

Trusted computing:

  • Trusted Platform Module (TPM) – specification used in personal computers and other systems to ensure protection against disclosure of sensitive or private information as well as the implementation of the specification itself.
  • Trusted Computing Base (TCB) – the set of all hardware, firmware and software components that are critical to its security.

(My) CSSLP Notes – Secure Software Requirements

Note: This notes were strongly inspired by the following books: CSSLP Certification All in one and Official (ISC)2 Guide to the CSSLP CBK, Second Edition

 Policy Decomposition

CSSLP-logoThe policy decomposition is the process of breaking down high level policy requirements into security objectives and eventually protection needs and secure software requirements.

Policies involving protecting data could be decomposed in confidentiality requirements.

Policies involving protecting data from unauthorized alteration can be decomposed in integrity requirement.

Policies associated with determining access can be decomposed into availability requirements.

policy decomposition

Data Classification and Categorization

Data classification is a risk management tool, with the objective to reduce the costs associated with protecting data.

Types of data :

  • structured – the most common form of structured data is that stored in the DB; other forms of structured data, XML, JSON test files, log files.
  • unstructured – the rest of data that is not structured; data that is not easily parsed and parsed.

Data states :

  • data at rest.
  • data in transit – data being transmitted from one location to another.
  • date being created.
  • data being changed or deleted.

Data labeling

Data classification/labelling is the conscious effort to assign labels (a level of sensitivity) to information (data) assets, based on potential impact to confidentiality, integrity and availability (CIA).

The main objective of data classification is to lower the cost of data protection
and maximize the return on investment when data is protected.

Data ownership:

  • Data Owner – (also called information owner or business owner) is a management employee responsible for ensuring that specific data is protected. Data owners determine data sensitivity labels and the frequency of data backup. The Data Owner is responsible for ensuring that data is protected. A user who “owns” data has read/write access to objects.
  • Data Custodian – provides hands-on protection of assets such as data. They perform data backups and restoration, patch systems, configure antivirus software, etc. The Custodians follow detailed orders; they do not make critical decisions on how data is protected.


Role and user definitions

  • objects – items that a user (subject) interacts with in the operation of a system.
  • subjects – an active entity on a data system. Most examples of subjects involve people accessing data files. However, running computer programs are subjects as well. A Dynamic Link Library file or a Perl script that updates database files with new information is also a subject.
  • actions – permitted events that a subject can perform on an associated object.
The subjects represent who, the objects represents what and actions represent the how of the subject-object-activity relationship. A subject-object matrix is used to identify allowable actions between subjects and objects based on use cases.
Once use cases are enumerated with subjects (roles) and the objects (components) are defined, a subject-object matrix can be developed. A subject-object matrix is a two-dimensional representation of roles and components.

Functional requirements

Functional requirements describe how the software is expected to function. They begin as business requirements and are translated into functional requirements.

Uses cases are a technique for determining functional requirements in developer-friendly terms. Use case modeling is meant to model only the most significant system behavior or the most complex ones and not all of it and so should not be considered as a substitute for requirements specification documentation.
 From use cases, misuse cases can be developed. Misuse cases, also known as abuse cases help identify security requirements by modeling negative scenarios.
Time of Check/Time of Use (TOCTOU) attacks are also called race conditions: an attacker attempts to alter a condition after it has been checked by the operating system, but before it is used. The term race condition comes from the idea of two events or signals that are racing to influence an activity.
Some of the common templates that can be used for use and misuse case
modeling are templates by Kulak and Guiney. On the tooling side you can take a look to Secure Quality Requirements Engineering (SQuaRE) methodology.

Requirements Traceability Matrix (RTM)

The RTM is a grid that assists the development team in tracking and managing requirements and implementation details.

A generic RTM is a table of information that lists the business requirements in the left most column, the functional requirements that address the business requirements are in the next column. Next to the functional requirements are the testing requirements. From a software assurance perspective, a generic RTM can be modified to include security requirements as well. This is a template example of RTM diagram: Requirements Traceability Matrix Template

(My) CSSLP Notes – Secure Software Concepts

Note: This notes were strongly inspired by the following book: CSSLP Certification All in one.

General Security Concepts


The security of IT systems can be defined using the following attributes:

  • confidentiality – how the system prevents the disclosure of information.
  • integrity – how the system protects data from the unauthorized access.
  • availability – access to the system by authorized personnel.
  • authentication – process of determining the identity of a user. Three methods can be used to authenticate a user:
    • something you know (ex: password, pin code)
    • something you have (ex: token, card)
    • something you are (ex: biometrics mechanisms)
  • authorization – process of applying access control rules to a user process to determine if a particular user process can access an object.
  • accounting (auditing) – records historical events on a system.
  • non-repudiation – preventing a subject from denying a previous action with an object in a system.

System principles

  • session management – design and implementation of controls to ensure that the communications channels are secured from unauthorized access and disruption of communications.
  • exception management – the process of handling any errors that could appear during the system execution.
  • configuration management – identification and management of the configuration items (initialization parameters, connection strings, paths, keys).

Secure design principles

  • good enough security – there is a trade off between security and other aspects associated with a system. The level of required security must be determined at design time.
  • least privilege – a subject should have only the necessary rights and privileges to perform a specific task.
  • separation of duties – for any given task, more than one individual needs to be involved.
  • defense in depth (layered security) – apply multiple dissimilar security defenses.
  • fail-safe – when a system experience a failure, it should fail to a safe state; all the attributes associated with the system security (confidentiality, integrity, availability) should be appropriately maintained.
  • economy of mechanism – keep the design of the system simple and less complex; reduce the number of dependencies and/or services that the system needs in order to operate.
  • complete mediation – checking permission each time subject requests access to objects.
  • open design – design is not a secret, implementation of safeguard is. (ex: cryptography algorithms are open but the keys used are secret)
  • least common mechanism – minimize the amount of mechanism common to more than one user and depended on by all users. Every shared mechanism (especially one involving shared variables) represents a potential information path between users and must be designed with great care to be sure it does not unintentionally compromise security.
  • psychological acceptability – accessibility to resources should not be inhibited by security mechanisms. If security mechanisms hinder the usability or accessibility of resources, then users may opt to turn off those mechanisms.
  • weakest link – attackers are more likely to attack a weak spot in a software system than to penetrate a heavily fortified component.
  • leverage existing components – component reuse have many advantages, including the increasing of efficiency and security. From the security point of view the component reuse is reducing the attack surface.
  • single point of failure – a system design should not be susceptible to a single point of failure.

Security Models

Access Control Models

Access controls define what actions a subject can perform on specific objects.

  • Bell-LaPadula confidentiality model – It is focused on maintaining the confidentiality of objects. Bell-LaPadula operates by observing two rules: the Simple Security Property and the * Security Property.
    • The Simple security property states that there is “no read up:” a subject at a specific classification level cannot read an object at a higher classification level.
    • The * Security Property is “no write down:”a subject at a higher classification level cannot write to a lower classification level.
  • Take-Grant  – systems specify the rights that a subject can transfer to a from another subject or object. The model is based on representation of the controls in forms of directed graphs with the vertices being the subjects and the objects. The edges between them represent the right between the subject and objects. The representation of rights takes the form of {t (take), g (grant), r (read), w (write)}.
  • Role-based Access control – users are assign a set of roles they may perform. The roles are associated to the access permissions necessary to perform the tasks.
  • MAC (Mandatory Access Control) Model – in MAC systems the owner or subject cannot determine whether access is to be granted to another subject; it is the job of the operating system to decide.
  • DAC (Discretionary Access Control) Model – in DAC systems the owner of an object can decide which other subjects may have access to the object what specific access they may have.

Integrity Models

  • Biba integrity model  – (sometimes referred as Bell-LaPadula upside down) was the first formal integrity model.  Biba is the model of choice when integrity protection is vital. The Biba model has two primary rules: the Simple Integrity Axiom and the * Integrity Axiom. 
    • The Simple Integrity Axiom is “no read down:”a subject at a specific classification level cannot read data at a lower classification. This protects integrity by preventing bad information from moving up from lower integrity levels.
    • The * Integrity Axiom is “no write up:”a subject at a specific classification level cannot write to data at a higher classification. This protects integrity by preventing bad information from moving up to higher integrity levels.
  • Clark-Wilson  –  (this is an informal model) that protects integrity by requiring subjects to access objects via programs. Because the programs have specific limitations to what they can and cannot do to objects, Clark-Wilson effectively limits the capabilities of the subject.Clark-Wilson uses two primary concepts to ensure that security policy is enforced; well-formed transactions and Separation of Duties.

Information Flow Models

Information in a system must be protected when at rest, in transit and in use.

  • The Chinese Wall model – designed to avoid conflicts of interest by prohibiting one person, such as a consultant, from accessing multiple conflict of interest categories (CoIs). The Chinese Wall model requires that CoIs be identified so that once a consultant gains access to one CoI, they cannot read or write to an opposing CoI.


Risk Management


  • risk – possibility of suffering harm or loss
  • residual risk – risk that remains after a control was added to mitigate the initial risk.
  • total risk – the sum of all risks associated with an asset.
  • asset – resource an organization needs to conduct his business.
  • threat – circumstance or event with the potential to cause harm to an asset.
  • vulnerability – any characteristic if an asset that can be exploited by a threat to cause harm.
  • attack – attempting to use a vulnerability.
  • impact – loss resulting when a threat exploits a vulnerability.
  • mitigate – action taken to reduce the likelihood of a threat.
  • control – measure taken to detect, prevent or mitigate the risk associated with a threat.
  • risk assessment – process of identifying risks and mitigating actions.
  • qualitative risk assessment – subjectively determining the impact of an event that effects assets.
  • quantitative risk assessment –  objectively determining the impact of an event that effects assets.
  • single loss expectation (SLE) – linked to the quantitative risk assessment, it represents the monetary loss or impact of each occurrence of a threat.
    • SLE = asset value * exposure factor
  • exposure factor – linked to the quantitative risk assessment, is a measure of the magnitude of a loss.
  • annualized rate of occurrence (ARO) – linked to the quantitative risk assessment, is the frequency with an event is expected to occur on an annualized basis.
    • ARO = number of events / number of years
  • annualized loss of expectancy (ALE) – linked to the quantitative risk assessment, it represents how much an event is expected to cost per year.
    • ALE = SLE * ARO

Types of risks:

  • Business Risks:
    • fraud
    • regulatory
    • treasury management
    • revenue management
    • contract management
  • Technology Risks:
    • security
    • privacy
    • change management

Types of controls

Controls can be classified on types of actions they perform. Three classes of controls exist:

  • administrative
  • technical
  • physical

For each of these classes, there are four types of controls:

  • preventive (deterrent) – used to prevent the vulnerability
  • detective – used to detect the presence of an attack.
  • corrective (recovery) – correct a system after a vulnerability is exploited and an impact has occurred; backups are  a common form of corrective controls.
  • compensation – designed to act when a primary set of controls has failed.

Risk management models

General risk management model

The steps contained in a general risk management model:

  1. Asset identification – identify and clarify all the assets, systems and processes that need to be protected.
  2. Threat assessment – identify the threats and vulnerabilities associated with each asset.
  3. Impact determination and qualification
  4. Control design and evaluation – determine which controls to put in place to mitigate the risks.
  5. Residual risk management – evaluate residual risks to identify where additional controls are needed.

Risk management model proposed by Software Engineering Institute

SEI model steps :

  1. Identity – enumerate potential risks.
  2. Analyze – convert the risk data gather into information that can be used to make decisions.
  3. Plan – decide the actions to take to mitigate them.
  4. Track – monitor the risks and mitigations plans.
  5. Control – make corrections for deviations from the risk mitigation plan.

Security Policies and Regulations

One of the most difficult aspects of prosecution of computer crimes is attribution. Meeting the burden of proof requirement in criminal proceedings, beyond a reasonable doubt, can be difficult given an attacker can often spoof the source of the crime or can leverage different systems under someone else’s control.

Intellectual property

Intellectual property is protected by the U.S law under one of four classifications:

  • patents – Patents provide a monopoly to the patent holder on the right to use, make, or sell an invention for a period of time in exchange for the patent holder’s making the invention public.
  • trademarks – Trademarks are associated with marketing: the purpose is to allow for the creation of a brand that distinguishes the source of products or services.
  • copyrights – represents a type of intellectual property that protects the form of expression in artistic, musical, or literary works, and is typically denoted by the circle c symbol. Software is typically covered by copyright as if it were a literary work. Two important limitations on the exclusivity of the copyright holder’s monopoly exist: the doctrines of first sale and fair use. The first sale doctrine allows a legitimate purchaser of copyrighted material to sell it to another person. If the purchasers of a CD later decide that they no longer cared to own the CD, the first sale doctrine gives them the legal right to sell the copyrighted material even though they are not the copyright holders.
  • trade secrets – business-proprietary information that is important to an organization’s ability to compete. Software source code or firmware code are examples of computer-related objects that an organization may protect as trade secrets.

Privacy and data protection laws

Privacy and data protection laws are enacted to protect information collected and maintained on individuals from unauthorized disclosure or misuse.

Several important pieces of privacy and data protection legislation include :

  • U.S. Federal Privacy Act of 1974 – protects records and information maintained by U.S. government agencies about U.S. citizens and lawful permanent residents.
  •  U.S. Health Insurance Portability and Accountability Act (HIPAA) of 1996 – seeks to guard protected health information from unauthorized use or disclosure.
  • Payment Card Industry Data Security Standard (PCI-DSS) – the goal is to ensure better protection of card holder data through mandating security policy, security devices, control techniques and monitoring of systems and networks.
  • U.S. Gramm-Lech-Bliley Financial Services Modernization Act (GLBA) – requires financial institutions to protect the confidentiality and integrity of consumer financial information.
  • U.S. Sarbanes-Oxley Act of 2002 (SOX) – the primary goal of SOX is to ensure adequate financial disclosure and financial auditor independence.

Secure Software Architecture – Security Frameworks

  • COBIT (Control Objectives for Information and Related Technology)– assist management in bringing the gap between control requirements, technological issues and business risks.
  • COSO (Committee of Sponsoring Organizations of the Treadway Commission) – COSO has established a Enterprise Risk Management -Integrated Framework against which companies and organizations may assess their control systems.
  • ITIL (Information Technology Infrastructure Library) – describes a set of practices focusing on aligning IT services with business needs.
  • SABSA (Sherwood Applied Business Security Architecture) – framework and methodology for developing risk-driven enterprise information security architecture.
  • CMMI (Capability Maturity Model Integration) – process metric model that rates the process maturity of an organization on a 1 to 5 scale.
  • OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation) – suite of tools, techniques and methods for risk-based information security assessment.


Software Development Methodologies

Secure Development Lifecycle Components

  • software team awareness and education – all team members should have appropriate training. The key element of team awareness and education is to ensure that all the members are properly equipped with the correct knowledge.
  • gates and security requirements – the term gates it signifies a condition that one must pass through. To pass the security gate a review of the appropriate security requirements is conducted.
  • threat modeling – design technique used to communicate information associated with a threat throughout the development team (for more infos’ you could check my other ticket : threat modeling for mere mortals).
  • fuzzing – a test technique where the tester applies a series of inputs to an interface in an automated fashion and examines the output for undesired behaviors.
  • security reviews – process to ensure that the security-related steps are being carried out and not being short-circuited.

Software Development Models

  • waterfall model – is a linear application development model that uses rigid phases; when one phase ends, the next begins.
  • spiral model – repeats steps of a project, starting with modest goals, and expanding outwards in ever wider spirals (called rounds). Each round of the spiral constitutes a project, and each round may follow traditional software development methodology such as Modified Waterfall. A risk analysis is performed each round.
  • prototype model – working model of software with some limited functionality. Prototyping is used to allow the users evaluate developer proposals and try them out before implementation.
  • agile model
    • Scrum  – contain small teams of developers, called the Scrum Team. They are supported by a Scrum Master, a senior member of the organization who acts like a coach for the team. Finally, the Product Owner is the voice of the business unit.
    • Extreme Programming (XP) – method that uses pairs of programmers who work off a detailed specification.

Microsoft Security Development Lifecycle

SDL is software development process designed ti enable development teams to build more secure software and address security compliance requirements.

SDC is build around the following three elements:

  • (security) by design – the security thinking is incorporated as part of design process.
  • (security) by default – the default configuration of the software is by design as secure as possible.
  • (security) in deployment – security and privacy elements are properly understood and managed through the deployment process.

SDL components:

  • training   security training for all personnel, targeted to their responsibility associated with the development effort.
  • requirements
    • establishment of the security and privacy requirements for the software.
    • creation of quality gates ans bug bars. Defining minimum acceptable levels of security and privacy quality at the start helps a team understand risks associated with security issues, identify and fix security bugs during development, and apply the standards throughout the entire project.Setting a meaningful bug bar involves clearly defining the severity thresholds of security vulnerabilities (for example, no known vulnerabilities in the application with a “critical” or “important” rating at time of release) and never relaxing it once it’s been set.
    • development of security and privacy risk assessment. Examining software design based on costs and regulatory requirements helps a team identify which portions of a project will require threat modeling and security design reviews before release and determine the Privacy Impact Rating of a feature, product, or service.
  • design – establish design requirements, perform attack/surface analysis/reduction and use threat modeling.
  • implementation – application of secure coding practices and the use of static program checkers to find common errors.
  • verification – perform dynamic analysis (tools that monitor application behavior for memory corruption, user privilege issues, and other critical security problems), fuzz testing and conduct attack surface review.
  • release – conduct final security review and create an incident response plan.
  • response – execute incident response plan.

(My) CEH cheat sheet

This is the small (and I hope) useful cheat sheet for the CEH V8 certification.

This is strongly inspired from the CEH Certified Ethical Hacker Bundle, Second Edition book.


“Bit flipping” is one form of an integrity attack. In bit flipping, the attacker isn’t interested in learning the entirety of the plaintext message.

There are three main phases to a pen test: preparation, assessment, and conclusion.

Black box testing, the ethical hacker has absolutely no knowledge of the TOE. It’s designed to simulate an outside, unknown attacker, takes the most amount of time to complete.

White box testing, pen testers have full knowledge of the network, system, and infrastructure they’re targeting.

Gray box testing, is also known as partial knowledge testing. What makes this different from black box testing is the assumed level of elevated privileges the tester has. Whereas black box testing is generally done from the network administration level, gray box testing assumes only that the attacker is an insider.

Attack Types

EC Council broadly defines four attack types categories:

  • Operating system attacks Generally speaking, these attacks target the common mistake many people make when installing operating systems— accepting and leaving all the defaults. Things like administrator accounts with no passwords, all ports left open, and guest accounts (the list could go on forever) are examples of settings the installer may forget about.
  • Application-level attacks These are attacks on the actual programming codes of an application. Although most people are very cognizant of securing their OS and network, it’s amazing how often they discount the applications running on their OS and network. Many applications on a network aren’t tested for vulnerabilities as part of their creation and, as such, have many vulnerabilities built into them. Applications on a network are a goldmine for most hackers.
  • Shrink-wrap code attacks These attacks take advantage of the built-in code and scripts most off-the-shelf applications come with. These scripts and code pieces are designed to make installation and administration easier, but can lead to vulnerabilities if not managed appropriately.
  • Misconfiguration attacks These attacks take advantage of systems that are, on purpose or by accident, not configured appropriately for security.

An asset is an item of economic value owned by an organization or an individual. Identification of assets within the risk analysis world is the first and most important step.

A threat is any agent, circumstance, or situation that could cause harm or loss to an IT asset.

A vulnerability is any weakness, such as a software flaw or logic design, that could be exploited by a threat to cause damage to an asset.

18 U.S.C § 1029 and 1030

Basically, the law gives the U.S. government the authority to prosecute criminals who traffic in, or use, counterfeit access devices. In short, the section criminalizes the misuse of any number of credentials, including pass- words, PIN numbers, token cards, credit card numbers, and the like.


Symmetric Encryption – The formula for calculating how many key pairs you will need is N (N – 1) / 2 where N is the number of nodes in the network

Symmetric algorithms:

  • DES A block cipher that uses a 56-bit key (with 8 bits reserved for parity); fixed blocked size.
  • 3DES A block cipher that uses a 168-bit key. 3DES (called triple DES) can use up to three keys in a multiple-encryption method.
  • AES (Advanced Encryption Standard) A block cipher that uses a key length of 128, 192, or 256 bits, and effectively replaces DES.
  • IDEA (International Data Encryption Algorithm) A block cipher that uses a 128-bit key.
  • Twofish A block cipher that uses a key size up to 256 bits.
  • Blowfish A fast block cipher, largely replaced by AES, using a 64-bit block size and a key from 32 to 448 bits.
  • RC (Rivest Cipher) Encompasses several versions from RC2 through RC6. A block cipher that uses a variable key length up to 2,040 bits. RC6, the latest version, uses 128-bit blocks, whereas RC5 uses variable block sizes (32, 64, or 128).

Asymmetric Encryption

Generally: public key = encrypt, private key = decrypt.

Asymmetric algorithms:

  • Diffie-Hellman Developed for use as a key exchange protocol, Diffie- Hellman is used in Secure Sockets Layer (SSL) and IPSec encryption.
  • Elliptic Curve Cryptosystem (ECC) Uses points on an elliptical curve, in conjunction with logarithmic problems, for encryption and signatures. Uses less processing power than other methods, making it a good choice for mobile devices.
  • El Gamal Not based on prime number factoring, this method uses the solving of discrete logarithm problems for encryption and digital signatures.
  • RSA An algorithm that achieves strong encryption through the use of two large prime numbers. Factoring these numbers creates key sizes up to 4,096 bits. RSA can be used for encryption and digital signatures and is the modern de facto standard.

Hash algorithms:

  • MD5 (Message Digest algorithm) Produces a 128-bit hash value output, expressed as a 32-digit hexadecimal.
  • SHA-1 Developed by the NSA (National Security Agency), SHA-1 produces a 160-bit value output, and was required by law for use in U.S. government applications.
  • SHA-2 Developed by the NSA, actually holds four separate hash functions that produce outputs of 224, 256, 384, and 512 bits.

Trust Models

  • web of trust, multiple entities sign certificates for one another.
  • single authority system has a CA at the top that creates and issues certs. Users trust each other based on the CA itself.
  • hierarchical trust system also has a CA at the top (which is known as the root CA), but makes use of one or more intermediate CAs underneath it— known as registration authorities (RAs)—to issue and manage certificates.

Cryptography Attacks:

  • Known plaintext attack In this attack, the hacker has both plaintext and corresponding ciphertext messages—the more, the better. The plaintext copies are scanned for repeatable sequences, which are then compared to the ciphertext versions. Over time, and with effort, this can be used to decipher the key.
  • Ciphertext-only attack In this attack, the hacker gains copies of several messages encrypted in the same way (with the same algorithm). Statistical analysis can then be used to reveal, eventually, repeating code, which can be used to decode messages later on.
  • Replay attack Most often performed within the context of a man-in-the- middle attack. The hacker repeats a portion of a cryptographic exchange in hopes of fooling the system into setting up a communications channel. The attacker doesn’t really have to know the actual data (such as the password) being exchanged, he just has to get the timing right in copying and then replaying the bit stream. Session tokens can be used in the communications process to combat this attack.

A digital certificate is an electronic file that is used to verify a user’s identity, providing non-repudiation throughout the system.

  • Version This identifies the certificate format.. The most common version in use is 1.
  • Serial Number Fairly self-explanatory, the serial number is used to uniquely identify the certificate itself.
  • Subject Whoever or whatever is being identified by the certificate.
  • Algorithm ID (or Signature Algorithm) Shows the algorithm that was used to create the digital signature.
  • Issuer Shows the entity that verifies the authenticity of the certificate. The issuer is the one who creates the certificates.
  • Valid From and Valid To These fields show the dates the certificate is good through.
  • Key Usage Shows for what purpose the certificate was created.
  • Subject’s Public Key A copy of the subject’s public key is included in the digital certificate.
  • Optional fields These fields include Issuer Unique Identifier, Subject Alternative Name, and Extensions.


FOR ECCouncil Vulnerability Research is part of the reconnaissance.

Difference in definition between reconnaissance and footprinting:

For many, recon is more of an overall, over-arching term for gathering information on targets, whereas footprint- ing is more of an effort to map out, at a high level, what the landscape looks like. They are interchangeable terms in CEH parlance, but if you just remember that footprinting is part of reconnaissance.


DNS is using port 53; Name lookups generally use UDP, whereas zone transfers use TCP.

DNS record types:

  • SRV- Service Defines the host name and port number of servers providing specific services, such as a Directory Services server.
  • SOA – Start Of Authority This record identifies the primary name server for the zone.The SOA record contains the host name of the server responsible for all DNS records within the namespace, as well as the basic properties of the domain.
  • PTR – Pointer Maps an IP address to a host name (providing for reverse DNS lookups).You don’t absolutely need a PTR record for every entry in your DNS namespace, but these are usually associated with e-mail server records.
  • NS – Name Server This record defines the name servers within your namespace.These servers are the ones that respond to your clients’ requests for name resolution.
  • MX -Mail Exchange This record identifies your e-mail servers within your domain.
  • CNAME – Canonical Name This record provides for domain name aliases within your zone. For example, you may have an FTP service and a web service running on the same IP address. CNAME records could be used to list both within DNS for you.
  • A – Address This record maps an IP address to a host name, and is used most often for DNS lookups.

DNS Footprinting tools: whois, nslookup, dig

Scanning and Enumeration

Relevant ICMP Message Types

  • 0: Echo Reply – Answer to a Type 8 Echo Request
  • 3: Destination Unreachable

Error message indicating the host or network cannot be reached.


0—Destination network unreachable

1—Destination host unreachable

6—Network unknown

7—Host unknown

9—Network administratively prohibited 10—Host administratively prohibited

13—Communication administratively prohibited

  • 4: Source Quench A congestion control message
  • 5: Redirect Sent when there are two or more gateways available for the sender to use, and     the best route available to the destination is not the configured default gateway.


0—Redirect datagram for the network

1—Redirect datagram for the host

  • 8: ECHO Request A ping message, requesting an Echo reply
  • 11:Time Exceeded The packet took too long to be routed to the destination (Code 0 is TTL expired).

The port numbers range from 0 to 65,535 and are split into three different groups:

  • Well-known: 0–1023
  • Registered: 1024–49151
  • Dynamic: 49152–65535

Some of the more important well-known port numbers to remember are:

  • FTP (20/21)
  • Telnet (23)
  • SMTP (25)
  • DNS (53),
  • POP3 (110)
  • NetBIOS (137–139)
  • SNMP (161/162)

The TCP header flags are:

  • URG (Urgent) When this flag is set, it indicates the data inside is being sent out of band.
  • ACK (Acknowledgment) This flag is set as an acknowledgment to SYN flags. This flag is set on all segments after the initial SYN flag.
  • PSH (Push) This flag forces delivery of data without concern for any buffering.
  • RST (Reset) This flag forces a termination of communications (in both directions).
  • SYN (Synchronize) This flag is set during initial communication establishment. It indicates negotiation of parameters and sequence numbers.
  • FIN (Finish) This flag signifies an ordered close to communications.

Nmap is the de-facto tool for footprinting networks. It is capable of finding live hosts, access points, fingerprinting

operating systems, and verifying services. It also has important IDS evasion capabilities.

nmap <scan options> <target>

-sA ACK scan

-sI FIN scan

-sL IDLE scan

-sN DNS scan

-sO NULL scan

-sP Ping scan

-sR RPC scan

-sS SYN scan

-sT TCP connect scan

-sW Window scan

-sX XMAS tree scan

-PI ICMP ping

-Po No ping

-PS SYN ping

-PT TCP ping

-oN normal output

-oX XML output

-T0 slowest – T4 fastest

Seven generic scan types for port scanning:

  • TCP Connect Runs through a full connection (three-way handshake) on all ports. Easiest to detect, but possibly the most reliable. Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
  • SYN Known as a “half-open scan.” Only SYN packets are sent to ports (no completion of the three-way handshake ever takes place). Open ports will respond with a SYN/ACK, closed ports with a RST/ACK.
  • FIN scans run the communications setup in reverse, sending a packet with the FIN flag set. Closed ports will respond with RST, whereas open ports won’t respond at all.
  • XMAS A Christmas scan is so named because the packet is sent with multiple flags (FIN, URG, and PSH) set. Closed ports will respond with RST, whereas open ports won’t respond at all
  • ACK Used mainly for Unix/Linux-based systems. Open ports will send RST, closed ports, no answer
  • IDLE Uses a spoofed IP address to elicit port responses during a scan. Designed for stealth, this scan uses a SYN flag and monitors responses as with a SYN scan.
  • NULL Almost the opposite of the XMAS scan. The NULL scan sends packets with no flags set. Responses will vary, depending on the OS and version, but NULL scans are designed for Unix/Linux machines.

War dialing is a process by which an attacker dials a set of phone numbers specifi- cally looking for an open modem.

War driving used to refer to, quite literally, driving around in a car looking for open access points. In the ethical hacking realm, it still indicates a search for open WAP

Simple Network Management Protocol was designed to manage IP-enabled devices across a network. As a result, if it is in use on the subnet, you can find out loads of information with properly formatted SNMP requests. Later versions of SNMP make this a little more difficult, but plenty of systems out there are still using the protocol in version 1.

Sniffers and Evasion

All Peoples Seems To Need Data Processing – mnemonic phrase to remember the layers.

  • ISO/OSI layers

Application – data

Presentation – data

Session   – data

Transport – segment

Network – packet

Data     -frames

Physical – byes

ISO/OSI to TCP/IP mapping(3 1 1 2)

  • TCP/IP Model layers




Network Access

The MAC address that is burned onto a NIC is actually made of two sections.The first half of the address, 3 bytes (24 bits), is known as the Organizational Unique Identifier, and is used to identify the card manufacturer.The second half is a unique number burned in at manufacturing, to ensure no two cards on any given subnet will have the same address.

MAC Spoofing Set the MAC address of a NIC to the same value as another

MAC Flooding Overwhelm the CAM (content addressable memory) table of the switch so it coverts to hub mode

ARP Poisoning Inject incorrect information into the ARP caches of two or more endpoints.


Snort rule:

alert tcp !HOME_NET any -> $HOME_NET 31337 (msg :"BACKDOOR ATTEMPT-Backorifice")

If you happen to come across a packet from any address that is not my home network, using any source port, intended for an address within my home network on port 31337, alert me with the message ‘BACKDOOR ATTEMPT-Back- orifice.’”

Span port = port mirroring

False negative – when an IDS reports a particular stream as clean but it’s not

Wireshark display filters

Display filters work basically like: proto.field operator value

Analyse the following examples:

tcp.flags == 0x29
ip.addr !=
tcp.port eq 25 or icmp
ip.src== and ip.dst==
http.request.uri matches "login.html"

Tcpdump syntax:

tcmdump flag(s) interface

Attacking a System

EC-Council rules for the passwords:

  • The password must not contain any part of the user’s name. For example, a password of “[email protected]!” wouldn’t work for the CEH exam, because you can clearly see my name there.
  • The password must have a minimum of eight characters. Eight is okay. Nine is better. Seven? Not so good.
  • The password must contain characters from at least three of the four major components of complexity—that is, special symbols (such as @&*#$), uppercase letters, lowercase letters, and numbers. [email protected] contains all four, whereas use8chars uses only two.

LM Hashing – 7 spaces hashed = AAD3B435B51404EE

Four main attack types are defined within CEH.

  • passive online attack basically amounts to sniffing a wire in the hopes of either intercepting a password in clear text or attempting a replay or man-in- the-middle (MITM) attack.
  • active online, occurs when the attacker begins simply trying passwords—guessing them, for lack of a better word
  • offline attacks occur when the hacker steals a copy of the password file (remember our discussion on the SAM file earlier?) and works the cracking efforts on a separate system.
  • non-electronic = the social engineering.

sidejacking. The idea is to steal the cookies exchanged between two systems and ferret out which one to use as a replay-style attack

Social Engineering and Physical Security

Human-Based Attacks

  • Dumpster diving
  • Impersonation
  • Technical support
  • Shoulder surfing
  • Tailgating and piggybacking

Computer-Based Attacks

  • phishing.

Types of Social Engineers

  • Insider Associates Have limited authorized access, and escalate privileges from there.
  • Insider Affiliates Are insiders by virtue of an affiliation, they spoof the identity of the insider.
  • Outsider Affiliates Are nonͲtrusted outsiders that use an access point that was left open.

Physical Security

Three major categories of physical security measures:

  • Physical measures include all the things you can touch, taste, smell, or get shocked by. For example, lighting, locks, fences, and guards with Tasers are all physical measures.
  • Technical measures are a little more com- plicated. These are measures taken with technology in mind, to protect explicitly at the physical level. For example, authentication and permissions may not come across as phys- ical measures, but if you think about them within the context of smart cards and bio- metrics, it’s easy to see how they should become technical measures for physical security.
  • Operational measures are the policies and procedures you set up to enforce a security-minded operation.

Web-Based Hacking

This dot-dot-slash attack is also known as a variant of “Unicode” or unvalidated input attack.

SQL injection attacks types:

  • Union query The thought here is to make use of the UNION command to return the union of your target database with one you’ve crafted to steal data from it.
  • Tautology An overly complex term used to describe the behavior of a database system when deciding whether or not a statement is true. Because user IDs and passwords are often compared, and the “true” measure allows access, if you trick the database by providing something that is already true (1 does, indeed, equal 1), then you can sneak by.
  • Blind SQL injection This occurs when the attacker knows the database is susceptible to injection, but the error messages and screen returns don’t come back to the attacker. Because there’s a lot of guesswork and trial and error, this attack takes a long while to pull off.
  • Error-based SQL injection This isn’t necessarily an attack so much as an enumeration technique. The objective is to purposely enter poorly constructed statements in an effort to get the database to respond with table names and other information in its error messages.

The buffer overflow attack categories are as follows:

  • Stack This idea comes from the basic premise that all program calls are kept in a stack and executed in order. If you affect the stack with a buffer overflow, you can perhaps change a function pointer or variable to allow code execution.
  • Heap Also referred to as heap overflow, this attack takes advantage of the memory “on top of” the application, which is allocated dynamically at runtime. Because this memory usually contains program data, you can cause the application to overwrite function pointers.
  • NOP Sled A NOP sled makes use of a machine instruction called “no-op.” In the attack, a hacker sends a large number of NOP instructions into the buffer, appending command code instruction at the end. Because this attack is so common, most IDSs protect against it.

Dangerous Functions for buffer overflows

The following functions are dangerous because they do not check the size of the destination buffers:





Wireless Network hacking

802.11 Specifications

Spec   Distance Speed Freq

802.11a 30M     54Mbps   5Ghz

802.11b 100M   11Mbps 2.4Ghz

802.11g 100M   54Mbps 2.4Ghz

802.11n 125M   100Mbps+ 2.4Ghz, 5Ghz


WEP Uses RC4 for the stream cipher with a 24b initialization vector

Key sizes are 40b or 104b

WPA Uses RC4 for the stream cipher but supports longer keys; 48 bits IV

WPA/TKIP Changes the IV with each frame and includes key mixing

WPA2 Uses AES as the stream cipher and includes all the features of TKIP; 48 bits IV.


Rogue APs (evil twins) may also be referenced as a “mis- association” attack.


Bluetooth attackes :

Bluesmacking is simply a denial-of-service attack against a device.

Bluejacking consists of sending unsolicited messages to, and from, mobile devices.

Bluesniffing is exactly what it sounds like, and, finally.

Bluescarfing is the actual theft of data from a mobile device.

Trojans and Other Attacks

Windows will automatically run everything located in Run, RunServices, RunOnce, and RunServicesOnce

Virus types:

  • Boot sector virus Also known as a system virus, this virus type actually moves the boot sector to another location on the hard drive, forcing the virus code to be executed first. They’re almost impossible to get rid of once you get infected. You can re-create the boot record—old-school fdisk or mbr could do the trick for you—but it’s not necessarily a walk in the park.
  • Shell virus Working just like the boot sector virus, this virus type wraps itself around an application’s code, inserting its own code before the application’s. Every time the application is run, the virus code is run first.
  • Multipartite virus Attempts to infect both files and the boot sector at the same time. This generally refers to a virus with multiple infection vectors. This link describes one such DOS-type virus: http://www.f-secure.com/v-descs/ neuroqui.shtml. It was multipartite, polymorphic, retroviral, boot sector, and generally a pretty wild bit of code.
  • Macro virus Usually written with VBA (Visual Basic for Applications), this virus type infects template files created by Microsoft Office—normally Word and Excel. The Melissa virus was a prime example of this.
  • Polymorphic code virus This virus mutates its code using a built-in polymorphic engine. These viruses are very difficult to find and remove because their signatures constantly change.
  • Metamorphic virus This virus type rewrites itself every time it infects a new file.

DOS attack types:

  • SYN attack The hacker will send thousands upon thousands of SYN packets to the machine with a false source IP address. The machine will attempt to respond with a SYN/ACK but will be unsuccessful (because the address is false). Eventually, all the machine’s resources are engaged and it becomes a giant paperweight.
  • SYN flood In this attack, the hacker sends thousands of SYN packets to the target, but never responds to any of the return SYN/ACK packets. Because there is a certain amount of time the target must wait to receive an answer to the SYN/ACK, it will eventually bog down and run out of available connections.
  • ICMP flood Here, the attacker sends ICMP Echo packets to the target with a spoofed (fake) source address. The target continues to respond to an address that doesn’t exist and eventually reaches a limit of packets per second sent.
  • Application level A simple attack whereby the hacker simply sends more “legitimate” traffic to a web application than it can handle, causing the system to crash.
  • Smurf The attacker sends a large number of pings to the broadcast address of the subnet, with the source IP spoofed to that of the target. The entire subnet will then begin sending ping responses to the target, exhausting the resources there. A fraggle attack is similar, but uses UDP for the same purpose.
  • Ping of death In the ping of death, an attacker fragments an ICMP message to send to a target. When the fragments are reassembled, the resultant ICMP packet is larger than the maximum size and crashes the system.

(My) CISSP Notes – Bibliography

This is the last ticket from/for “(My) CISSP Notes” and will contains links to the materials that I used for the preparation of the exam.


  • CISSP study guide – This was my main source of information.
  • CISSP for dummies – This was my second source of information; very easy to read and understand but not sufficient to pass the exam.
  • 11th Hour CISSP: Study guide – This is a short version of the CISSP study guide . I use it for a quick review the last few days before the exam.
  • CISSP Boxed Set – This box set contains a study guide and a book with practice exams. I used the study guide only punctually for specific topics and I found it very complete. I tried at the beginning the use it as the main source of information but the main problem is the huge quantity of information (1400 pages).

Practice Exams

Audio Postcasts

  • McGraw-Hill Education CISSP Podcasts – The podcasts are covering all the domains and are of quite good (audio) quality.  If you don’t have the time to listen everything then you could choose the listen only the review podcasts containing only the most important information.

(My) CISSP Notes – Security Operations

Note: This notes were made using the following books: “CISPP Study Guide” and “CISSP for dummies”.

Operations Security is concerned with threats to a production operating environment.

So operations security is about people, data, media, hardware, and the threats associated with each of these in a production environment.

Administrative security

One fundamental aspect of operations security is ensuring that controls are in place to inhibit people either inadvertently or intentionally compromising the confidentiality, integrity, or availability of data or the systems and media holding that data. Administrative Security provides the means to control people’s operational access to data.

Administrative personnel controls :

  • least privilege – the principle of least privilege dictates that persons have no more than the access that is strictly required for the performance of their duties.
  • need to know – only people with a valid need to know certain information in order to perform their job functions, should have access to that information.An extension to the principle of least privilege in MAC environments is the concept of compartmentalizationCompartmentalization, a method for enforcing need to know, goes beyond the mere reliance upon clearance level and necessitates simply that someone requires access to information.
  • separation of duties –  prescribes that multiple people are required to complete critical or sensitive transactions.The goal of separation of duties is to ensure that in order for someone to be able to abuse their access to sensitive data or transactions; they must convince another party to act in concert. Collusion is the term used for the two parties conspiring to undermine the security of the transaction.
  • rotation of duties – also known as job rotation or rotation of responsibilities, provides an organization with a means to help mitigate the risk associated with any one individual having too many privileges.Rotation of duties simply requires that critical functions or responsibilities are not continuously performed by the same single person without interruption.
  • mandatory leave – an additional operational control that is closely related to rotation of duties is that of mandatory leave, also known as forced vacation.
  • non-disclouse agreement (NDA) – is a work-related contractual agreement that ensures that, prior to being given access to sensitive information or data, an individual or organization appreciates their legal responsibility to maintain the confidentiality of sensitive information.
  • background checks – also known as background investigations or preemployment screening; are an additional administrative control commonly employed by many organizations.

Sensitive information/media security

Wherever the data exists, there must be processes that ensure the data is not destroyed or inaccessible (a breach of availability), disclosed, (a breach of confidentiality) or altered (a breach of integrity).

Perhaps the most important step in media security is the process of locating sensitive information, and labeling or marking it as sensitive.

People handling sensitive media should be trusted individuals who have been vetted by the organization.

When storing sensitive information, it is preferable to encrypt the data. Encryption of data at rest greatly reduces the likelihood of the data being disclosed in an unauthorized fashion due to media security issues.

The term data remanence is important to understand when discussing media sanitization and data destruction. Data remanence is data that persists beyond noninvasive means to delete it.

Wiping, also called overwriting or shredding, writes new data over each bit or block of file data.

By introducing an external magnetic field through use of a degausser, the data on magnetic storage media can be made unrecoverable.

Asset management

  • Patch management – One of the most basic, yet still rather difficult, tasks associated with maintaining strong system security configuration is patch management, the process of managing software updates.
  • Vulnerability management – Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information.
  • Change management – In order to maintain consistent and known operational security, a regimented change management or change control process needs to be followed. The purpose of the change control process is to understand, communicate, and document any changes with the primary goal of being able to understand, control, and avoid direct or indirect negative impact that the change might impose.

Continuity of operation

Three basic types of backups exist:

  • full backup – is the easiest to understand of the types of backup; it simply is a replica of all allocated data on a hard disk. Full backups contain all of the allocated data on the hard disk, which makes them simple from a recovery standpoint in the event of a failure.
  • incremental backup – one alternative to exclusively relying upon full backups is to leverage incremental backups. Incremental backups only archive files that have changed since the last backup of any kind was performed. Since fewer files are backed up, the time to perform the incremental backup is greatly reduced.
  • differential backup – while the incremental backup only archived those files that had changed since any backup, the differential method will back up any files that have been changed since the last full backup.

Redundant array of inexpensive disks (RAID)

The goal of a Redundant Array Inexpensive Disks (RAID) is to help mitigate the risk associated with hard disk failures.

Three terms that are important to understand with respect to RAID are:

  • mirroring – is the most obvious and basic of the fundamental RAID concepts, and is simply used to achieve full data redundancy by writing the same data to multiple hard disks.
  • striping – is a RAID concept that is focused on increasing the read and write performance by spreading data across multiple hard disks. With data being spread amongst multiple disk drives, reads and writes can be performed in parallel across multiple disks rather than serially on one disk.
  • parity – is a means to achieve data redundancy without incurring the same degree of cost as that of mirroring in terms of disk usage and write performance.

RAID 0: Striped Set As is suggested by the title, RAID 0 employs striping to increase the performance of read and writes. By itself, striping offers no data redundancy so RAID 0 is a poor choice if recovery of data is the reason for leveraging RAID.

RAID 1: Mirrored Set This level of RAID is perhaps the simplest of all RAID levels to understand. RAID 1 creates/writes an exact duplicate of all data to an additional disk. The write performance is decreased, though the read performance can see an increase.

RAID 2: Hamming Code RAID 2 is not considered commercially viable for hard disks and is not used. This level of RAID would require either 14 or 39 hard disks and a specially designed hardware controller, which makes RAID 2 incredibly cost prohibitive. RAID 2 is not likely to be tested.

RAID 3: Striped Set with Dedicated Parity (byte level) Striping is desirable due to the performance gains associated with spreading data across multiple disks. However, striping alone is not as desirable due to the lack of redundancy. With RAID 3 data, at the byte level, is striped across multiple disks, but an additional disk is leveraged for storage of parity information, which is used for recovery in the event of a failure.

RAID 4: Striped Set with Dedicated Parity (block level) RAID 4 provides the exact same configuration and functionality as that of RAID 3, but stripes data at the block, rather than byte, level.

RAID 5: Striped Set with Distributed Parity One of the most popular RAID configurations is that of RAID 5, Striped Set with Distributed Parity. Again with RAID 5 there is a focus on striping for the performance increase it offers, and RAID 5 leverages a block level striping. Like RAIDs 3 and 4, RAID 5 writes parity information that is used for recovery purposes. However, unlike RAIDs 3 and 4, which require a dedicated disk for parity information, RAID 5 distributes the parity information across multiple disks.

RAID 6: Striped Set with Dual Distributed Parity While RAID 5 accommodates the loss of any one drive in the array, RAID 6 can allow for the failure of two drives and still function. This redundancy is achieved by writing the same parity information to two different disks.

System redundancy

The most common example of this in-built redundancy is systems or devices which have redundant onboard power in the event of a power supply failure. In addition to redundant power, it is also common to find redundant network interface cards (NICs), as well as redundant disk controllers.

Some applications and systems are so critical that they have more stringent uptime requirements than can be met by standby redundant systems, or spare hardware. These systems and applications typically require what is commonly referred to as a high-availability (HA) or failover cluster. A high-availability cluster employs multiple systems that are already installed, configured, and plugged in, such that if a failure causes one of the systems to fail then the other can be seamlessly leveraged to maintain the availability of the service or application being provided.

Incident response management

Incident handling or incident response are the terms most commonly associated with how an organization proceeds to identify, react, and recover from security incidents.

Computer Security Incident Response Team (CSIRT) is a term used for the group that is tasked with monitoring, identifying, and responding to security incidents.

Phases of incident responses :

  • detection – one of the most important steps in the incident response process is the detection phase. Detection is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.
  • containment – is the point at which the incident response team attempts to keep further damage from occurring as a result of the incident.This phase is also typically where a binary (bit by bit) forensic backup is made of systems involved in the incident.
  • eradication – involves the process of understanding the cause of the incident so that the system can be reliably cleaned and ultimately restored to operational status later in the recovery phase.
  •  recovery – involves cautiously restoring the system or systems to operational status.
  • reporting – is the one most likely to be neglected in immature incident response programs. This fact is unfortunate because the reporting phase, if done right, is the phase that has the greatest potential to effect a positive change in security posture. The goal of the reporting phase is to provide a final report on the incident, which will be delivered to management.