cissp tips - cloudinary · oracle 1521 h.323 1720 pptp 1723 rdp 3389. reproduction prohibited ......


Post on 31-May-2020

TRANSCRIPT

Page 1

Reproduction prohibited

CISSP TIPS PART 2

ENTREPRENEUR | CISO ADVISOR | CYBERFEMINIST | PEERLYST BRAND AMBASSADOR | TOP 50 CYBER INFLUENCER | @RESPONSIBLE CYBER

MAGDA LILIA CHELLY

Page 2

OVERVIEW

ISC2 REQUIREMENTS ON INDIVIDUALS

THESE INCLUDE:

• BACKGROUND

• FIVE YEARS EXPERIENCE IN ANY OF THE 8 DOMAINS OR FOUR YEARS EXPERIENCE AND A COLLEGE DEGREE

• TEST FEE

• APPROVED APPLICATION

• AGREEMENT TO THE ISC2 CODE OF ETHICS

Page 3

DOMAINS

THE 8 DOMAINS ARE:

1. SECURITY AND RISK MANAGEMENT

2. ASSET SECURITY

3. SECURITY ENGINEERING

4. COMMUNICATION AND NETWORK SECURITY

5. IDENTITY AND ACCESS MANAGEMENT

6. SECURITY ASSESSMENT AND TESTING

7. SECURITY OPERATIONS

8. SOFTWARE DEVELOPMENT SECURITY

Page 4

EXERCISE

Classify each of the following as an attack on confidentiality, integrity, and/or availability (more than one may apply) and justify your answers. Post on Peerlyst.com.

• Olavi crashes Sami's system

• Pierre forges Paul's signature

• Sami spoofs Mandy's IP address to gain access to her laptop

• Tom publishes company internal document on his blog

• Someone copies your article

• James added a zero to Paul’s bank cheque and changed it from 100€ to 1000€

Page 5

IDENTITY AND ACCESS MANAGEMENT

Page 6

▪ Identity and access management overview

▪ Identification mechanisms

▪ Authentication factors

▪ Password authentication protocols

▪ Enforcing accountability

▪ Managing credentials with policies

▪ Using access control lists

▪ Defending against access control attacks

Page 7

A key aspect of security is access control: whether or not to accept a request.

Page 8

Identification & Authentication

▪ Representing identity: Users, groups, roles, certificates.

▪ Information systems possess the characteristic of identification when they are able to recognize individual users;

▪ Authentication occurs when a control provides proof that a user possesses the identity that he or she claims;

▪ Identification and authentication are essential to establishing the level of access or authorization that an individual is granted;

▪ Authentication is a technical concept: e.g., it can be solved through cryptography;

Page 9

AUTHENTICATION can be accomplished by biometrics, a password, a passphrase, a one-time password, or a token.

Page 10

Page 11

Authorization

Policy stating who is allowed to do which actions on what resources. Once a user or computer is authorized, it is granted specific rights, such as access, update, delete, etc.

Page 12

Access control = Mechanism by which services know whether to accept or deny requests.

There are four pieces to the process:

• Identification: Claiming an identity.

• Authentication: Who are you? What do you have? What are you?

• Authorization: Expressing a permission.

• Decision: Accept or reject the request.

Page 13

• Access control is a must in information security.

• The information owner defines the classification of the data and assets.

• The custodian implements the right controls.

Page 14

• ADMINISTRATIVE

• TECHNICAL (LOGICAL)

• PHYSICAL

Page 15

ADMINISTRATIVE CONTROLS:

• POLICIES

• STANDARDS

• PROCEDURES

• GUIDELINES

• PERSONNEL SCREENING

• AWARENESS TRAINING

Page 16

TECHNICAL (LOGICAL) CONTROLS:

• NETWORK ARCHITECTURE

• ENCRYPTION

• SECURITY DEVICES

• IDENTIFICATION AND AUTHENTICATION

Page 17

PHYSICAL CONTROLS:

• BUILDING PROTECTION

• SECURITY GUARDS

• LOCKS

• MONITORING

• DATA BACKUPS

• MOTION OR THERMAL ALARM SYSTEMS

Page 18

• DISCRETIONARY ACCESS CONTROL

• MANDATORY ACCESS CONTROL

• NON-DISCRETIONARY ACCESS CONTROL

• ROLE-BASED ACCESS CONTROL

• Identification

• Authentication

• Authorization

• Accountability

Page 19

DISCRETIONARY ACCESS CONTROL: OBJECT ACCESS RESTRICTED TO THE IDENTITY OF THE SUBJECT

Page 20

MANDATORY ACCESS CONTROL (MAC) USES A SECURITY LABEL SYSTEM.

USERS HAVE CLEARANCES, AND RESOURCES HAVE SECURITY LABELS WITH DATA CLASSIFICATIONS.

Page 21

NONDISCRETIONARY ACCESS CONTROL IS BASED ON A ROLE-BASED APPROACH TO DEFINE RIGHTS AND PERMISSIONS.

(Figure: roles, e.g. Role 1, Role 2)

Page 22

Role-based access control (RBAC) = User roles and permissions

Pros:

• Scalable

• Flexible

• Less administrative tasks

Cons:

• Provisioning

• Maintenance

• Static
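The three models on pages 19 to 22 differ in who decides and on what basis. The following Python is an added example, not code from the deck: a toy decision engine that runs the same request through DAC (owner-managed ACL), MAC (clearance must dominate the resource label) and RBAC (roles map to permissions). The users, roles, labels and ACL entries are constructed sample data, and the MAC check is a simplified "no read-up" rule, not a full Bell-LaPadula model.

```python
"""Toy decision engine for the access control models on pages 19-22:
DAC (owner-managed ACL), MAC (clearance vs. security label) and RBAC (roles -> permissions).
Added example, not from the deck; every user, role, label and ACL below is constructed."""
from dataclasses import dataclass, field

# MAC: data classifications ordered from least to most sensitive (constructed lattice).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# RBAC: role -> permitted actions (constructed).
ROLE_PERMISSIONS = {
    "doctor": {"read", "update"},
    "researcher": {"read"},
    "admin": {"read", "update", "delete"},
}


@dataclass
class Subject:
    name: str
    clearance: str                                   # MAC clearance
    roles: set = field(default_factory=set)          # RBAC roles


@dataclass
class Resource:
    name: str
    owner: str                                       # DAC: the owner grants access
    label: str                                       # MAC security label
    acl: dict = field(default_factory=dict)          # DAC: subject name -> allowed actions


def dac_allows(subject, resource, action):
    """DAC: access is restricted to the identities the owner put on the ACL."""
    if subject.name == resource.owner:
        return True
    return action in resource.acl.get(subject.name, set())


def mac_allows(subject, resource, action):
    """MAC: the subject's clearance must dominate the resource's label (simplified:
    no read-up; the write rules of a full Bell-LaPadula model are omitted)."""
    return LEVELS[subject.clearance] >= LEVELS[resource.label]


def rbac_allows(subject, resource, action):
    """RBAC: the subject may do whatever any of its roles permits."""
    allowed = set()
    for role in subject.roles:
        allowed |= ROLE_PERMISSIONS.get(role, set())
    return action in allowed


def decide(model, subject, resource, action):
    """The 'decision' step from page 12: accept or deny one request under one model."""
    checks = {"DAC": dac_allows, "MAC": mac_allows, "RBAC": rbac_allows}
    return "ACCEPT" if checks[model](subject, resource, action) else "DENY"


# Constructed sample data: a doctor who owns a record and a researcher with an ACL entry.
alice = Subject("alice", clearance="secret", roles={"doctor"})
bob = Subject("bob", clearance="internal", roles={"researcher"})
record = Resource("patient-record", owner="alice", label="confidential", acl={"bob": {"read"}})


def demo():
    """Run the same requests through each model; the models disagree, which is the point."""
    requests = [
        ("DAC", bob, "read"), ("DAC", bob, "delete"),
        ("MAC", bob, "read"), ("MAC", alice, "read"),
        ("RBAC", alice, "update"), ("RBAC", bob, "update"),
    ]
    return {(m, s.name, a): decide(m, s, record, a) for m, s, a in requests}


if __name__ == "__main__":
    for key, verdict in demo().items():
        print(key, verdict)
```

Bob can read the record under DAC because alice put him on the ACL, but MAC denies the same read because his "internal" clearance does not dominate the "confidential" label; that is exactly the difference between owner discretion and a label system that the slides describe.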

Page 23

• Manageability problems

• Scalability problems

• Granularity

• Delegation

• Revocation

Page 24

(Cartoon)

“Doctor… I don’t want my information to be shared with researchers who are not HIPAA compliant!!”

“Sure!”

“You have data release requests from 510 researchers.”

“Oh Gosh! How do I do that?!”

Page 25

PREVENTIVE CONTROLS: CONTROLS TO AVOID

• No internal or external access

• Example: Security policy

DETECTIVE CONTROLS: CONTROLS THAT IDENTIFY

• Track an unauthorized transaction

Page 26

CORRECTIVE CONTROLS: CONTROLS THAT REMEDY

• Recover or restore operations

DETERRENT CONTROLS: CONTROLS THAT DISCOURAGE

• Used to encourage or increase compliance

Page 27

RECOVERY CONTROLS: CONTROLS THAT RESTORE

• Example: Offsite facility

COMPENSATIVE CONTROLS: CONTROLS THAT PROVIDE ALTERNATIVES TO OTHER CONTROLS

Page 28

Single sign-on technology: the user authenticates to the network only one time.

KERBEROS

• A user receives a ticket from the KDC

• The Kerberos user receives a ticket granting ticket (TGT)

• The user requests access through the ticket granting service (TGS).

• The TGS generates a new ticket with the session keys.
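The ticket flow above, as an added Python simulation that is not code from the deck and is not a real Kerberos implementation: the cipher is a toy (a SHA-256 keystream plus an HMAC tag) standing in for a Kerberos encryption type, and the user database, the KDC keys, the user "alice" and the service "fileserver" are all constructed. What it does show is the shape of the exchange: the AS issues a TGT sealed with the TGS key plus a session key sealed with the user's long-term key, the TGS checks the TGT and an authenticator before issuing a service ticket, and the password itself never crosses the wire, which is the strength listed on the next slide.

```python
"""Toy simulation of the Kerberos ticket flow on page 28 (AS -> TGT -> TGS -> service ticket).
Added example, not the deck's code and not real Kerberos: the cipher is a toy
(SHA-256 keystream + HMAC tag) standing in for a Kerberos encryption type, and the
user database, keys and service names are constructed."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key, obj):
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    data = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password):
    """Client and KDC both derive the long-term key; the password itself never goes on the wire."""
    return hashlib.sha256(b"toy-salt|" + password.encode()).digest()


# --- KDC state (constructed) -------------------------------------------------
KDC_DB = {"alice": derive_key("correct horse")}   # user -> long-term key
TGS_KEY = os.urandom(32)                          # known only to the KDC's TGS
SERVICE_KEYS = {"fileserver": os.urandom(32)}     # shared between KDC and each service


def as_exchange(user):
    """Authentication Service: issue a TGT (sealed with TGS_KEY) plus the TGT session key
    sealed with the user's long-term key. No password is checked here; only the rightful
    user can open the second blob."""
    session = os.urandom(32).hex()
    tgt = encrypt(TGS_KEY, {"user": user, "session": session, "exp": time.time() + 600})
    return tgt, encrypt(KDC_DB[user], {"session": session})


def tgs_exchange(tgt, authenticator, service):
    """Ticket Granting Service: open the TGT, check the authenticator under the TGT session
    key, then issue a service ticket carrying a fresh session key."""
    t = decrypt(TGS_KEY, tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    session = bytes.fromhex(t["session"])
    if decrypt(session, authenticator)["user"] != t["user"]:
        raise ValueError("authenticator does not match TGT")
    svc_session = os.urandom(32).hex()
    ticket = encrypt(SERVICE_KEYS[service], {"user": t["user"], "session": svc_session})
    return ticket, encrypt(session, {"service": service, "session": svc_session})


def client_login(user, password, service):
    """Client side of the flow; returns the service ticket and the service session key."""
    key = derive_key(password)
    tgt, blob = as_exchange(user)
    session = bytes.fromhex(decrypt(key, blob)["session"])   # wrong password fails here
    authenticator = encrypt(session, {"user": user, "ts": time.time()})
    ticket, blob2 = tgs_exchange(tgt, authenticator, service)
    return ticket, bytes.fromhex(decrypt(session, blob2)["session"])


def service_accepts(service, ticket, svc_session):
    """The service opens the ticket with its own key; a matching session key shows the
    client obtained it through the KDC rather than by forging it."""
    return bytes.fromhex(decrypt(SERVICE_KEYS[service], ticket)["session"]) == svc_session


def login_ok(user, password, service):
    try:
        ticket, svc_session = client_login(user, password, service)
    except ValueError:
        return False
    return service_accepts(service, ticket, svc_session)
```

The server-to-client half of mutual authentication (the service replying with the authenticator timestamp under the session key) and the pre-authentication step of real Kerberos are left out to keep the example short; the replay window and ticket lifetimes are likewise simplified to a single expiry field.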

Page 29

Kerberos Strengths:

• Client and Server mutually authenticate

• Users’ passwords are never sent across the network

• Secret keys are only passed encrypted

Page 30

SESAME: SECURE EUROPEAN SYSTEM IN A MULTIVENDOR ENVIRONMENT

Sesame uses symmetric and asymmetric encryption.

Page 31

KERBEROS VS SESAME: SYMMETRIC VS SYMMETRIC & ASYMMETRIC

Page 32

SECURITY ASSESSMENT AND TESTING

Page 33

▪ Design and validate assessment and test strategies

▪ Vulnerability assessment

▪ Penetration testing

▪ Log reviews

▪ Synthetic transactions

▪ Code review and testing (e.g. manual, dynamic, static, fuzz)

▪ Misuse case testing

▪ Test coverage analysis

▪ Interface testing (e.g. API, UI, physical)

▪ Backup verification data

Page 34

(Figure: Social Engineer / Hacker reaches the Employee through Social Engineering, or the Network through the Firewall by Traditional Hacking.)

Page 35

Social engineering is an art mixed with science.

Or

Social engineering is an attack using manipulation to access confidential information.

Page 36

Most common social engineering scenarios:

• Scenario with a sense of urgency: Car accident or stolen wallet in a foreign country

• Impersonating someone important such as a CEO: CEO Fraud

• Mentioning popular events: Manchester Vs Barca Replay

• Offering an incentive: Free ticket to Britney’s concert

Page 37

Security assessments are security reviews of a system, application, or other tested environment.

Page 38

Page 39

Page 40

Page 41

Vulnerability scans check systems, applications, and networks, looking for vulnerabilities that may be exploited.

Page 42

Vulnerability scans check systems, applications, and networks, looking for vulnerabilities that may be exploited = Security testing tools

Page 43

Network Discovery Scanning

• TCP Connect Scanning

• TCP ACK Scanning

• Xmas Scanning

Page 44

The TCP SYN scan sends a SYN packet and receives back a SYN ACK packet. It does NOT send the final ACK.
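The half-open handshake just described is also what a defender looks for: one stalled handshake is normal, but many of them from one source in a short burst is the signature of a SYN scan. The Python below is an added example, not from the deck, that finds that pattern in a connection log. The log format is constructed (one CSV row per connection with a handshake column summarising what a sensor saw), as are the addresses and timestamps; the sliding-window threshold values are assumptions to tune for a real network.

```python
"""Detecting the half-open pattern of a SYN scan (page 44) in a connection log.
Added example, not from the deck. The log format is constructed: one CSV row per
connection with a 'handshake' column summarising what the sensor saw."""
import csv
import io
from collections import defaultdict

# Constructed sample log (not real traffic). HALF_OPEN = SYN and SYN/ACK seen, no final ACK.
SAMPLE_LOG = """\
ts,src,dst,dport,handshake
1000.0,10.0.0.9,10.0.0.5,21,HALF_OPEN
1000.1,10.0.0.9,10.0.0.5,22,HALF_OPEN
1000.2,10.0.0.9,10.0.0.5,23,HALF_OPEN
1000.3,10.0.0.9,10.0.0.5,80,HALF_OPEN
1000.4,10.0.0.9,10.0.0.5,443,HALF_OPEN
1000.5,10.0.0.9,10.0.0.5,1433,HALF_OPEN
1001.0,10.0.0.20,10.0.0.5,80,COMPLETE
1002.0,10.0.0.20,10.0.0.5,443,COMPLETE
1003.0,10.0.0.21,10.0.0.5,22,HALF_OPEN
1900.0,10.0.0.21,10.0.0.5,80,HALF_OPEN
"""


def parse_log(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"ts": float(r["ts"]), "src": r["src"], "dst": r["dst"],
                     "dport": int(r["dport"]), "handshake": r["handshake"]})
    return rows


def find_syn_scanners(rows, window=5.0, min_ports=5):
    """Flag sources that half-open at least `min_ports` distinct (dst, port) pairs within
    `window` seconds. A single stalled handshake is normal; many in a burst are a scan.
    Returns {src: most distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for r in rows:
        if r["handshake"] == "HALF_OPEN":
            by_src[r["src"]].append((r["ts"], r["dst"], r["dport"]))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                       # slide the window forward
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, n in find_syn_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible SYN scan from {src}: {n} half-open targets")
```

The host 10.0.0.21 also leaves two half-open connections, but fifteen minutes apart, so the window never contains more than one and it is not flagged; that is the difference between a flaky client and a scanner.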

Page 45

The most popular tool for network discovery scanning is an open source tool called nmap.

Page 46

A network vulnerability scan scans the network in more depth than a discovery scan.

Page 47

FTP 21

SSH 22

Telnet 23

SMTP 25

DNS 53

HTTP 80

POP3 110

NTP 123

HTTPS 443

Microsoft SQL Server 1433

Oracle 1521

H.323 1720

PPTP 1723

RDP 3389

Page 48

Open ports = Security risks

Ports 80 and 443 are expected to be open.

Port 1433 is a database port and should NOT be exposed.
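Turning the two rules on this slide into a repeatable check, as an added Python example that is not from the deck: each open port found by a scan is compared against what the host's role is allowed to expose, and ranked. The port-to-service map is the deck's own table from page 47; the scan result format, the host addresses (TEST-NET-3), the role policy and the severity labels are constructed and would be replaced by the organisation's own inventory and policy.

```python
"""Triage of open ports against an exposure policy (pages 47-48).
Added example, not from the deck. The scan result format and the per-role policy
are constructed; the port-to-service map is the deck's own table."""
import csv
import io

# Well-known ports as listed on page 47.
KNOWN_PORTS = {
    21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
    110: "POP3", 123: "NTP", 443: "HTTPS", 1433: "Microsoft SQL Server",
    1521: "Oracle", 1720: "H.323", 1723: "PPTP", 3389: "RDP",
}
# Constructed policy: what each host role may expose to the internet.
ALLOWED_BY_ROLE = {"web": {80, 443}, "mail": {25, 443}, "bastion": {22}}
NEVER_EXPOSE = {1433, 1521}          # database listeners (page 48: should NOT be exposed)
CLEARTEXT = {21, 23, 110}            # credentials cross the wire unencrypted
SEVERITY_RANK = {"expected": 0, "unexpected": 1, "high": 2, "critical": 3}

# Constructed scan result (not real scanner output): host,role,port,state
SAMPLE_SCAN = """\
host,role,port,state
203.0.113.10,web,80,open
203.0.113.10,web,443,open
203.0.113.10,web,1433,open
203.0.113.10,web,22,open
203.0.113.11,mail,25,open
203.0.113.11,mail,110,open
203.0.113.11,mail,443,closed
203.0.113.12,bastion,22,open
203.0.113.12,bastion,3389,open
"""


def parse_scan(text):
    return [{"host": r["host"], "role": r["role"], "port": int(r["port"]), "state": r["state"]}
            for r in csv.DictReader(io.StringIO(text))]


def classify(port, role):
    """Order matters: a forbidden port is critical even if some role would allow it."""
    if port in NEVER_EXPOSE:
        return "critical"
    if port in CLEARTEXT:
        return "high"
    if port in ALLOWED_BY_ROLE.get(role, set()):
        return "expected"
    return "unexpected"


def triage(rows):
    """One finding per open port, with service name and severity."""
    return [
        {"host": r["host"], "port": r["port"],
         "service": KNOWN_PORTS.get(r["port"], "unknown"),
         "severity": classify(r["port"], r["role"])}
        for r in rows if r["state"] == "open"
    ]


def worst_per_host(findings):
    """Roll findings up to the worst severity per host, for the report to management."""
    worst = {}
    for f in findings:
        cur = worst.get(f["host"], "expected")
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur]:
            worst[f["host"]] = f["severity"]
        else:
            worst.setdefault(f["host"], cur)
    return worst


if __name__ == "__main__":
    for f in triage(parse_scan(SAMPLE_SCAN)):
        print(f"{f['host']}:{f['port']} ({f['service']}) -> {f['severity']}")
```

Note that SSH on the web server is "unexpected" rather than allowed simply because the bastion role permits it: the policy is per role, which is how the same port can be correct on one host and a finding on another.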

Page 49

Web Vulnerability Scanning

• Burp Suite https://portswigger.net/burp

“Burp or Burp Suite is a graphical tool for testing Web application security. The tool is written in Java and developed by PortSwigger Security.”

• Veracode https://www.veracode.com/products/static-analysis-sast/static-code-analysis


Page 51

Network vulnerability scans look at the network generally; application vulnerability scans look into the structure of web applications.

Page 52

Metasploit is an automated exploit tool.

Page 53

Penetration Testing

The process may include the following:

▪ Reconnaissance

▪ Network discovery scans

▪ Network vulnerability scans

▪ Web application vulnerability scans

▪ Use of exploit tools

▪ Manual attack attempts

Page 54

▪ White Box Penetration Test

▪ Grey Box Penetration Test

▪ Black Box Penetration Test

Page 55

Code Review and Testing

The inspection of the source code to find security vulnerabilities: OWASP best practices, vulnerable syntax, inputs.

Page 56

▪ Planning

▪ Overview

▪ Preparation

▪ Inspection

▪ Rework

▪ Follow-up

Page 57

OWASP TOP 10

“The Open Web Application Security Project (OWASP) is a 501(c) worldwide not-for-profit charitable organization focused on improving the security of software.”

CWE SANS TOP 25

The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most critical programming errors that can lead to critical software vulnerabilities.

Page 58

Static testing: Without running the software

Dynamic testing: Software in a runtime environment

Fuzz testing: Stress software’s limits
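What "stressing the software's limits" looks like in practice, as an added Python example that is not from the deck: a minimal mutation fuzzer that takes a valid seed input, applies random edits (bit flips, deletions, insertions, truncation) and records which inputs make the target raise something other than its documented rejection error. The target, parse_record, is a constructed toy parser written to be fragile for this demonstration; it is not code from any real project, and the seed and iteration counts are assumptions.

```python
"""Minimal mutation fuzzer for the 'fuzz testing: stress the software's limits' row on
page 58. Added example, not from the deck. parse_record is a constructed, deliberately
fragile target, not code from any real project."""
import random


def parse_record(data):
    """Constructed target: b'LEN:<n>;<payload>' -> the first n payload bytes.
    It rejects junk in the header cleanly (ValueError) but trusts n when it indexes
    the payload, so a short payload or a missing ':' crashes with IndexError."""
    header, _, body = data.partition(b";")
    n = int(header.split(b":")[1])     # IndexError if ':' is gone, ValueError on junk
    body[n - 1]                         # 'last byte present' check: IndexError if body is short
    return body[:n]


def mutate(data, rng):
    """One random edit: bit flip, byte deletion, byte insertion or truncation."""
    if not data:
        return bytes([rng.randrange(256)])
    op = rng.choice(("flip", "delete", "insert", "truncate"))
    i = rng.randrange(len(data))
    if op == "flip":
        return data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:]
    if op == "delete":
        return data[:i] + data[i + 1:]
    if op == "insert":
        return data[:i] + bytes([rng.randrange(256)]) + data[i:]
    return data[:i]


def fuzz(target, seeds, iterations=500, seed=0, graceful=(ValueError,)):
    """Feed mutated seeds to `target`. Exceptions listed in `graceful` count as clean
    rejections; anything else is a crash, recorded once per exception type with the
    input that triggered it. Returns (crashes, rejected_count)."""
    rng = random.Random(seed)
    crashes, rejected = {}, 0
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except graceful:
            rejected += 1
        except Exception as exc:                   # a fuzzer wants to see everything
            crashes.setdefault(type(exc).__name__, case)
    return crashes, rejected


if __name__ == "__main__":
    found, rejected = fuzz(parse_record, [b"LEN:5;hello"])
    print(f"{rejected} inputs rejected cleanly; crashes: {found}")
```

The separation between "graceful" and "crash" is the useful part: a parser is allowed to say no, but an unexpected exception type marks an input the author never considered, and the stored triggering input is the reproducer handed to the developer. Real fuzzers add coverage feedback and grow the corpus from interesting inputs; this one only mutates the seeds.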

Page 59

Interface testing: Performance of modules vs the interface specifications

Page 60

Misuse case testing: Testing known ways that an attacker might exploit the system.

Page 61

Security assessment reports are addressed to the organization’s management.

Page 62

■ Number of open vulnerabilities

■ Time to resolve vulnerabilities

■ Number of compromised accounts

■ Number of software flaws

■ Repeatable audit findings

■ Attempts to visit malicious sites

Page 63

THANK YOU !

PLEASE FEEL FREE TO ASK QUESTIONS

OR SHARE YOUR TIPS
