CISSP HIGHLIGHTS


Chapter 1 – The CISSP Certification & Test

250 Questions

6 hours – no scheduled breaks – inform the proctor if you need a break

700 / 1000 Passing score – Questions are weighted but no penalty for wrong answers

 

Requires 5 years of experience in at least 2 of the 10 CBOK domains

OR 4 years of experience in at least 2 of the domains and an accredited 4 year degree

OR 3 years of experience, a degree, and a recognized certification

 

Apply online at www.isc2.org

 

Candidates who pass will be required to acquire an ENDORSEMENT form from a currently certified CISSP who will vouch for them

Candidates who do not pass will be provided with feedback on their score and which domains they scored best/worst on

 

Continuing Education Credits – 120 over a 3 year certification cycle

            You MUST enter 20 per year in the year they were earned – do NOT procrastinate

            If your CECs and AMFs are done, you don’t need to retake the test

AMFs – Annual Maintenance Fee is currently $85/year billed following the first year

 

You need to know all 10 domains but FOCUS on these five heavily tested areas:

Information Security and Risk management
Access Control
Security Architecture
Telecommunication and Network Security
BCP and DRP


Chapter 2 - Security Trends

Evolution of computing from Mainframe to a distributed environment, now heading back into mainframes – understand the security issues for each environment

Information Warfare – any action to deny, exploit, corrupt, or destroy the enemy’s information and its function, while at the same time protecting oneself against those same actions

Electronic Communications Policy – An electronics communications policy acts as a guideline for employees in the use of a company's electronics communications system. As such it provides an important safeguard for companies against liability due to misuse and abuse of electronic communications resources by its employees.  A good electronic communications policy should also provide guidelines for dealing with employees who abuse the policy.

Openness – In open societies, government is responsive and tolerant, and political mechanisms are transparent and flexible. The state keeps no secrets from itself in the public sense; it is a non-authoritarian society in which all are trusted with the knowledge of all. Political freedoms and human rights are the foundation of an open society.  Consider the effect of openness in the international arena as we continue to expand our global economy – what pros and cons are there to readily sharing information with other countries?

Acceptable Use Policy / Intended Use Policy / Fair Use Policy – An acceptable use policy (AUP; also sometimes acceptable usage policy or Fair Use Policy) is a set of rules applied by the owner/manager of a network, website or large computer system that restrict the ways in which the network, site or system may be used. AUP documents are written for corporations, businesses, universities, schools, internet service providers, and website owners, often to reduce the potential for legal action that may be taken by a user, and often with little prospect of enforcement.

Two Tiered Architecture – used in web environments to allow customers access to the front end web services while still protecting sensitive data behind an additional firewall.  Secure, but highly sensitive environments will require a three tiered architecture.  (p 40-42)

DMZ (Demilitarized zone) - a physical or logical subnet that contains and exposes an organization's external services to a larger untrusted network (usually the Internet.) The term is normally abbreviated to DMZ; also known as a Data Management Zone or Demarcation Zone or Perimeter Network. The purpose of a DMZ is to add an additional layer of security to an organization's Local Area Network (LAN); an external attacker only has access to equipment in the DMZ, rather than any other part of the network.


 

Chapter 3 – Information Security and Risk Management

 

Top-Down Approach – the initiation, support and direction for IT security policies come directly from top level  / executive management and work their way through middle management

Bottom-up Approach – a situation in which the IT department tries to develop a security program without proper mgmt support and direction

 

Three primary types of controls:

                Administrative – policies, standards, procedures, guidelines, etc.

                Technical / Logical – passwords, access control, configuration, etc.

                Physical – locks, doors, fences, removing unnecessary hardware, etc.

 

Due Care - the care that a reasonable man would exercise under the circumstances; the standard for determining legal duty.  Due care is a legal term used to determine if someone is acting responsibly, giving them a lower probability of being found negligent or liable in a court of law.

Due Diligence - a term used for a number of concepts involving either the performance of an investigation of a business or person, or the performance of an act with a certain standard of care.

Remember:  Due Care / Do Correct – Due Diligence / Do Detect

 

Fundamental Principles of Security / The Security CIA Triad

                Confidentiality

                Integrity

                Availability

 

Vulnerability – a software, hardware or procedural weakness that may provide an attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the network

Threat – any potential danger to information or systems.  The threat is that someone or something will identify a specific vulnerability and use it against the company or individual.

Threat agent – could be an intruder accessing the network through a port on the firewall, an insecure process, a tornado, an unintentional mistake in data entry, etc.

Risk – the likelihood of a threat agent taking advantage of a vulnerability and the corresponding business impact.

Exposure – an instance of being exposed to losses from a threat agent.  

Countermeasure / safeguard – something put into place to mitigate the potential risk.

 

Security through Obscurity – an intentional act of keeping security policies/procedures/details a secret.  If you don’t know what’s behind the emerald curtain, you won’t have the knowledge required to attack it.  Not a recommended best practice, as it assumes stupidity of the enemy.

 

Security Frameworks

COBIT – Control Objectives for Information and related Technology – a model for IT governance developed by the ISACA / ITGI – defines goals for the controls that should be used to properly manage IT and ensure that those solutions map to business needs.  Four domains:  Plan & Organize; Acquire and Implement; Deliver and Support; Monitor and Evaluate.   Based on the COSO Guidelines, each domain provides control objectives, goal and performance indicators, maturity models, etc.

COSO – Committee of Sponsoring Organizations – 1985 – a model for corporate governance/ works at the strategic level to define best practices – ENORMOUS guidelines – both of these answer “what is to be achieved” but neither deal specifically with how to achieve it.

 

ISO 27001- Provides the steps for setting up and maintaining a security program

ISO 27002 / 17799 – Provides the security controls that can be used within the security program to achieve objectives

ITIL - a set of concepts and practices for managing Information Technology (IT) services (ITSM), IT change mgmt, service desk, configuration mgmt, and release mgmt.

 

Security Governance – all of the tools, personnel, and business processes necessary to ensure that the security implemented meets the organization’s specific needs.

 

Risk Analysis – a method for identifying vulnerabilities and threats and assessing the possible damage to determine where to implement security safeguards.  Ensures that security is cost-effective, relevant, timely, and responsive to threats.  The four main goals are:  Identify assets and their values; Identify vulnerabilities and threats; Quantify the probability and business impact of the threats; Provide an economic balance between the impact of the threat and the cost of the countermeasure.

 

Methodologies for Risk Assessments – there are many to choose from, including NIST (healthcare), Facilitated Risk Assessment Process (FRAP), OCTAVE (Carnegie Mellon), CRAMM, Spanning Tree Analysis – choose the most appropriate for your industry and level of knowledge.

 

FMEA – Failure Modes and Fault Analysis – initially designed for systems engineering – created a diagram that strives to identify all potential points of failure / system vulnerabilities to proactively provide a fix or countermeasure  (page 90)

 

QUANTITATIVE RISK ANALYSIS – attempts to assign real and meaningful numbers to all elements of the risk analysis process including asset values, business impact, exploit probabilities, safeguard effectiveness, etc.  It is still somewhat qualitative / subjective but uses mathematical calculations to determine cost/benefit and frequently uses automated software.

                AV / EF / SLE / ALE / ARO

                SLE = asset value x exposure factor (EF)

                ALE = SLE x annualized rate of occurrence (ARO)
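The SLE/ALE formulas above, carried through on constructed figures, plus the cost/benefit comparison the paragraph mentions (standard formula: ALE before the safeguard minus ALE after it minus the safeguard's annual cost). This is an added example, not from the notes; the $100,000 asset and the EF/ARO values are made up.

```python
"""Quantitative risk analysis helpers: AV, EF, SLE, ARO, ALE and the
cost/benefit of a safeguard. Added example; all figures are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    asset_value: float          # AV, in dollars
    exposure_factor: float      # EF, fraction of AV lost per incident (0.0 - 1.0)
    annual_rate: float          # ARO, expected number of incidents per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.asset_value < 0 or self.annual_rate < 0:
            raise ValueError("AV and ARO cannot be negative")

    def sle(self) -> float:
        """Single Loss Expectancy = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized Loss Expectancy = SLE x ARO."""
        return self.sle() * self.annual_rate


def safeguard_value(before: RiskScenario, after: RiskScenario, annual_cost: float) -> float:
    """Net annual value of a countermeasure (standard cost/benefit formula):
    ALE before the safeguard - ALE after the safeguard - annual cost of the safeguard.
    Positive means the safeguard pays for itself; negative means it costs more than it saves."""
    return before.ale() - after.ale() - annual_cost


if __name__ == "__main__":
    # Constructed figures: a $100,000 server, a threat that destroys 25% of its
    # value per incident and is expected once every two years (ARO = 0.5).
    before = RiskScenario(asset_value=100_000, exposure_factor=0.25, annual_rate=0.5)
    # A proposed safeguard cuts the damage per incident to 5% but not the frequency.
    after = RiskScenario(asset_value=100_000, exposure_factor=0.05, annual_rate=0.5)
    print(f"SLE before: ${before.sle():,.0f}  ALE before: ${before.ale():,.0f}")
    print(f"SLE after:  ${after.sle():,.0f}   ALE after:  ${after.ale():,.0f}")
    print(f"Net value of a $5,000/yr safeguard: ${safeguard_value(before, after, 5_000):,.0f}")
```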

 

QUALITATIVE RISK ANALYSIS – walks through different scenarios of risk possibilities and ranks the seriousness of the threats and the validity of the different countermeasures based on opinions and expert judgment.  Uses surveys, interviews, focus groups, expert opinion, questionnaires, checklists, etc.

                Understand the Risk Matrix (4 box) on page 99

 

The Delphi Technique – the objective of most Delphi applications is the reliable and creative exploration of ideas or the production of suitable information for decision making. The Delphi Method is based on a structured process for collecting and distilling knowledge from a group of experts by means of a series of questionnaires interspersed with controlled opinion feedback.

 

RATA – Four ways to handle risk

 

Policies – organizational policies, issue specific policies, system specific policies

                Regulatory policies, Advisory policies, Informational policies

 

Standards – mandatory activities, actions or rules that give the security policy its reinforcement and support

Baselines – the minimum level of protection that is required

Guidelines – recommended actions and operational guides to users when a specific standard doesn’t apply – best practices to follow

Procedures – detailed step-by-step tasks that should be performed to achieve a certain goal

 

Information Classification

                Private sector vs Military sector – know the standard classifications in order

                Information/data owner vs information/data custodian

 

Personnel Controls and Hiring Practices

                Collusion

                Rotation of Duties

                Mandatory Vacation (at LEAST five days)

                Separation of Duties / Dual control / Two man control / Split Knowledge

                Nondisclosure agreements

                Hold harmless agreement

                Background checks

                Employment / Education Verification

                Termination procedure to ensure all access is removed – no holes!

 

Security awareness training – constantly changes, should be appropriate for the position, should be timely and relevant – must be continually evaluated for effectiveness


Chapter 4 – Access Control

IAAA – Identification, Authentication, Authorization, Accounting

Access, Subject, Object, Information flow

 

Race Condition – when processes carry out their tasks on a shared resource in the incorrect order, which can affect functionality and in this situation (authentication) create risk

 

Strong authentication / Two Factor authentication –

            Something You Are, Something You Have, Something You Know

 

Federated Identity -  a portable account that allows a user to authenticate across multiple IT systems and/or multiple organizations (i.e. Microsoft Passport, AKO Online)

 

Directories – X.500 standard namespace allows interaction with multiple apps and systems

 

Password Mgmt – Password synchronization, Self-service reset, Assisted password reset

                Attack passwords = brute force, dictionary attack, rainbow tables, sniffing, social engineering

                Cognitive password = fact or opinion based pw based on pre-determined questions

                One time passwords – token devices (synchronous / asynchronous)

                Password clipping levels, Min/max password age, PW history

 

Passphrase - Passphrases are generally longer than passwords. While passwords can frequently be as short as 8, 6, or even 4 characters, passphrases have larger minimum lengths and, in practice, typical passphrases might be 20 or 30 characters long or longer. This greater length provides more powerful security; it is far more difficult for a cracker to break a 25-character passphrase than an 8-character password.

 

Biometrics

                Type I error – False Rejection Rate

                Type II error – False Acceptance Rate

                CER – Crossover error rate – the point at which the FRR equals the FAR – lower is better

                Highest accuracy = iris scan

                Lowest user acceptance = retinal scan

                Behavioral vs  Physiological

 

Memory cards vs Smart Cards

Authorization Creep

Groups vs Roles

Default to NO access

Need-to-know principle and the Least-privilege principle

 

KERBEROS

                KDC, TGT, TGS – understand the process on page 202

                Uses symmetric secret key between user and KDC – session key with resource

                Subject to password guessing and brute force attacks – can be SPOF or bottleneck

 

SESAME

                Very similar to Kerberos but uses PACS (Privileged Attribute Certs) & PAS

 

Discretionary Access Control – access is at the discretion of the owner

Mandatory Access Control – nobody can override the permissions

Role-Based Access Control – great for high turnover environments

Rule-Based Access Control – uses rules to determine access between subjects and objects

Constrained User Interfaces (CUI) – database views, limited menus and shells, etc.

Access Control Matrix –

                Access Control List & Capability Tables

 

Content dependent access control – i.e. filtering emails based on SSN

Context dependent access control – i.e. allowing SYN/ACK only in response to a SYN

 

ACCESS CONTROL CENTRALIZED ADMINISTRATION

RADIUS – used by ISPs for authentication, authorization and accounting – uses UDP – encrypts password only

TACACS – 3 flavors – XTACACS has extended two factor authentication and TACACS+ offers a full solution that includes encryption of data / uses TCP – supports multiple protocols

Diameter – built on RADIUS with added functionality – used for VOIP, FOIP, Mobile IP, wireless and cell phones – stacks with IPSEC or TLS

 

Control Functionalities

                Deterrent, Preventative, Corrective, Recovery, Detective, Compensating, Directive

 

Audit Logs – ensuring the proper use and security for audit logs – audit reduction tools

Keystroke Monitoring / Keystroke Logging

 

Object Reuse dangers

Emanation Security (TEMPEST, White Noise, Control Rooms)

 

Intrusion Detection Systems (IDS)

Host based or network device

Knowledge or Signature based detection (only catches what matches the KB)

State-based IDS – looks for signatures in the stream of activity rather than individual packets to detect compromised state of system

Statistical-anomaly based IDS – learns what is normal and then looks for something abnormal – can detect 0-day attacks rather than waiting for signature update

Protocol-anomaly based IDS – expert on a single protocol and understands normal usage/processes

Traffic-anomaly based IDS – knows normal – looks for abnormalities like DOS attacks

Rule-based IDS – uses IF/THEN programming with expert systems – needs knowledge base and inference engine – cannot detect new attacks

Intrusion Prevention Systems (IPS) – inline devices that require traffic to pass through them before they can reach the internal network thereby preventing attacks

 

Honeypot – a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.

Padded Cell – a locked down honeypot


Chapter 5 – Security Architecture and Design

 

Security Policy – outlines how entities access each other, what operations they can carry out, what level of protection is required for a system or product, and what actions should be taken when the requirements are not met

Security Model – outlines the requirements necessary to properly support and implement a certain security policy

 

CPU (Central Processing Unit) – the brain of your computer.  Fetches instructions from memory and executes them.  The actual execution is done by the Arithmetic Logic Unit (ALU).

CPU Registers – Interrupt requests - Address bus vs Data bus

CPU Rings of Protection – layers of protection used for access controls – entities have to request help when communicating outside their own ring

                Ring 0 – operating system kernel – MOST secure – inner core

                Ring 1 – operating system

                Ring 2 – file drivers

                Ring 3 – email client, word processor, web browser, database, user interfaces

 

Multiprocessing (symmetric vs asymmetric)

Multitasking (cooperative vs preemptive)

Multiprogramming

Multithreading

Process isolation

 

RAM – SRAM/DRAM/SDRAM/EDO RAM/EDO DRAM/BEDO DRAM/DDR SDRAM - volatile

ROM – PROM/EPROM/EEPROM

Memory Leaks

Virtual memory / swap drive

 

Critical concepts – memorize the information on page 316

 

Trusted Computing Base - everything in a computing system that provides a secure environment. This includes the operating system and its provided security mechanisms, hardware, physical locations, network hardware and software, and prescribed procedures. Typically, there are provisions for controlling access, providing authorization to specific resources, supporting user authentication, guarding against viruses and other forms of system infiltration, and backup of data. It is assumed that the trusted computing base has been or should be tested or verified.


Trusted path – a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can't intercept or modify whatever information is being communicated.

Trusted shell - trusted shell runs only trusted programs – the programs working in that shell can’t bust out of it - SSH-2 is an example of a trusted shell environment.

 

Reference monitor – abstract concept that mediates all access subjects have to objects to ensure subjects can access appropriately and to ensure objects are not accessed without authorization / protected from destructive modification.

Security kernel – made up of the hardware, software, and firmware components that fall within the TCB and implements and enforces the reference monitor concept.  The security kernel mediates all access and functions between subjects and objects.  3 main requirements – must provide isolation, must be invoked for every access attempt, must be small enough to be tested & verified

 

STATE MACHINE MODELS

Bell-LaPadula Model

                First model created – enforces only confidentiality

1. Simple security rule – NO READ UP

2. Star property rule – NO WRITE DOWN

3. Strong star property – read/write only at my level

4. Tranquility principle – subjects and objects cannot change their security levels/security labels once created

Biba Model

                Enforces integrity rather than confidentiality

1. Star integrity axiom – NO WRITE UP

2. Simple integrity axiom – NO READ DOWN

3. Invocation property – subject cannot invoke subjects of a higher integrity

Remember – star write, star bright – if the rule is star, it pertains to write permissions
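The Bell-LaPadula and Biba rules above as an access-decision function, so the mirror image between the two models can be checked request by request. This is an added example, not from the notes; the four-level ordering (Unclassified through Top Secret) is a constructed lattice used for both confidentiality and integrity levels.

```python
"""Access decisions under the Bell-LaPadula (confidentiality) and Biba (integrity)
state-machine rules. Added example; the level lattice is constructed."""
from enum import IntEnum
from typing import Dict, Iterable, Tuple


class Level(IntEnum):
    """Ordered levels; a higher value is a higher clearance (BLP) or integrity (Biba)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject: Level, obj: Level, op: str, strong_star: bool = False) -> bool:
    """Bell-LaPadula, confidentiality:
    read  -> simple security rule: NO READ UP    (allowed iff subject >= object)
    write -> star property rule:   NO WRITE DOWN (allowed iff subject <= object)
    strong_star=True restricts both operations to exactly the subject's own level."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    if strong_star:
        return subject == obj
    return subject >= obj if op == "read" else subject <= obj


def biba_allows(subject: Level, obj: Level, op: str) -> bool:
    """Biba, integrity (the rules are BLP's mirror image):
    read   -> simple integrity axiom: NO READ DOWN (allowed iff subject <= object)
    write  -> star integrity axiom:   NO WRITE UP  (allowed iff subject >= object)
    invoke -> invocation property: a subject may not invoke a higher-integrity subject."""
    if op == "read":
        return subject <= obj
    if op in ("write", "invoke"):
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


def decision_table(subject: Level, objects: Iterable[Level]) -> Dict[Tuple[str, str], Tuple[bool, bool]]:
    """Map (object level name, op) -> (BLP verdict, Biba verdict) for one subject,
    showing that the same request gets opposite answers under the two models."""
    table = {}
    for obj in objects:
        for op in ("read", "write"):
            table[(obj.name, op)] = (blp_allows(subject, obj, op), biba_allows(subject, obj, op))
    return table


if __name__ == "__main__":
    subject = Level.SECRET
    for (obj_name, op), (blp, biba) in decision_table(subject, list(Level)).items():
        print(f"SECRET subject {op:5} {obj_name:12} "
              f"BLP={'allow' if blp else 'deny':5}  Biba={'allow' if biba else 'deny'}")
```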

Clark-Wilson Model

                Constrained data items / Unconstrained data items

                Well formed transactions

                Separation of Duties

                Auditing is required

Brewer-Nash Model

                Dynamically changing access control – protects against conflicts of interest

                (Can’t work on both the Pepsi and Coke campaigns at the same time)

                Also called the Chinese Wall method

Graham-Denning Model

                6 – 7- 8 Primitive Protection Rules

                Shows how objects and subjects should be created and deleted, and how to assign and delegate access rights

 

Security Modes of Operations – recap on 354

                Dedicated Security Mode

                System High Security Mode

                Compartmented Security Mode

                Multilevel Security Mode

 

SYSTEM EVALUATION METHODS

 

Orange Book – Developed by DOD – TCSEC

                4 levels of ratings – concerned only with confidentiality – validates against Bell-LaPadula

                Rainbow series expanded to networks (red book)

 

C1 – minimal protection, contains testing and documentation

C2 – object reuse and auditing

B1 – separate operator and administrator roles, protects against covert timing, security labels

B2 – requires trusted recovery, covert channel analysis, trusted facility mgmt, trusted path

B3 – systems must be highly resistant to penetration

A1 - Formal methods and proof of integrity of TCB – VERY few achieve this rating

 

ITSEC – European countries attempted a common standard – E0 to E6 and F1 to F10

                Evaluated based on functionality and assurance – 2 ratings addressed CIA


Common Criteria

                Developed by multiple countries in conjunction with the ISO – 1993

                Globally recognized criteria for evaluation

                7 Levels – Evaluation Assurance Levels (EALs)

                Uses protection profiles, which can be shared and reused – contains 5 sections

 

Open Systems vs Closed Systems


Chapter 6 – Physical Security

Physical Security Concerns

            Theft, interruption of service, physical damage, compromised systems / integrity, unauthorized access

 

Crime Prevention through Environmental Design (CPTED)

            Security Zones (Controlled, Restricted, Public, Sensitive, etc.)

Natural Access Control (Doors, Fences, Bushes, Lighting)

Territorial Reinforcement (Create a sense of community)

 

Framework for a Physical Security Program – pg 416

Selecting a Physical Site – pg 417

            Remember legal/regulatory reqs – OSHA, EPA, ADA, etc.

 

Construction

            Light frame, heavy timber, incombustible & fire-resistant material

 

Entry Points

            How many doors, what type?  Security vs Fire code

            Mantraps

            FAIL SAFE vs FAIL SECURE  (p 423)

 

Windows

            Standard

            Tempered – heated then cooled quickly – extra strong

            Acrylic – very strong, but toxic in fire

            Embedded wires

            Laminated – plastic film (filters UV and protects from flying glass)

 

Power Issues

            UPS vs Smart UPS / Online UPS vs Standby UPS

            EMI and RFI  (p 432)

            Excess power – spikes and surges, in-rush current

            Low/loss of power – faults and blackouts

            Degradation – sags, dips and brownouts

            Line conditioners and voltage regulators!!!

 

 

Environmental issues

            Positive drain – water, steam and gas lines

            Temperature (keep server racks under 73 degrees – thermometer)

            Humidity (recommend 50% +/- 10% - hygrometer NOT barometer)

 

Fire issues

            Prevention vs Detection vs Suppression

            Smoke activated alarm (photoelectric device) – sensitive to dust

            Heat activated alarm (rate-of-rise temp or fixed-temp signal)

            Plenum Area

            Four types of smoke detectors – A, B, C, D

            NO more Halon – know alternatives (p 443)

            Recycle Halon tanks at a certified recycling center

 

Sprinkler Systems

            Wet pipe – fungus can build up, vulnerable to pipe/nozzle breaks

            Dry pipe – delayed reaction but no freezing pipes in winter

            Preaction system – dry pipe until alarm, then pressurized water shoots into pipes but is not released until the thermal fuse on the sprinkler head has melted – BEST FOR SERVER RM

            Deluge system – large volume of water dropped quickly

 

Locks

            Warded locks / padlocks – bypass with padlock shims

            Tumbler locks / pin tumbler locks – picked with tension/torque wrench and lock pick

            Wafer tumbler locks – file cabinets – VERY easy to circumvent

            Combination locks (lockers) – more wheels = better security

            Cipher locks – programmable, keyless – danger of shoulder surfing

                        Door delay, Override code, Master keying, Hostage alarm

            Smart locks – use if/then logic – e.g. only allow people in at allowed hours

            Device locks – port locks / slot locks / cable locks – keep equipment secure

            Lock strength – GRADE 1 (Commercial) is best – GRADE 3 (residential) is not

            Bump locks

            Circumvention techniques – shoulder surfing, piggybacking, lock picking

 

Fences

            3-4 feet will deter trespassers

            6-7 feet too high to climb easily

            8 feet + deters even determined intruders (esp with razor wire!)

PIDAS – Perimeter Intrusion detection (fence w/alarm built in) – sensitive to wind, animals

Bollards – protection from vehicles driving through building/lobby

Gates - Class 1/Residential, Class 2/Commercial, Class 3/Industrial, Class 4/Restricted (Best)

Lighting – Lighting zones, overlap, standby lighting, responsive area illumination (motion)

 

CCTV

            Understand focal length, iris / manual iris and depth of field

            Integrated with recording devices, designed w/lighting requirements

            PTZ – pan, tilt, zoom  (camera can move)


Intrusion Detection (Physical)

            Electromechanical systems – detect break in circuit

            Photoelectric system/photometric system – detect change in light beam (windowless)

            Passive infrared – changes in heat waves

            Acoustical detection / Vibration sensors

            Wave-pattern motion detectors

            Proximity / capacitance detector – monitors magnetic field (museum artwork)

            Redundant power, tied to security system, FAIL-SAFE, resistant to tampering

 

Security Guards

            Provide DISCERNING judgment – must be trained properly

 

Auditing Physical Access

 

Testing and Drills


Chapter 7 – Telecommunications and Network Security

OSI MODEL

                Vendor independent guidelines for communication between systems

                Know the 7 layers in order and what they do, protocols, devices, etc.

                Developed by ISO for use with OPEN systems

 

Layer 7 – Application

These are the protocols that support the user application / interface – and include browsers, FTP clients, mail clients, etc.

                DNS, DHCP, NNTP, SMTP, FTP, HTTP, Telnet

 

Layer 6 – Presentation

This layer is concerned with data representation and formatting – it’s a translator that provides a common representation of data.  Doesn’t care about the meaning of the data!

                Compression & Encryption happen here

                JPEG, MPEG, TIFF, MIDI

 

Layer 5 – Session Layer

This layer creates the connection between two apps, maintains the connection, then releases it when the communication is finished – does connection establishment, data transfer, and connection release.

                NFS, SQL, NetBIOS, Sockets, Named Pipes

 

Layer 4 – Transport Layer

Handshake determines data transfer, error detection, flow control, etc.  Provides END-TO-END transport of data.

TCP, UDP, SPX, SSL

 

Layer 3 – Network layer

Responsible for determining the best route for the packets to take – routing protocols / routing tables exist at this layer.

                RIP, OSPF, BGP, ICMP, IGMP, IP, IPv6, NAT

                HW:  Routers

 

Layer 2 – Data Link Layer

                Data is translated here from LAN to WAN format & put into frames for transmission

                Consists of two sub layers – Logical Link Control & Media Access Control

                SLIP, PPP, L2F, L2TP, FDDI, ISDN, ATM, RARP, ARP

                HW:  Bridges, Switches

 

Layer 1 – Physical Layer

Converts bits to voltage for transmission – this layer handles voltage levels and physical connectors.

                HW:  Wires/cables, hubs, connectors, repeaters, dumb hubs

 

TCP/IP

                Connection oriented protocol.  Handshake (SYN, SYN ACK, ACK).  Reliable.

                IPv4 – 32 bit addresses / Class A, B, C / CIDR / NAT

                IPv6 – 128 bit addresses / hex / QoS

 

Well-known ports

                20/21   – FTP
                23      – Telnet
                25      – SMTP
                53      – DNS
                80      – HTTP
                110     – POP
                143     – IMAP
                161/162 – SNMP
                443     – SSL

 

KNOW THESE:

                Analog vs Digital

                Asynchronous vs Synchronous

                Broadband vs Baseband

                Protocol

                Socket  (Port/IP combination)

 

Physical Topologies

                Ring, Bus, Star, Mesh

Cables

                10Base2 (Thinnet), 10Base5 (Thicknet), 10BaseT (UTP, STP)

                Know the speeds for Cat5 (100 Mbps), Cat6 (1 Gbps), and Cat7 (10 Gbps)

                Bandwidth – the size of the pipe

                Throughput – the amount of data that can travel through it

                Noise, attenuation, crosstalk

                Plenum cable

 

LAN Technologies

                Ethernet – IEEE 802.3

                                CSMA/CD, Coax or Twisted pair, full duplex, broadcast domains

                Token Ring – IEEE 802.5

                                Token passing, CSMA/CA, MAU, active monitoring, beaconing

                FDDI – IEEE 802.8

                                Primary & secondary ring, fiber optic, backbone

 

Unicast vs Multicast vs Broadcast (p 524)

 

LAN Protocols

                ARP / RARP

                DHCP  (BOOTP)

                ICMP

 

Routing, Switching, and Bridging

                Routing protocols – RIP, OSPF, IGRP (Cisco), BGP

                Distance vector routing vs Link-state routing (p. 533)

                Source routing – not a good idea

                What is the diff between a router, a switch and a bridge?

                Layer3/4 Switches

VLANs

 

PBXs – private telephone switch

                Phreakers

 

Firewalls

                Packet-filtering – uses ACLs, limited logging, cannot prevent attacks

                Stateful firewalls – maintains state table, checks if outgoing request was made before allowing incoming response

                Proxy firewalls (p. 552) – heavy performance hit

                Application-level proxies – knows all legitimate commands for the app, inspects packets all the way up to the application layer, works for single protocol/service only

                Circuit-level proxies (i.e. SOCKS Proxy) – less complex, more flexible, less granular

                Kernel proxy firewall – 5th gen – runs in kernel so very fast – creates dynamic stacks to evaluate packets

                Know Firewall Best practices on p 559  (Also good review box at top of page for FW)

                Bastion Host

                Honeypot

 

Network Basics

                NOS  (Network Operating System)

                DNS (primary vs secondary zones, stub zone, DNS poisoning)

                NAT

                Intranet vs. Extranet

                EDI – Electronic Data Interchange (p 580)

 

WAN Technologies

                SONET– self healing, fully redundant, fiber backbone

                Dedicated line / Leased Line / Point-to-point link

                T-Carriers  (T1 – 1.544 Mbps on 24 voice channels, T3 – 44.736 Mbps /28 T1s)

                CSU / DSU – LAN to WAN connector

WAN Technologies (cont)

Circuit switching vs packet switching (p 591)

                Frame Relay – still used by Navy, packet-switching, pay for bandwidth you use

                X.25 – fat and slow – charged on bandwidth used

ATM – high speed, fixed cells of 53 bytes, used for voice/video, can be cheaper than T-line because it’s based on usage

 

Quality of Service (QoS)

                Constant Bit Rate (CBR) – VOIP/Video

                Variable Bit Rate (VBR)

                Unspecified Bit Rate (UBR)

                Available Bit Rate (ABR)

 

REMOTE ACCESS

 

Wardialing / Daemon Dialing

 

ISDN – BRI (Basic Rate) – 2 B channel / 1 D channel (call set up & connection) – 144 Kbps

                PRI (Primary Rate) – 23 B channels / 1 D channel – 1.544 Mbps (T1 speed)

                Broadband ISDN – backbone

 

DSL – 4 flavors of DSL – SDSL, ADSL, ISDL and HDSL – always connected (PPP connection)

 

VPN – secure private network through public lines

                PPP – Point to Point creates connection (replaces SLIP)

                PPTP (Microsoft)  uses MPPE (encryption)

                L2TP (Cisco) stacks with IPsec – more than just IP (x.25, ATM, FR)

                PAP, CHAP, EAP – authentication protocols

 

Fax banks – caller ID and callback functions

                Two factor authentication

 

Wireless Technology

Spread Spectrum – breaks frequency into multiple channels – resistant to natural interference and jamming

Frequency Hopping Spread Spectrum (FHSS) – predefined hop sequence, uses only portion of bandwidth – difficult to eavesdrop

Direct Sequence Spread Spectrum (DSSS) – uses all avail bandwidth continuously – much higher data throughput (11 Mbps)

Access Points (AP) and Service Set IDs (SSID)

WEP (Wired Equivalent Privacy) is the default on many home devices – easy to crack; better options exist

 

Wireless Standards

 

802.11A

                54 Mbps / 5 GHz frequency

                NOT compatible with B

802.11B – first to hit the market

                11 Mbps / 2.4 GHz frequency

802.11G

                54 Mbps  / 2.4 GHz frequency

802.11H

                802.11A for Europe – different standards required

802.11N

                100 Mbps / 5 GHz range  - MIMO

802.1X

                Added authentication of user required (User – NOT system)

802.15 – Wireless personal area network

                Bluetooth / Bluejackers (p 634)

Limited range – phone, PDA, laptop

War driving – walking/driving for the purpose of discovering APs and breaking into them

Countermeasures – Enable WEP, change SSID, disable SSID broadcast, encrypt, allow only known MAC addresses, etc.

 

WAP – communication protocols used to standardize wireless interfaces

                Uses WTLS (Wireless Transport Layer Security) – similar to TLS/SSL

                i-Mode is the Japanese implementation of WAP

 

Rootkits – malware program designed to take control of a system / install backdoor

                Contain log scrubbers, often disable admin rights so they can’t be uninstalled/removed

                Counter:  harden system, antispyware, IDS

 

Spyware / Adware

Instant Messaging – security concerns


 

Chapter 8 – Cryptography

Substitution Ciphers (Confusion)

                Atbash method – simple substitution (mono or poly alphabetic)

                Caesar cipher was a shifted alphabet cipher

Transposition Ciphers  (Diffusion)

                Move the letters around / word scramble

Running key cipher

                Uses components in the world around you – e.g. references book numbers, page numbers,

                and word position to encipher

Concealment cipher

                A message within a message (read every third word for actual message)

Steganography

                Hiding data in another media type, covert channel that hides text within a web page or a photo

                 or that hides secret files within the Windows sys32 folder

 

Scytale cipher – paper wrapped around a stick (400 BC, Spartans)

ROT13 – substitution cipher from the 1980s for adult/inappropriate material

Vigenere Cipher – developed for Henry III – used Vigenere table – more complex

               

Algorithm – set of rules that dictates how enciphering and deciphering take place

Key – the value that is used to encrypt plaintext into ciphertext

Keyspace – the range of values that can be used to construct a key – the larger the keyspace, the tougher it will be to crack the key

Work factor – the combination of the algorithm, secrecy / length of key, initialization vectors, etc. that determine how STRONG the cryptosystem will be / how vulnerable to attacks – strength should vary with the importance of data

 Cryptosystem – all components incl software, algorithm, protocols, keys

Kerckhoff’s Principle – Only secrecy of the key is necessary for security – algorithms unimportant

(similar to open source principle – the more people that vet, the more secure our algorithm is going to be)

One-Time Pad – a pad of random values that is used to encrypt a message once and only once – considered unbreakable – also called Vernam cipher – pad equals size of message – still requires secure out-of-band delivery of shared key – very costly

Frequency Analysis – looking for common words and phrases that appear often to help decipher/crack the code

Initialization Vector – random values used with algorithms to ensure no patterns are created – to hide common phrases/words – adds randomness (more overhead, more secure)

 

Wassenaar Arrangement – about 40 countries

                Governs export of cryptographical algorithms to terrorist / dangerous countries

                Also controls stealth technology, radar, jet engines, etc.

 

Symmetric Cryptography

                Shared secret key – requires out-of-band sharing of keys & trust

                Block ciphers vs stream ciphers (p 685)

DES (Data Encryption Standard) – 56-bit key block cipher – IBM’s Lucifer – widely used

                16 rounds of computations, works on 64 bit blocks of data

Cracked in 1998 – replaced by Rijndael / AES

                Electronic Code Book (ECB) – fast, but not enough randomness for large files

                Cipher Block Chaining (CBC) – builds on the previous block – good randomness

                Cipher Feedback Mode (CFM) – large streaming data – new IV for each stream – very similar to CBC but adds new values to each stream

                Output Feedback Mode (OFM) – doesn’t use the ciphertext so corruption can’t propagate

                Counter Mode – generates multiple keys so it can encrypt many blocks simultaneously – no chaining
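An added worked example (not from the study guide) of the ECB, CBC and Counter modes listed above, built on a small Feistel block cipher constructed here for the demo; the toy cipher is not DES or AES, and the key, IV and messages are constructed values. It shows ECB's repeated-block leakage, CBC hiding it, and how far one corrupted ciphertext block propagates in each mode.

```python
import hashlib
import hmac

BLOCK = 8  # bytes: the toy cipher works on 64-bit blocks, as DES does
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_function(key: bytes, round_no: int, half: bytes) -> bytes:
    # Keyed pseudo-random function for one Feistel round (HMAC-SHA256, truncated).
    return hmac.new(key, bytes([round_no]) + half, hashlib.sha256).digest()[:HALF]


def encrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    """Toy 16-round Feistel cipher (constructed for this demo, NOT DES/AES):
    L, R = R, L xor F(R). The structure is invertible whatever F is."""
    left, right = block[:HALF], block[HALF:]
    for r in range(rounds):
        left, right = right, _xor(left, _round_function(key, r, right))
    return right + left  # undo the last swap so decryption can reuse the loop


def decrypt_block(key: bytes, block: bytes, rounds: int = 16) -> bytes:
    left, right = block[:HALF], block[HALF:]
    for r in reversed(range(rounds)):
        left, right = right, _xor(left, _round_function(key, r, right))
    return right + left


def _blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("ECB/CBC need input padded to a multiple of the block size")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Electronic Code Book: each block encrypted independently, so identical
    plaintext blocks give identical ciphertext blocks (pattern leakage)."""
    return b"".join(encrypt_block(key, b) for b in _blocks(plaintext))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Cipher Block Chaining: each block is XORed with the previous ciphertext
    block (the IV for the first) before encryption, which hides repeats."""
    prev, out = iv, []
    for b in _blocks(plaintext):
        prev = encrypt_block(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, []
    for c in _blocks(ciphertext):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: encrypt nonce||counter to get a keystream and XOR it with
    the data. No chaining, so blocks can be processed in parallel, the same
    call decrypts, and the final block needs no padding."""
    out = []
    for i, start in enumerate(range(0, len(data), BLOCK)):
        counter_block = nonce + i.to_bytes(BLOCK - len(nonce), "big")
        out.append(_xor(data[start:start + BLOCK], encrypt_block(key, counter_block)))
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """How many ciphertext blocks are duplicates: > 0 means structure leaks."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


def damaged_blocks(expected: bytes, actual: bytes) -> list:
    """Indices of blocks that differ after decryption, to see how far one
    corrupted ciphertext block propagates in each mode."""
    pairs = zip(_blocks(expected), _blocks(actual))
    return [i for i, (e, a) in enumerate(pairs) if e != a]
```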

3DES – uses three 56-bit keys and runs 48 rounds of computations – very slow/heavy performance hit

AES (Advanced Encryption Standard) – six times faster than 3DES - Rijndael algorithm

works on blocks of 128 (10 rounds of computation), 192 (12) and 256 (14) bits

IDEA – works on 64 bit blocks of data using 128 bit key – has not yet been hacked

Blowfish – varying key size 32-448 bits – 16 rounds of computation – Bruce Schneier – given freely to the public domain

RC4 – most common stream cipher – used in SSL – Ron Rivest – source code stolen & leaked - algorithm is simple and efficient

RC5 – Ron Rivest – block cipher - variable block and key size – up to 255 rounds

RC6 – Ron Rivest – block cipher - better speed than RC5

 

Asymmetric Cryptography

                PKI – Public/private key pairs – Public always shared  - Private NEVER shared

                Slower than symmetrical – more overhead

                Provides more flexibility, including non-repudiation - scalable

Secure message format – encrypt with receiver’s public key – only receiver can open

Open message format – encrypt with sender’s private key –proves sender sent it

Diffie-Hellman Algorithm – used for key distribution only (no digital sig unless add El Gamal) – no authentication on its own so vulnerable to man in the middle attacks

RSA – MIT/RSA Laboratories – worldwide standard – digital signatures, key exchange, encryption all in one – uses LARGE numbers factored into prime numbers – often used in hybrid

El Gamal – extension of Diffie Hellman to allow digital signatures, also encryption and key exchange - slow performance

Elliptic Curve Cryptosystem – More bang for the buck – based on mathematical equations of geometry - greater security in a smaller key size

 

HYBRID Encryption

                Use asymmetric  cryptography to securely send a session key (symmetric, short term)

                Then encrypt with symmetric session key – session keys not reused, limited time

Zero Knowledge Proof – prevent inference attacks – provide nothing extra

               

Message Integrity

                One-way hash function – takes variable length message and creates a fixed-length hash value. The calculations are run on each side – if same, message has not been altered or corrupted. NEVER run in reverse.

                Hash – integrity only, not confidentiality or authentication

HMAC – integrity and data origin

                CBC-MAC – integrity and data origin (no hashing – uses ciphertext)

MD2 / MD4 / MD5 – Ron Rivest – 128 bit message digest – MD5 more complex, efficient

HAVAL – variable length hash based on MD5 – works on blocks of 1024

SHA – 160 bit hash designed by NSA/NIST – now offers multiple variants (SHA-256, SHA-384, SHA-512)

Tiger – 192 bit hash – faster than MD5 and SHA – works completely differently than other hash functions

 

Birthday Attack – Brute force attacks on hash (p 721)
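An added worked example (not from the study guide) for the message-integrity items and the birthday attack above: a bare hash that a tamperer can simply recompute, an HMAC that also proves data origin, and a birthday search on a digest truncated to a constructed small width that finds a collision in roughly 2^(bits/2) tries rather than 2^bits. Keys and messages are constructed for the demo.

```python
import hashlib
import hmac
import math
import secrets


def sha256_hex(message: bytes) -> str:
    """One-way hash: fixed-length digest that cannot be run in reverse. Both
    sides compute it; equal digests mean the message was not altered."""
    return hashlib.sha256(message).hexdigest()


def integrity_only_check(message: bytes, digest: str) -> bool:
    """A bare hash gives integrity but NOT data origin: whoever changes the
    message can recompute the digest, and the check still passes."""
    return hmac.compare_digest(sha256_hex(message), digest)


def mac(key: bytes, message: bytes) -> str:
    """HMAC: integrity AND data origin, because recomputing it needs the key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # Constant-time comparison so the verifier does not leak the tag byte by byte.
    return hmac.compare_digest(mac(key, message), tag)


def tamper_demo(key: bytes) -> dict:
    """Constructed wire message: a tamperer without the key can refresh the
    plain hash, but cannot produce a valid HMAC for the altered text."""
    original = b"PAY 100 TO ALICE"
    tag = mac(key, original)
    tampered = b"PAY 999 TO MALLORY"
    return {
        "hash_accepts_tampered": integrity_only_check(tampered, sha256_hex(tampered)),
        "hmac_accepts_tampered": verify_mac(key, tampered, tag),
        "hmac_accepts_original": verify_mac(key, original, tag),
    }


def birthday_collision(bits: int):
    """Brute-force birthday search on SHA-256 truncated to `bits` bits (a
    multiple of 8). Returns (attempts, msg_a, msg_b) with equal truncated
    digests. Only a toy width is searchable; the point is the growth rate."""
    seen = {}
    attempts = 0
    while True:
        msg = secrets.token_bytes(8)
        attempts += 1
        tag = hashlib.sha256(msg).digest()[: bits // 8]
        if tag in seen and seen[tag] != msg:
            return attempts, seen[tag], msg
        seen[tag] = msg


def expected_birthday_attempts(bits: int) -> float:
    """Expected number of random digests before the first collision in a
    2^bits space: about sqrt(pi/2 * 2^bits), i.e. 2^(bits/2) up to a constant.
    This is why a digest needs 2n bits for n bits of collision resistance."""
    return math.sqrt(math.pi / 2 * 2 ** bits)
```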

 

Digital Signatures – encrypt the message hash value with your private key – provides integrity and non-repudiation

 

PKI – Cert Authority  vs Registration Authority

                Certificate Revocation List

                Online Certificate Status Protocol (real time validation)

                PKI Steps on p730 if you need to review

                Key Mgmt – VERY important – protect from key loss, damage, etc.

                Keys should be as long as needed to protect data appropriately

                Keys should have a lifetime appropriate to the sensitivity of the info they protect

                The more they are used, the shorter their lifespan should be

                Key recovery / key recovery agent

 

Link Encryption – decrypts at each hop that routes – headers, trailers, addresses are also encrypted – physical/data link layer

End-to-End Encryption – headers, addresses, routing and trailer info is not encrypted – data remains encrypted from end-to-end, but header info (etc) can provide hackers with inside information – layer 6

 

Email Standards

MIME/SMIME

Privacy-Enhanced Mail (not flexible enough)

Message Security Protocol (NSA version of PEM)

PGP (pretty good privacy) – first widespread encryption for email and files – uses OWN certificates – uses passphrases not passwords – “web of trust” – keyring holds public keys of friends

 

Quantum Cryptography – uses quantum mechanics to guarantee secure communication – photons can carry data on particles of light - not subject to eavesdropping or man-in-the-middle attacks – just looking/sniffing at an atom changes its photons and invalidates the data stream

 

Internet Security

HTTP

HTTPS – verifies a secure transmission – server authenticates to client w/certificate – secure path until client disconnects – think SSL

SHTTP – protects individual message where https creates a circuit/channel

SET – new technology from Visa/MC to create secure credit card transactions over the web

Cookies

Secure Shell (SSH) – allows authentication and secure transmission over public lines – better than telnet

 

IPSec (Internet Protocol Security) – more flexibility, less $$

                Authentication Header (AH) – authentication protocol (no encrypt) – cannot use with NAT

                Encapsulating Security Payload (ESP) – strong encryption

 

Attacks

                Ciphertext-only / Chosen-ciphertext

                Plaintext-only / Chosen-plaintext

                Differential / Linear Cryptanalysis

                Side-channel attacks (Covert channels)

                Replay attacks


 

Chapter 9 – Business Continuity and Disaster Recovery

Disaster Recovery – minimize the effects of a disaster & resume operations as quickly as safely possible

Business Continuity – ensuring the business will continue after suffering catastrophic issue

1.       Develop continuity planning policy statement

2.       Conduct Business Impact Analysis (BIA)

3.       Identify preventative controls

4.       Develop recovery strategies

5.       Develop contingency plans

6.       Test the plan / conduct training & exercises

7.       Maintain the plan

 

Management support essential – you have to know where you hurt (not just revenue) the most to mitigate and handle risk

Plan should start at top level and build at each lower level – org plan vs dept plan

 

Business Impact Analysis – maps threats according to where/how they will hurt

                Maximum tolerable Downtime (MTD) – p 782 (Critical to Nonessential)

                Regulatory responsibilities / Legal obligations

                Reputation

                Interdependencies between systems

                SPOF (single points of failure) identified

                Preventative measures suggested

                Offsite storage/locations – (50 to 200 miles between critical infrastructure)

 

Hot Site, Warm Site, Cold Site – advantages and disadvantages of each (790)

Reciprocal agreements

Redundant sites (e.g. rolling hot site or multiple processing/call centers)

 

Hardware backups / hardware replacement strategy

Software backups – not just data, but applications – SOFTWARE ESCROW

Data backups – full backup, differential, incremental, copy – offsite storage – test restores

Electronic backups – disk mirroring, electronic vaulting, remote journaling, tape vaulting

 

Documentation – data, operating manuals, network diagrams, playbooks, application manuals, policies and procedures – anything that might be needed

Human Resources

                Executive Succession Planning – WHO is in charge?

                End user agreements – who is going to work at the alternate site & what does everyone else do

                Restoration team

                Salvage team

                Damage Assessment Team (include city experts)

3 Phases of BCP  Plan – Activation, Operation and Reconstitution Phase

                Reconstitution – move back to original site – least critical functions first

4 Goals of BCP Plan – Assigning responsibility, Defining Authority, Setting Priorities, Implementation & Testing

 

Testing and Drills

                Testing and exercises should occur at LEAST once a year

                Checklist Test

                Structured Walk-through test – group walks through diff scenarios to vet plan

                Simulation test

                Parallel Test

                Full-interruption test – most risky, rarely used

 

You can not read enough supplemental information about BCP!  It’s a very hot topic right now!

 

Here’s an excellent template for creating a BCP, with explanations built in –

http://74.125.155.132/search?q=cache:P4WjoIk2CCQJ:www.calstate.edu/risk_management/events/fitting_the_pieces_together/documents/presentations08/3cs08-5bcp.doc+reconstitution+phase+bcp&cd=3&hl=en&ct=clnk&gl=us

 

And a great paper on how to set up a BCP plan created by HP:

http://www.score.org/pdf/HP_BusinessContinuity_Download_6_07.pdf

 


Chapter 10 – Legal, Regulations, Compliance & Investigations

Computer assisted crime – computer is a tool for crime (i.e. to get secrets)

Computer targeted crime – crime not possible w/o computer (i.e. DOS attack)

Computer is incidental crime – computer is insignificant/secondary (i.e. store stolen secrets)

 

Zombie systems – Bots & Botnets

Script kiddies

Problem of international crimes – who prosecutes?  Who chases cyber criminals?

 

OECD (Org for Economic Cooperation and Development) – sets guidelines for transborder information flow (how data should be protected internationally) – guidelines not laws

 

SAFE HARBOR – outlines how private data must be transferred to/from Europe to protect it

                European Union much stricter – created Principles on Privacy ( 6 rules/guidelines)

 

Types of Law

                Civil / code law – based on rules not precedent

                Common Law – based on custom & precedent, includes civil, criminal & regulatory (admin)

                                Civil law – determines liability – can result in damages

                                Criminal law – determines guilt or innocence – violates law

                Customary Law – traditions/customs of the region – covers personal conduct & behavior

                Religious Law – open to interpretation, can vary by region

                Mixed Legal System

 

Trade Secret (p 849)

Copyright

Trademark

Patent  (remember Patent Trolls)

Software Piracy

 

PRIVACY

                Data aggregation companies

                HIPAA / SOX (just understand what they’re for and WHY we created them)

                PCI/DSS – credit card regulations on privacy – 12 req for safeguarding customer data

 

Due care (do correct) vs. Due diligence  (do detect)

 


Investigations

Incident Response  (incident vs event)

                Triage, Reaction, Follow-up

                Post mortem/root cause investigations – publish results, recommendations

Forensics – investigators MUST be properly trained or they could do more harm than good

                Motive, Opportunity and Means

                Should be documented process to ensure nothing is missed

 

IOCE – International Organization on Computer Evidence

                International principles on collecting and handling digital evidence

 

Control the crime scene

Create two duplicates of forensics media – never work on the original media

Ensure Chain of Custody

 

Evidence

                Best Evidence

                Secondary Evidence

                Direct Evidence

                Conclusive Evidence

                Circumstantial Evidence

                Corroborative Evidence

                Opinion / Expert Judgment Evidence

                Hearsay Evidence

 

Computer Surveillance – illegal in many states

                Also, if you are monitoring employees/customers you have to tell them

               

Enticement vs. Entrapment

Exigent Circumstances (p 883)

 

Attacks

                Salami attack – small attacks so larger crime goes unnoticed (Office Space)

                Data Diddling – modification of data to hide crime (Taco Bell)

                Excessive Privilege

                Password Sniffers – passive attack

                IP Spoofing

                Dumpster Diving – the most ignored danger

                Emanations Capturing - TEMPEST

                Wiretapping – telephone tapping, cellular scanners, etc. – illegal in most states


 

Ethics

                ISC2 Code of Ethics – http://www.isc2.org/ethics/default.aspx?terms=code+of+ethics

                Act Honorably, Respectfully, Ethically – even if that means you get fired for it

                Promote the business and the certification

 

Computer ethics institute – 10 commandments of computer ethics (not enforceable)

 

Corporate Ethics Programs

 

Internet Architecture Board (IAB) – http://www.iab.org

                Issues ethics related statements concerning the use of the internet – IAB oversees the technical and engineering development of the Internet and is run by the Internet Society (ISOC). Subcommittees include Internet Engineering Task Force (IETF) & Internet Research Task Force (IRTF)

ICANN – Internet Corporation for Assigned Names and Numbers

                responsible for managing the assignment of domain names and IP addresses. To date, much of its work has concerned the introduction of new generic top-level domains (TLDs).

IANA - Internet Assigned Numbers Authority (IANA) is the entity that oversees global IP address allocation, root zone management for the Domain Name System (DNS), media types, and other Internet Protocol related assignments. It is operated by ICANN.

 


Chapter 11 – Application Security

Vendors stress user friendliness over security – can cause clunky code

                Danger of Unpatched systems

 

Failure States – app should always return to a secure state after unexpected stop or failure

                (e.g. Blue Screen of Death)

 

DBMS – Database Management System

                Best practices for databases – p 914

Relational Database Model – linked by relationships – uses primary/foreign keys

Hierarchical Data model – tree structure – not as flexible or as common (LDAP)

Network database model – mesh like – multiple parents/ multiple children – fast retrieval

Object oriented database – holds images, music, 3-D data, geographical info & procedure

Object relational database (ord) – combine massive scalability & support for object oriented features

 

Semantic integrity – only numbers are allowed in a numeric field

Referential integrity – all foreign keys reference an existing primary key in another table

Entity integrity – guarantees the tuples (rows) have a unique primary key value – no duplicates

Rollback – transaction is all or nothing

Savepoints / database commit

 

Aggregation – using limited access to figure out the big picture / information beyond your level

                (An inference attack)

 

Database Security

                Database views

                Cell suppression

                Partitioning

                Noise & Perturbation

                Content dependent access controls

                Context dependent access controls

                Polyinstantiation (multiple tuples with same primary key for different access levels)

 

OLTP – Online Transaction Processing – load balancing, scalable, auto rollback, clustered

                ACID TEST – Atomic, Consistent, Isolated and Durable

 

Data Warehousing & Data Mining (KDD)

                Metadata


 

System Development Life Cycle – know these in order

1.        Project initiation – risk mgmt & risk analysis

2.       Functional design analysis and planning

3.       System design specifications - WBS

4.       Software development – verification vs validation

5.       Install / implement

6.       Operate / maintain

7.       Disposal

 

Remember: Separation of Duties in terms of system development

 

Testing – not only for functionality but test for errors, problems, invalid data

                Unit testing – indiv components

                Integration testing – all components work together

                Acceptance testing – customer is happy

                Regression testing – retest after a change takes place

                Black box testing – no access to code

                White box testing – unit testing w/code is an example

 

Software Development Methods – p 952

                Waterfall – discrete phases

                Spiral – similar to waterfall but revisits previous phases

                Joint Analysis Development – workshop oriented

                Rapid Application Development – done quickly – not recommended

                Cleanroom – highest quality method – critical apps / strict certification

 

CASE Tools  (Computer aided software engineering) – translators, compilers, debuggers

Prototyping (p 953)

 

CHANGE CONTROL – (hugely important on your exam)

1.       Formal request for a change

2.       Analyze change

3.       Record change in system of record

4.       Submit change for approval to stakeholders

5.       Develop / implement change

6.       Report results to management

 

Capability Maturity Model – process maturity – 5 levels

                Initial, Repeatable, Defined, Managed, and Optimized


 

Distributed Computing

CORBA / ORBs – vendor independent architecture – all apps based on the structure will work on any CORBA system

COM / DCOM – Microsoft standard similar to CORBA – use these APIs and the app is guaranteed to work on Windows

Enterprise Javabeans – platform independent – encapsulates business logic from the back end – specifically deals with persistence, transaction processing, java director svcs

OLE / Object Linking and Embedding – embed a picture or spreadsheet in your word doc

DCE – Distributed Computing Environment – open source version of DCOM/CORBA

 

Expert System

Knowledge-Based System

Artificial Neural Network

 

Web Security

                Administrative interfaces – highest security says only manage from system (not web)

                Authentication & Access control – PW policy

                Input validation – beware path/directory traversal, Unicode encoding (p 988)

                Remember:  Diff browsers respond differently – include mult in testing

                Client side validation by the app alone is not enough – think SQL injection attack

                Parameter validation – your app can check non-user input (O/S, browser, flash installed, etc.)

 

Mobile Code

Java applets – run in sandbox– JVM converts bytecode to  machine code

ActiveX – Microsoft mobile code – Authenticode technology relies on digital certs for security and authentication

 

Viruses – Require a host

                Macro, Boot Sector, Compression viruses

                Stealth, polymorphic, multipart and self-garbling viruses

                Meme virus, script virus, tunneling virus

Botnet / Zombie network

 

Worms – self contained / no host required / can reproduce on their own

                Logic bombs

                Trojan horses

                Remote Access Trojans – designed to take over system remotely – hide their existence

 

Anti-virus software

                Signature-based detection (typical fingerprint detection)

                Heuristic detection

                Behavior blocking – looks for suspicious activity

Malware Immunization – attaches fake code to files that makes it look like it’s been infected already

 

Spam detection

                Bayesian filtering – looks for filter words and how often they appear – mathematical calculations determine likelihood of msg being spam
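An added worked example (not from the study guide) of the Bayesian filtering described above: a naive Bayes classifier that counts how often each word appears in spam versus legitimate mail and combines the per-word likelihoods into one spam probability. The training messages are constructed for the demo.

```python
import math
import re
from collections import Counter

# Constructed training corpus for the demo: (message, is_spam)
TRAINING = [
    ("win a free prize now click here", True),
    ("free money claim your prize today", True),
    ("cheap pills buy now free shipping", True),
    ("claim free cash click now", True),
    ("meeting moved to thursday please confirm", False),
    ("please review the attached quarterly report", False),
    ("lunch on friday with the project team", False),
    ("can you confirm the meeting agenda", False),
]


def tokenize(text: str) -> list:
    return re.findall(r"[a-z']+", text.lower())


class BayesianFilter:
    """Counts, per word, the number of spam and ham messages it appears in,
    then applies Bayes' theorem (naive independence assumption) to score mail."""

    def __init__(self):
        self.spam_words, self.ham_words = Counter(), Counter()
        self.spam_msgs = 0
        self.ham_msgs = 0

    def train(self, text: str, is_spam: bool) -> None:
        words = set(tokenize(text))  # presence per message, not raw count
        if is_spam:
            self.spam_words.update(words)
            self.spam_msgs += 1
        else:
            self.ham_words.update(words)
            self.ham_msgs += 1

    def spam_probability(self, text: str) -> float:
        """P(spam | words), computed in log space to avoid underflow on long
        messages. Laplace (+1) smoothing keeps a single unseen-in-one-class
        word from forcing the answer to exactly 0 or 1."""
        total = self.spam_msgs + self.ham_msgs
        log_spam = math.log(self.spam_msgs / total)  # prior
        log_ham = math.log(self.ham_msgs / total)
        vocab = set(self.spam_words) | set(self.ham_words)
        for word in set(tokenize(text)):
            if word not in vocab:
                continue  # never seen in training: no evidence either way
            log_spam += math.log((self.spam_words[word] + 1) / (self.spam_msgs + 2))
            log_ham += math.log((self.ham_words[word] + 1) / (self.ham_msgs + 2))
        # P(spam) = S / (S + H) with S, H the two likelihoods, done via the logs
        return 1 / (1 + math.exp(log_ham - log_spam))


def trained_filter() -> BayesianFilter:
    """Filter trained on the constructed corpus above."""
    f = BayesianFilter()
    for text, is_spam in TRAINING:
        f.train(text, is_spam)
    return f
```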

 

Anti-Malware programs

                Most are signature based – need strict policy on what is loaded and how often it is updated

                Ensure users can’t disable, bypass, or override anti-virus / anti-malware – FORCE updates

                Best practices on p. 1006

 

PATCH MANAGEMENT

1.        Infrastructure in place to manage

2.       Research the patch

3.       Assess and test patch

4.       Mitigation steps (rollback plan)

5.       Deployment (rollout) of patch

6.       Validate, Report and Log results

Always back up before patching – integrate with config mgmt to maintain up to date inventory of HW, SW, Licenses, configs and patch level

 

 

Attacks

Denial of Service (DoS / DDoS)

Smurf – attacker spoofs IP address to be the victim’s and sends ICMP ECHO REQUEST packets to amplifying network – all responses go to victim to hopefully overwhelm system

Fraggle – attacker spoofs IP address to be the victim’s and sends UDP packets to amplifying network – all responses go to victim

SYN Flood – most common attack – send so many SYN requests to a port that it can’t respond and backlog causes system to lock and potentially crash – know what a SYN PROXY does

Teardrop – send fragmented packets that cannot be properly reassembled, system doesn’t know what to do – was worst on Win 3.1, 9x, NT and early Linux

 

               

Chapter 12 – Operations Security

This chapter does a great job of putting everything together – you might want to reread it as it’s full of good logic and best practices that you’ll want to know!

 

Administrative Mgmt

                Separation of duties / Dual control

                Job rotation

                Least privilege

                Mandatory vacations (at least a week)

 

Security personnel (NOT network team)

                Implements / maintains security equipment on network

                Carries out security assessments

                Creates / maintains user profiles and access control

                Configures / maintains security labels

                ***Sets initial passwords for users

                Reviews audit logs

 

Operational assurance – product’s architecture, embedded features, customer functionality

Life-cycle assurance – design specs, clipping levels, unit testing, config mgmt

 

Asset Management – knowing everything about the environment – hardware, firmware, operating system, language runtime environments, applications, and individual libraries

 

Trusted Recovery – return to secure state

                System reboot, ***emergency system restart, system cold start

System Crash –

1.        Enter into single mode (recovery console or equivalent)

2.       Fix the issue/ recover the files

3.       Validate critical files and operations***

Security Concerns – p 1040  (protect system logs, audit logs, bootup sequence & shutdown)

 

Media erasure – sanitization

                Purging, Zeroization, Degaussing (best), and Destruction

                Prevent others from accessing data remanence

Media tracking

                Do you know where your tapes are, what’s on them, how old they are, what the access controls are, etc.  Are they labeled?  Inventoried?

 

Data Leakage – most commonly caused by employees (intentional or unintentional)

 

Network Availability

                Redundant Hardware – no SPOF

                Fault tolerant technology

                Service Level agreements

                Solid operational procedures

MTBF, MTTR

 

Storage

                DASD

                RAID 0, RAID 1, RAID 5, RAID 10

                MAID, RAIT, SAN

                Clustering

                Grid Computing (like SETI)

                HSM – Hierarchical Storage Mgmt – moves between disk & tape

 

Email  - SMTP,   POP (download), IMAP (synchronize), Email Relay

Fax – understand the security concerns & the benefits of technologies like RightFax

 

Hacker Attack Methods

                Network mapping tools (like Nmap)

                Operating system fingerprinting (why is this dangerous)

                Port scanning

                Network sniffers / network analyzers / protocol analyzers – promiscuous mode

                Session hijacking

                Password cracking

                Backdoors

                Fake login screens

                Mail bombing (overwhelming mail server w/junk)

                Slamming and cramming (i.e. changing someone’s phone service)

 

Vulnerability testing

                Always get a written contract before beginning

                Includes personnel testing, physical testing and system/network testing

Penetration testing

                Discovery, Enumeration, Vulnerability mapping, Exploitation, Report to Mgmt

                Can perform with zero knowledge (like a hacker) or partial knowledge

                Tests can be blind (network team is aware), double blind (stealth assessment) or targeted to a specific area or system of interest

 

Wardialing

Black hat vs White hat hackers

 

Other Vulnerability Types

                Kernel flaws

                Buffer overflows

                Symbolic links (unix/linux)

                File descriptor attacks

                Race conditions

                File and directory permissions