Monthly Archives: December 2019
CISSP CBK Versions
- 2007, Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press) 1st Edition
- 2010, Official (ISC)2 Guide to the CISSP CBK, Second Edition ((ISC)2 Press)
- 2013, Official (ISC)2 Guide to the CISSP CBK, Third Edition
- 2015, Official (ISC)2 Guide to the CISSP CBK ((ISC)2 Press) 4th Edition
- 2019, The Official (ISC)2 Guide to the CISSP CBK Reference 5th Edition
CISSP PRACTICE QUESTIONS – 20191213

Your company decides to start the business of selling toys online and shipping globally. A team in-house is in charge of developing a web-based E-Commerce system that supports the new business. The team is evaluating the authentication solution. Which of the following is the least feasible?
A. Use the ‘Basic’ HTTP authentication encoded with Base64 but not encrypted
B. Use HTTP Digest access authentication that relies on browser implementation
C. Implement Kerberos to protect passwords and facilitate single sign-on (SSO)
D. Develop a proprietary mechanism by sending an HTML form via HTTP POST in clear text
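To make the difference between the options concrete, here is an added example (not part of the original post) that recovers a Basic credential from its header, computes and verifies an RFC 2617 Digest response, and then runs an offline guessing attack against a captured Digest exchange. The Basic test vector (Aladdin / open sesame) is the one from RFC 7617 and the Digest vector (Mufasa / Circle Of Life) is the one from RFC 2617; everything else is constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple


def decode_basic(authorization_header: str) -> Tuple[str, str]:
    """Recover user and password from an HTTP 'Basic' Authorization header.

    Basic only Base64-encodes "user:password" (RFC 7617). That is encoding,
    not encryption: anyone who can read the request can reverse it, which is
    why Basic without TLS (option A) is not a feasible choice.
    """
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token).decode("utf-8")
    user, _, password = decoded.partition(":")
    return user, password


def _md5_hex(value: str) -> str:
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server can store HA1 instead of
    the password and still verify Digest responses."""
    return _md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 Digest 'response' for qop=auth with the default MD5 algorithm.

    Only this hash travels over the wire; the password itself never does.
    """
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server-side check: recompute the response from the stored HA1 and
    compare in constant time."""
    expected = digest_response(ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)


def crack_digest(candidates: Iterable[str], username: str, realm: str,
                 method: str, uri: str, nonce: str, nc: str, cnonce: str,
                 response: str) -> Optional[str]:
    """Offline guessing attack against a sniffed Digest exchange.

    Digest hides the password from the wire, but every value needed to test a
    guess is in the captured request, so a weak password still falls to a
    dictionary attack without ever contacting the server. That is the caveat
    behind option B: Digest is better than Basic, but it is no substitute for
    TLS plus strong credentials.
    """
    for guess in candidates:
        candidate = digest_response(digest_ha1(username, realm, guess),
                                    method, uri, nonce, nc, cnonce)
        if hmac.compare_digest(candidate, response):
            return guess
    return None
```

Run `decode_basic("Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==")` and the credentials come straight back; run `crack_digest` with a small wordlist against the RFC 2617 request and the password is recovered as soon as it appears in the list. Neither Kerberos (option C) nor a well-designed form login over TLS has this property, because the secret is never derivable from a single captured exchange.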
10 Must-Read NIST Publications

- NIST Special Publication 800-12 Revision 1: An Introduction to Information Security
- NIST Special Publication 800-39: Managing Information Security Risk – Organization, Mission, and Information System View
- NIST Special Publication 800-30 Revision 1: Guide for Conducting Risk Assessments
- NIST Special Publication 800-37 Revision 2: Risk Management Framework for Information Systems and Organizations – A System Life Cycle Approach for Security and Privacy
- NIST Special Publication 800-53 Revision 4: Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-160 Volume 1: Systems Security Engineering – Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
- NIST Special Publication 800-88 Revision 1: Guidelines for Media Sanitization
- NIST Special Publication 800-41 Revision 1: Guidelines on Firewalls and Firewall Policy
- NIST Special Publication 800-61 Revision 2: Computer Security Incident Handling Guide
- NIST Special Publication 800-115: Technical Guide to Information Security Testing and Assessment
Recommended
- NIST Special Publication 800-100: Information Security Handbook: A Guide for Managers
- NIST Special Publication 800-34 Revision 1: Contingency Planning Guide for Federal Information Systems
- NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program
- NIST Special Publication 800-70 Revision 4: National Checklist Program for IT Products – Guidelines for Checklist Users and Developers
- NIST Special Publication 800-86: Guide to Integrating Forensic Techniques into Incident Response
- NIST Special Publication 800-92: Guide to Computer Security Log Management
- NIST Special Publication 800-94: Guide to Intrusion Detection and Prevention Systems (IDPS)
- NIST Special Publication 800-128: Guide for Security-Focused Configuration Management of Information Systems
- NIST Special Publication 800-150: Guide to Cyber Threat Information Sharing
- NIST Special Publication 800-153: Guidelines for Securing Wireless Local Area Networks (WLANs)
- NIST Special Publication 800-32: Introduction to Public Key Technology and the Federal PKI Infrastructure
CISSP PRACTICE QUESTIONS – 20191212

The development team of your company is implementing a web-based, multi-tiered Procurement Management System. Purchase orders shall be approved before issuance by different management levels based on a variety of criteria, e.g., order amount, supplier, or product category. Because the criteria are subject to change, the development team decides not to hard-code the approval logic and policies but implements a user interface for the procurement manager to manage them. The web server delegates the authorization decision for requests from web clients to a remote authorization server that refers to the approval policies managed by the procurement manager. If the authorization mechanism is based on XACML, which of the following roles does the web server play?
A. Policy Enforcement Point (PEP)
B. Policy Decision Point (PDP)
C. Policy Administration Point (PAP)
D. Policy Information Point (PIP)
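The four XACML roles in the question map cleanly onto four small components. The following is an added example (not from the original post) that wires them together: the procurement manager's UI writes rules into the PAP, the PDP is the remote authorization server, the PIP supplies attributes the request does not carry (approver level, supplier risk), and the PEP is the web server, which never decides anything itself and fails closed on any answer other than Permit. The rules, approver levels and suppliers are constructed for illustration; the deny-overrides combining algorithm is one of the standard XACML combining algorithms.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# Approver seniority used by the constructed rules (assumption, not from the question).
LEVELS = {"manager": 1, "director": 2, "cfo": 3}


@dataclass
class Rule:
    name: str
    applies: Callable[[Dict], bool]  # condition over the enriched request attributes
    effect: str                      # PERMIT or DENY when the condition holds


class PolicyAdministrationPoint:
    """PAP: the back end of the UI where the procurement manager maintains rules."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def remove_rule(self, name: str) -> None:
        self.rules = [r for r in self.rules if r.name != name]


class PolicyInformationPoint:
    """PIP: supplies attributes the request itself does not carry, e.g. the
    approver's level from HR and the supplier's risk rating from vendor data."""

    def __init__(self, approver_levels: Dict[str, str], supplier_risk: Dict[str, str]):
        self.approver_levels = approver_levels
        self.supplier_risk = supplier_risk

    def enrich(self, request: Dict) -> Dict:
        attrs = dict(request)
        level_name = self.approver_levels.get(request["approver"], "")
        attrs["approver_level"] = LEVELS.get(level_name, 0)   # unknown approver -> 0
        attrs["supplier_risk"] = self.supplier_risk.get(request["supplier"], "unknown")
        return attrs


class PolicyDecisionPoint:
    """PDP: the remote authorization server. Evaluates the enriched request
    against the PAP's current rules with deny-overrides combining."""

    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self.pap, self.pip = pap, pip

    def evaluate(self, request: Dict) -> str:
        attrs = self.pip.enrich(request)
        effects = {r.effect for r in self.pap.rules if r.applies(attrs)}
        if DENY in effects:
            return DENY
        if PERMIT in effects:
            return PERMIT
        return NOT_APPLICABLE


class PolicyEnforcementPoint:
    """PEP: the web server. It asks the PDP and enforces the answer; anything
    other than an explicit Permit (Deny, NotApplicable) is rejected."""

    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def approve_purchase_order(self, request: Dict) -> str:
        decision = self.pdp.evaluate(request)
        return "approved" if decision == PERMIT else f"rejected ({decision})"


def build_demo() -> PolicyEnforcementPoint:
    """Wire the four roles with constructed sample policies and attributes."""
    pap = PolicyAdministrationPoint()
    pap.add_rule(Rule("large orders need a director",
                      lambda a: a["amount"] > 10_000 and a["approver_level"] < LEVELS["director"],
                      DENY))
    pap.add_rule(Rule("high-risk suppliers need the CFO",
                      lambda a: a["supplier_risk"] == "high" and a["approver_level"] < LEVELS["cfo"],
                      DENY))
    pap.add_rule(Rule("any manager may approve",
                      lambda a: a["approver_level"] >= LEVELS["manager"],
                      PERMIT))
    pip = PolicyInformationPoint(
        approver_levels={"alice": "director", "bob": "manager", "carol": "cfo"},
        supplier_risk={"ACME Toys": "low", "Shadow Ltd": "high"},
    )
    return PolicyEnforcementPoint(PolicyDecisionPoint(pap, pip))
```

The point of the split is that changing a threshold is a PAP operation (`remove_rule`/`add_rule`) that takes effect on the next PDP evaluation without touching the web server, and that the web server (PEP) is the only component that ever sees or blocks the actual purchase-order request.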
My CISSP Course Overview
Common Attacks

- Brute force
- Advanced Persistent Threat (APT)
- Multi-vector, polymorphic attacks
- Denial of Service
- Buffer Overflows
- Mobile Code: ActiveX, JavaApplet, Flash, JavaScript
- Malicious Software (Malware)
- Drive-by download attacks
- Spyware
- Trojan Horse
- Keyloggers
- Password Crackers
- Spoofing/Masquerading
- Sniffers, Eavesdropping, and Tapping
- Emanations and TEMPEST: spontaneous emission of electromagnetic radiation (EMR) that is subject to TEMPEST eavesdropping
- Shoulder Surfing
- Tailgating
- Piggybacking
- Object Reuse
- Data Remanence
- Unauthorized Targeted Data Mining
- Dumpster Diving
- Backdoor/Trapdoor
- Maintenance Hook
- Logic bombs
- Social Engineering
- Phishing
- Pharming: a cyber attack intended to redirect a website's traffic to another, fake site
- Covert Channel: an unauthorized channel for data transportation
- IP Spoofing/Masquerading: IP spoofing is malicious, while masquerading is a specific form of Network Address Translation (NAT) and can be legitimate
- Elevation of privilege/Privilege escalation
- Tampering
- Sabotage
- SQL injection
- Cross-Site Scripting (XSS)
- Session Hijacking and Man-in-the-Middle Attacks
- Zero-day exploit: an exploit that hits after a vulnerability is discovered or announced but before a patch or other solution is implemented
- Race condition
- TOC/TOU
- Aggregation and Inference
- Data diddling
- Salami attack
- Frequency analysis (against classical ciphers)
- Cryptanalytic attacks: Ciphertext only, Known plaintext, Chosen ciphertext, Chosen plaintext (CPA)
- Implementation attacks: Side-Channel Analysis (active or passive) and Fault Analysis (active), e.g., Timing attack and Differential fault analysis
- Man-in-the-Middle (MITM)
- Meet-in-the-Middle
- Birthday attack
- ARP poisoning
- DNS cache poisoning/spoofing
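Of the attacks listed, frequency analysis against a classical cipher is the one that can be shown end to end in a few lines, so here is an added example (not part of the original post): a ciphertext-only attack that recovers the key of a monoalphabetic shift cipher by scoring each candidate decryption against the standard English letter-frequency table with a chi-squared statistic. The sample plaintext is constructed; the frequency table is the commonly published one for English text.

```python
from typing import Dict, List, Tuple

# Letter frequencies of English text in percent (standard published table),
# used as the reference distribution.
ENGLISH_FREQ_PERCENT = {
    "a": 8.167, "b": 1.492, "c": 2.782, "d": 4.253, "e": 12.702, "f": 2.228,
    "g": 2.015, "h": 6.094, "i": 6.966, "j": 0.153, "k": 0.772, "l": 4.025,
    "m": 2.406, "n": 6.749, "o": 7.507, "p": 1.929, "q": 0.095, "r": 5.987,
    "s": 6.327, "t": 9.056, "u": 2.758, "v": 0.978, "w": 2.360, "x": 0.150,
    "y": 1.974, "z": 0.074,
}
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Constructed sample plaintext; long enough that letter statistics are stable.
SAMPLE_PLAINTEXT = (
    "Attackers who can read a large amount of ciphertext produced by a simple "
    "substitution cipher will notice that the most common symbols correspond to "
    "the most common letters of the language, and that observation alone is "
    "usually enough to recover the key without ever seeing the plaintext. "
    "Frequency analysis defeats every monoalphabetic cipher for exactly this "
    "reason, and it is the classic example of a ciphertext-only attack."
)


def shift_cipher(text: str, shift: int) -> str:
    """Caesar-style monoalphabetic shift; non-letters pass through unchanged.
    A negative shift decrypts."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def letter_counts(text: str) -> Dict[str, int]:
    counts = {c: 0 for c in ALPHABET}
    for ch in text.lower():
        if ch in counts:
            counts[ch] += 1
    return counts


def chi_squared(text: str) -> float:
    """Distance between the letter distribution of `text` and English
    (lower means closer to English)."""
    counts = letter_counts(text)
    total = sum(counts.values())
    score = 0.0
    for c in ALPHABET:
        expected = total * ENGLISH_FREQ_PERCENT[c] / 100
        score += (counts[c] - expected) ** 2 / expected
    return score


def rank_shifts(ciphertext: str) -> List[Tuple[int, float]]:
    """Ciphertext-only attack: try all 26 keys and rank the candidate
    plaintexts by how English-like they look, best candidate first."""
    scored = [(k, chi_squared(shift_cipher(ciphertext, -k))) for k in range(26)]
    return sorted(scored, key=lambda pair: pair[1])


def recover_shift(ciphertext: str) -> int:
    return rank_shifts(ciphertext)[0][0]


def most_common_letters(text: str, n: int = 3) -> List[str]:
    """The letters an analyst would look at first: the most frequent symbols."""
    counts = letter_counts(text)
    return sorted(ALPHABET, key=lambda c: -counts[c])[:n]
```

The same scoring works for any monoalphabetic substitution once the key space is enumerated or hill-climbed, which is why the attack is classed as ciphertext-only: the analyst needs nothing but the captured ciphertext and knowledge of the plaintext language.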
CISSP PRACTICE QUESTIONS – 20191211

Your company has implemented a variety of information systems, each hosting its own user accounts, and an LDAP-compliant directory maintained by the Human Resources department. The development team is developing a solution that streamlines the HR processes for creating and synchronizing new employee accounts and assigning privileges across systems. As a security professional, which of the following would you recommend most?
A. Federated Identity
B. XACML (eXtensible Access Control Markup Language)
C. SPML (Service Provisioning Markup Language)
D. IDaaS (Identity as a Service)
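The core of a provisioning solution is reconciliation: compare what the authoritative HR directory says should exist against what each target system actually holds, and emit create, modify and delete operations. The following is an added example (not from the original post) of that loop. Operation names follow the SPML request types (add, modify, delete) for readability only; this is not the SPML wire format, and the HR records, role mapping and target-system contents are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# department -> system -> entitlements (constructed role mapping, an assumption)
RoleMap = Dict[str, Dict[str, Set[str]]]
# system -> uid -> entitlements currently held
SystemState = Dict[str, Dict[str, Set[str]]]


@dataclass(frozen=True)
class Employee:
    uid: str
    department: str
    active: bool


# Constructed sample data: HR is authoritative, targets drift away from it.
SAMPLE_HR = [
    Employee("alice", "sales", True),
    Employee("bob", "finance", True),
    Employee("carol", "sales", False),        # terminated, still has a CRM account
]
SAMPLE_ROLE_MAP: RoleMap = {
    "sales": {"crm": {"crm_user"}, "erp": {"order_entry"}},
    "finance": {"erp": {"ap_clerk", "reports"}},
}
SAMPLE_CURRENT: SystemState = {
    "crm": {"alice": {"crm_user"}, "carol": {"crm_user"}},
    "erp": {"bob": {"ap_clerk"}, "mallory": {"admin"}},   # mallory is not in HR at all
}


def desired_state(hr_records: List[Employee], role_map: RoleMap) -> SystemState:
    """Derive what every target system should contain from the HR directory:
    active employees get their department's entitlements and nobody else exists."""
    systems = {s for per_system in role_map.values() for s in per_system}
    desired: SystemState = {s: {} for s in systems}
    for emp in hr_records:
        if not emp.active:
            continue
        for system, entitlements in role_map.get(emp.department, {}).items():
            desired[system][emp.uid] = set(entitlements)
    return desired


def plan_provisioning(hr_records: List[Employee], current: SystemState,
                      role_map: RoleMap) -> List[Dict]:
    """Reconcile current target-system state against HR and return the
    ordered list of operations needed to bring the targets in line."""
    desired = desired_state(hr_records, role_map)
    ops: List[Dict] = []
    for system in sorted(set(desired) | set(current)):
        want = desired.get(system, {})
        have = current.get(system, {})
        for uid in sorted(set(want) | set(have)):
            if uid in want and uid not in have:
                ops.append({"op": "add", "system": system, "uid": uid,
                            "grant": sorted(want[uid])})
            elif uid in have and uid not in want:
                # terminated employee or an orphan/rogue account: remove it
                ops.append({"op": "delete", "system": system, "uid": uid})
            else:
                grant, revoke = want[uid] - have[uid], have[uid] - want[uid]
                if grant or revoke:
                    ops.append({"op": "modify", "system": system, "uid": uid,
                                "grant": sorted(grant), "revoke": sorted(revoke)})
    return ops


def apply_plan(current: SystemState, ops: List[Dict]) -> SystemState:
    """Simulate the target systems applying the operations (pure function)."""
    state: SystemState = {s: {u: set(e) for u, e in accts.items()} for s, accts in current.items()}
    for op in ops:
        accounts = state.setdefault(op["system"], {})
        if op["op"] == "add":
            accounts[op["uid"]] = set(op["grant"])
        elif op["op"] == "delete":
            accounts.pop(op["uid"], None)
        else:
            accounts[op["uid"]] = (accounts[op["uid"]] | set(op["grant"])) - set(op["revoke"])
    return state
```

Two properties are worth checking in any provisioning design: the plan must be idempotent (running it again after it has been applied yields no operations), and accounts that exist in a target but not in the authoritative source must surface as deletions rather than being silently ignored, because those orphans are exactly what an attacker or a departed employee would leave behind.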
Trusted Path

To build a trusted path, we identify a key on the keyboard (in Windows NT this is the key combination Ctrl-Alt-Delete) and make it special. Whenever this key is pressed, the security kernel gets control and monitors what is typed on the keyboard. There is no way to hijack the key that opens the trusted path. (Schneider)
Wikipedia
A trusted path or trusted channel is a mechanism that provides confidence that the user is communicating with what the user intended to communicate with, ensuring that attackers can’t intercept or modify whatever information is being communicated.
The term was initially introduced by the Orange Book. As a security architecture concept, it can be implemented with any technical safeguards suitable for the particular environment and risk profile.
Source: Wikipedia
Orange Book
- Trusted Path – A mechanism by which a person at a terminal can communicate directly with the Trusted Computing Base. This mechanism can only be activated by the person or the Trusted Computing Base and cannot be imitated by untrusted software.
- B2: NEW: The TCB shall support a trusted communication path between itself and user for initial login and authentication. Communications via this path shall be initiated exclusively by a user.
- B3: CHANGE: The TCB shall support a trusted communication path between itself and users for use when a positive TCB-to-user connection is required (e.g., login, change subject security level). Communications via this trusted path shall be activated exclusively by a user or the TCB and shall be logically isolated and unmistakably distinguishable from other paths.
Source: Trusted Computer System Evaluation Criteria [“Orange Book”]
NIST FARM
Excerpts from NIST SP 800-39 and NIST SP 800-30 R1
MULTITIERED ORGANIZATION-WIDE RISK MANAGEMENT

RISK MANAGEMENT PROCESS APPLIED ACROSS THE TIERS

INFORMATION SECURITY REQUIREMENTS INTEGRATION

RELATIONSHIP AMONG RISK FRAMING COMPONENTS

RISK ASSESSMENT PROCESS

GENERIC RISK MODEL WITH KEY RISK FACTORS

Assessment Approaches
Risk, and its contributing factors, can be assessed in a variety of ways, including quantitatively, qualitatively, or semi-quantitatively.
Analysis Approaches
An analysis approach can be: (i) threat-oriented; (ii) asset/impact-oriented; or (iii) vulnerability-oriented.
- Organizations have great flexibility in choosing a particular analysis approach. The specific approach taken is driven by different organizational considerations.
- However, differences in the starting point of the risk assessment can potentially bias the results, causing some risks not to be identified.
- Therefore, identification of risks from a second orientation (e.g., complementing a threat-oriented analysis approach with an asset/impact-oriented analysis approach) can improve the rigor and effectiveness of the analysis.
In addition to the orientation of the analysis approach, organizations can apply more rigorous analysis techniques (e.g., graph-based analyses) to provide an effective way to account for the many-to-many relationships.
- For example, graph-based analysis techniques (e.g., functional dependency network analysis, attack tree analysis for adversarial threats, fault tree analysis for other types of threats) provide ways to use specific threat events to generate threat scenarios.
- Graph-based analysis techniques can also provide ways to account for situations in which one event can change the likelihood of occurrence for another event. Attack and fault tree analyses, in particular, can generate multiple threat scenarios that are nearly alike, for purposes of determining the levels of risk.
- With automated modeling and simulation, large numbers of threat scenarios (e.g., attack/fault trees, traversals of functional dependency networks) can be generated. Thus, graph-based analysis techniques include ways to restrict the analysis to define a reasonable subset of all possible threat scenarios.
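The attack-tree technique described above can be made concrete with a small evaluator. The following is an added example (not from SP 800-30 or the original post) that propagates leaf-event likelihoods through AND/OR gates, enumerates the threat scenarios a tree generates (each scenario is one traversal, i.e. a set of leaf events that together achieve the root goal), and ranks them so the analysis can be restricted to the most plausible subset. The tree, its event names and its probabilities are constructed for illustration, and leaf events are assumed independent; the document's point that one event can change another's likelihood would need conditional probabilities on top of this.

```python
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Optional, Tuple

Scenario = Tuple[str, ...]


@dataclass
class Node:
    """Attack-tree node: a leaf threat event with an estimated likelihood,
    or an AND/OR gate over child nodes."""
    name: str
    gate: str = "LEAF"           # "LEAF", "AND" or "OR"
    p: float = 0.0               # leaves only: likelihood the event succeeds
    children: List["Node"] = field(default_factory=list)


# Constructed sample tree for an online toy shop (assumed names and numbers).
SAMPLE_TREE = Node("Steal customer payment data", "OR", children=[
    Node("Compromise the web application", "AND", children=[
        Node("Find an exploitable SQL injection", p=0.3),
        Node("Exfiltrate records through the application", p=0.8),
    ]),
    Node("Compromise an administrator", "AND", children=[
        Node("Phish an administrator's password", p=0.4),
        Node("Bypass the administrator's MFA", p=0.2),
    ]),
    Node("Insider copies the database", p=0.05),
])


def likelihood(node: Node) -> float:
    """Propagate leaf likelihoods up the tree assuming independent events:
    AND = every child succeeds, OR = at least one child succeeds."""
    if node.gate == "LEAF":
        return node.p
    child_p = [likelihood(c) for c in node.children]
    if node.gate == "AND":
        result = 1.0
        for p in child_p:
            result *= p
        return result
    if node.gate == "OR":
        all_fail = 1.0
        for p in child_p:
            all_fail *= 1 - p
        return 1 - all_fail
    raise ValueError(f"unknown gate {node.gate!r}")


def leaves(node: Node) -> Dict[str, float]:
    if node.gate == "LEAF":
        return {node.name: node.p}
    out: Dict[str, float] = {}
    for c in node.children:
        out.update(leaves(c))
    return out


def scenarios(node: Node) -> List[Scenario]:
    """Enumerate threat scenarios: OR contributes each child's scenarios,
    AND combines one scenario from every child (cartesian product)."""
    if node.gate == "LEAF":
        return [(node.name,)]
    if node.gate == "OR":
        return [s for c in node.children for s in scenarios(c)]
    combos = product(*(scenarios(c) for c in node.children))
    return [tuple(e for part in combo for e in part) for combo in combos]


def ranked_scenarios(node: Node, limit: Optional[int] = None) -> List[Tuple[float, Scenario]]:
    """Scenarios ordered by likelihood (product of their leaf likelihoods).
    `limit` keeps only the top entries, restricting a large generated set
    to the subset worth carrying into the risk determination."""
    leaf_p = leaves(node)
    ranked = []
    for s in scenarios(node):
        p = 1.0
        for event in s:
            p *= leaf_p[event]
        ranked.append((p, s))
    ranked.sort(key=lambda pair: (-pair[0], pair[1]))
    return ranked[:limit] if limit is not None else ranked
```

For the sample tree the web-application path (0.3 × 0.8 = 0.24) outranks both the phished-administrator path (0.08) and the insider (0.05), and the root likelihood under the independence assumption is 1 − (1 − 0.24)(1 − 0.08)(1 − 0.05) ≈ 0.336. Complementing this threat-oriented view with an asset/impact-oriented pass, as the text recommends, would then attach the value of the payment data to each scenario.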
Sources
- NIST SP 800-39
- NIST SP 800-30 R1