Thursday, October 30, 2014

6.3 - TCP/IP Model

Transmission Control Protocol/Internet Protocol (TCP/IP) is a suite of protocols that governs the way data travel from one device to another.

IP is a network layer protocol and provides datagram routing services. IP’s main task is to support internetwork addressing and packet routing. It is a connectionless protocol that envelops data passed to it from the transport layer. It works with other protocols to transmit the data to the destination computer and then reassemble the data back into a form that the application layer can understand and process.

The text explains IP as:

"The data, IP, and network relationship can be compared to the relationship between a letter and the postal system:

  • Data = Letter
  • IP = Addressed envelope
  • Network = Postal system

The message is the letter, which is enveloped and addressed by IP, and the network and its services enable the message to be sent from its origin to its destination, like the postal system."
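The envelope analogy in code, as an added example that is not part of the original post or the exam guide: a minimal IPv4 header is built around a constructed payload standing in for a TCP segment, checksummed the way RFC 791 specifies, and then parsed back out. The addresses and the payload are made up for the example.

```python
# Added example (not from the blog or the CISSP guide): how IP "envelops" a
# transport-layer payload. Builds a minimal IPv4 header around a constructed
# payload standing in for a TCP segment, computes the RFC 791 header checksum,
# and parses the datagram back, rejecting truncated or corrupted headers.
import socket
import struct

IPV4_HEADER_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options
IPPROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's-complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IPPROTO_TCP,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Envelope `payload` in an IPv4 header: the 'addressed envelope' of the analogy."""
    ihl = 5                                 # header length in 32-bit words
    version_ihl = (4 << 4) | ihl
    total_length = ihl * 4 + len(payload)
    flags_frag = 0x4000                     # DF flag set, fragment offset 0
    header = struct.pack(IPV4_HEADER_FMT, version_ihl, 0, total_length, ident,
                         flags_frag, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)        # computed with the checksum field zeroed
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(datagram: bytes) -> dict:
    """Strip the envelope: return header fields and the transport-layer payload.

    Raises ValueError for anything a receiver should drop rather than trust:
    truncated headers, wrong version, bad checksum, or a total length that
    claims more bytes than were actually received.
    """
    if len(datagram) < 20:
        raise ValueError("truncated header")
    (version_ihl, tos, total_length, ident, flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(IPV4_HEADER_FMT, datagram[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(datagram) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    if ipv4_checksum(datagram[:ihl]) != 0:  # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    if total_length < ihl or total_length > len(datagram):
        raise ValueError("total length field does not match received bytes")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "ttl": ttl,
        "protocol": proto,
        "total_length": total_length,
        "dont_fragment": bool(flags_frag & 0x4000),
        "payload": datagram[ihl:total_length],
    }


def is_valid(datagram: bytes) -> bool:
    """True when parse_ipv4 accepts the datagram, False when it would be dropped."""
    try:
        parse_ipv4(datagram)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a fake segment travelling from 10.0.0.1 to 10.0.0.2.
    dg = build_ipv4("10.0.0.1", "10.0.0.2", b"constructed TCP segment")
    print(parse_ipv4(dg))
```

The receiver-side checks are the part worth noticing: a header that fails the checksum, is truncated, or claims more bytes than arrived is dropped rather than trusted, which is what keeps a malformed envelope from being handed up to the transport layer.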

6.2 - Open Systems Interconnection Reference Model

The ISO (International Organization for Standardization) developed a set of protocols intended for use by all vendors throughout the world, to allow the interconnection of network devices.

This ideology was perpetuated with the intent of ensuring all vendor products and technologies could communicate and interact across international and technical boundaries.

The protocol set did not catch on as a standard, but its model, the OSI model, was adopted and is used as an abstract framework to which most operating systems and protocols adhere.

6.1 - Telecommunications & Network Security

Telecommunications and networking use various devices, software, and protocols that are interrelated and integrated.

Telecommunications is the electrical transmission of data among systems, whether through analog, digital, or wireless transmission types. Networking, by contrast, is the more complex side of the computer field, because its technologies keep evolving. Modern technologies are improving exponentially in functionality and security, month by month, and there always seem to be new and emerging technologies that must be learned, understood, implemented, and secured.

Network administrators must know how to configure networking software, protocols, services, and devices, deal with interoperability issues, and troubleshoot effectively.

5.5 - Perimeter Security (Part II)

As previously discussed, perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions.
Here, we will discuss the elements that make up these categories.


  • Facility Access Control
    • When it comes to physical security, access control needs to be enforced through physical and technical components. Having personnel within sensitive areas is one of the best security controls because they can personally detect suspicious behavior. However, they need to be trained on what activity is considered suspicious and how to report such activity.
  • Personnel Access Controls
    • Proper identification is needed to verify whether the person attempting to access a facility or area should actually be allowed in. Identification and authentication can be verified by matching an anatomical attribute (biometric system), using smart or memory cards (swipe cards), presenting a photo ID to a security guard, using a key, or providing a card and entering a password or PIN.
    • Additionally, this stops piggybacking, which occurs when an individual gains unauthorized access by using someone else’s legitimate credentials or access rights.
  • External Boundary Protection Mechanisms
    • Proximity protection components are usually put into place to provide one or more of the following services:
      • Control pedestrian and vehicle traffic flows
      • Various levels of protection for different security zones
      • Buffers and delaying mechanisms to protect against forced entry attempts
      • Limit and control entry points

5.5 - Perimeter Security (Part I)

The first line of defense is perimeter control at the physical site, which prevents unauthorized access to the facility. Perimeter security deals with facility and personnel access controls, external boundary protection mechanisms, intrusion detection, and corrective actions.

Perimeter Security Defense Model:

This defense model works in two main modes: 

1) During normal facility operations
    • When the facility is in operation, security gets more complicated because authorized individuals need to be distinguished from unauthorized individuals.
2) After the facility is closed
    • When closed, all doors should be locked with monitoring mechanisms in strategic positions to alert security personnel of suspicious activity. 


5.4 - Internal Support Systems

When dealing with physical security, support services must also be considered, because malfunctions or disruptions could negatively affect the organization in many ways.

For example, in August of 2003, eight East Coast states (and parts of Canada) lost power for several days. During the investigation, there were rumors of a worm causing this disruption; however, the official report attributed it to a software bug in GE Energy’s XA/21 system. This left over 50 million people without power for days and resulted in four nuclear power plants being shut down. When dealing with organizations, security professionals must be able to handle both the smaller issues, such as power surges or sags, and the massive issues, such as what happened in the United States and Canada on August 14, 2003.

  • Electric Power
    • Protecting power can be done in three ways: through UPSs, power line conditioners, and backup sources.
  • Environmental Issues
    • Improper environmental controls can cause damage to services, hardware, and lives, and the interruption of some services can have unpredictable results.
    • Maintaining appropriate temperature and humidity is important in any facility, especially facilities with computer systems. Improper levels of either can cause damage to computers and electrical devices. High humidity can cause corrosion, and low humidity can cause excessive static electricity. This static electricity can short out devices, cause the loss of information, or provide amusing entertainment for unsuspecting employees.
  • Ventilation
    • Ventilation has several requirements that must be met to ensure a safe and comfortable environment.
    • A closed-loop recirculating air-conditioning system should be installed to maintain air quality. This means the air within the building is reused after it has been properly filtered, instead of bringing outside air in.
    • Positive pressurization and ventilation should also be implemented to control contamination. Positive pressurization means that when an employee opens a door, the air goes out, and outside air does not come in. 
  • Fire Prevention, Detection, and Suppression
    • Fire prevention includes training employees on how to react properly when faced with a fire, supplying the right equipment and ensuring it is in working order, making sure there is an easily reachable fire suppression supply, and storing combustible elements in the proper manner.
    • Fire detection includes manual detection systems, such as the red pull boxes seen on many building walls, and automatic detection and response systems built with sensors that react when they detect the presence of fire or smoke.
    • Fire suppression is the use of a suppression agent to put out a fire. This takes place manually through handheld portable extinguishers, or via automated systems such as water sprinkler systems, or halon or CO2 discharge systems.

Tuesday, October 21, 2014

5.3 - Protecting Assets

In this section, we identify the main physical security components used to fight against threats such as theft, interruption to services, physical damage, compromised system and environment integrity, and unauthorized access.

The loss from these components being damaged, as well as the cost to replace these systems, consultant fees, and additional negative effects on productivity and customer confidence, are considered real losses. Although companies are generally prepared for these types of losses by using risk analysis tools, oftentimes the data held within these systems is of far greater value than the physical systems themselves.

The risk of physical theft can be mitigated by taking the following measures:

• Inventory all laptops, including serial numbers, so they can be properly identified if recovered.
• Password-protect the BIOS.
• Register physical devices with the vendor so a report can be filed if they are stolen.
• Do not check physical devices as luggage when flying.
• Never leave a physical device unattended (it should be carried in a nondescript carrying case).
• Engrave the device with a symbol or number for proper identification.
• Back up the data from the laptop and store it on a stationary PC or backup media.
• Use specialized safes.
• Encrypt the data.

Wednesday, October 15, 2014

5.2 - The Planning Process


Physical security programs depend on the level of protection needed by the organization they are designed to protect. Typically, this depends on the organization’s acceptable level of risk. When an organization defines its acceptable level of risk, it must first identify the laws and regulations it must comply with and the threat profile of the overall organization.


Monday, October 13, 2014

5.1 - Introduction to Physical Security

In the early days of computing (circa 1960-1970), the physical security of computers and their resources was not nearly as difficult as it is now. This was due to the large size of those computers, which consisted mostly of mainframes secured away in server rooms, and the fact that a limited number of individuals knew what to do with them.

In present day, most computers are compact enough to sit on desks in every company around the world. Also, access to devices and other resources is distributed throughout the environment. Organizations now have server rooms and remote mobile users that take computers out of the company facility. "Properly protecting these computer systems, networks, facilities, and employees has become an overwhelming task to many companies." -CISSP: All In One Exam Guide


Sunday, October 12, 2014

4.4 - Open vs. Closed Systems


Open systems are built upon “standards, protocols, and interfaces that have published specifications”. This type of architecture provides interoperability between computer products created by various vendors. This interoperability is possible because all the vendors involved follow certain standards and provide interfaces that enable their systems to communicate with other systems.

A vast majority of the systems in use today are open. The book states that the reason an administrator can have several different operating systems on computers and they are still able to communicate easily on the same network is because these platforms are open.

Closed architecture systems do not require or follow industry standards. Interoperability and standardized interfaces are not used to enable simple communication between different types of systems; these systems are proprietary.

A closed architecture can potentially provide more security to the system because it may operate in a more secluded environment than open systems do, owing to the proprietary nature of closed systems. There are few tools to thwart its security mechanisms and not as many individuals who understand its design, language, and security weaknesses well enough to exploit them.

4.3 - System Security Architecture

Firstly, security starts at the policy level, where a high-level directive provides the foundational goals for the overall system.

A security policy is a strategic tool that dictates how sensitive information and resources are managed and protected. A security policy states exactly what the security level should be once the goals of the security mechanisms are defined. The security policy also acts as a baseline for evaluating a system after it is built.

Security Architecture Requirements
  • Trusted Computing Base: the collection of all the hardware, software, and firmware components within a system that together enforce the system’s security policy.

Security Kernel
  • Similar to the Trusted Computing Base, the Security Kernel is made up of hardware, software, and firmware components. However, the security kernel mediates all access functions between subjects and objects. This places the security kernel at the core of the most commonly used approaches to building trusted computing systems.

4.2 - Operating System Architecture

Operating system architectures have undergone changes based on industry functionality and security needs. The architecture identifies how the parts of the operating system operate with each other and the functionality that the applications require.

The complexity in operating systems lies in the architectural approaches running in kernel mode. As seen below, in a monolithic architecture, all the operating system processes operate in kernel mode.

In MS-DOS, an early operating system, the architecture was based upon a monolithic design. The whole operating system acted as a single software layer between user applications and the actual hardware. The issues that tend to arise with this design are complexity, portability, extensibility, and security.

If a flaw is found in a software component it becomes difficult to localize and quickly fix it, since the core code functionality is spread throughout the system.

Alternatively, layered operating system architectures divide system functionality into hierarchical layers.
One early system that followed a layered architecture had five layers of functionality:
  • Layer 0 controlled processor access and provided multiprogramming functionality;
  • Layer 1 carried out memory management;
  • Layer 2 provided interprocess communication;
  • Layer 3 dealt with I/O devices;
  • Layer 4 was where the applications resided.
The processes at each layer had interfaces to be used by processes in the layers below and above them.

4.1 - Computer Architecture

Computer architecture encompasses all of the functioning parts of a computer system, including the operating system, memory chips, storage devices, input and output devices, security components, buses, and networking interfaces. The relationships and internal workings of these components can be quite complex, and making them work together in a secure fashion requires complicated methods and mechanisms.

4 - Security Architecture Introduction

A majority of the compromises that organizations around the world experience are caused by flaws in software. Perimeter security technology (firewalls, intrusion detection systems, etc.) makes amazing strides and is improved frequently, but the software that carries out critical processing still has many vulnerabilities that are exploited on a daily basis.

3.5 - Threats to Access Control

Generally, there is a higher risk that an attacker will attempt to cause issues from within an organization than from outside it. 

An attacker from outside a system can enter through remote access entry points, firewalls, and even web servers, and can also break in physically, carry out social engineering attacks, or exploit partner communication paths. Insiders have legitimate reasons for using the systems and resources; however, misuse does occur and can become an actual attack.

The danger of insiders is that they have already been given a wide range of access that a hacker would have to work to obtain; they probably have intimate knowledge of the environment; and, generally, they are trusted. 

In the previous section, we discussed the different types of access control mechanisms. These served to keep outsiders out and restrict the insiders’ abilities to a minimum and audit their actions. Here we will look at some specific attacks commonly carried out in environments today by insiders or outsiders.

Dictionary Attacks

  • This type of program takes lists (dictionaries) of commonly used words or combinations of characters and compares these values to captured passwords. The program hashes each word and then compares the hashes with the system password file, which stores passwords in a one-way hash format.
  • If a match is found, the program has uncovered a password. The dictionaries come with the password-cracking programs, and extra dictionaries can be found on several sites on the Internet.

Brute Force Attacks

  • A brute force attack tries multiple possible combinations until the correct one is identified. In a brute force password attack, the software tool works on the first character and continues through the alphabet until that single value is uncovered; then the tool moves on to the second value. This continues until access is gained.

Spoofing at Logon

  • This type of program presents the user with a fake logon screen that tricks the user into attempting to log on. The user is asked for credentials such as a username and password, which the attacker stores to use at a later time. The user does not realize this is not his usual logon screen because the two look exactly the same. A fake error message may then appear, indicating that the user mistyped his credentials.

Phishing and Pharming

  • This is a type of social engineering designed to obtain personal information, credentials, credit card numbers, and financial data. The attackers lure, or fish, for sensitive data through various methods.

Wednesday, October 8, 2014

3.4 - Access Control Practices

In this section, we will discuss additional measures to ensure there is no unnecessary open access, so that the environment continues at the level of security that has been established.

What this means is that good access control practices need to be implemented and maintained from the beginning. Lack of periodic updates usually causes the most vulnerabilities in an environment.

These updates include:
• Deny access to systems to undefined users or anonymous accounts.
• Limit and monitor the usage of administrator and other powerful accounts.
• Suspend or delay access capability after a specific number of unsuccessful logon attempts.
• Remove obsolete user accounts as soon as the user leaves the company.
• Suspend inactive accounts after 30 to 60 days.
• Enforce strict access criteria.
• Enforce the need-to-know and least-privilege practices.
• Disable unneeded system features, services, and ports.
• Replace default password settings on accounts.

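Two of the practices above in working form, as an added example that is not from the post or the exam guide: locking an account after a set number of failed logons inside a time window, and flagging accounts idle for more than 60 days. A burst of failures against a single account is also the trace that the dictionary and brute force attacks from 3.5 leave in the logs, so the same routine doubles as a detection. The logon events, usernames, addresses and log format are all constructed for the example.

```python
# Added example (not from the blog or the CISSP guide): lock an account after
# N failed logons inside a time window and flag accounts idle for more than
# 60 days, applied to constructed logon events. A burst of failures against
# one account is the trace that dictionary and brute-force guessing leaves in
# the logs. The log format below is invented for this example.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <user> <SUCCESS|FAIL> <source IP>"
SAMPLE_LOG = """\
2014-10-07T17:30:00 bob SUCCESS 10.0.0.6
2014-10-08T09:00:01 alice SUCCESS 10.0.0.5
2014-10-08T09:00:10 bob FAIL 203.0.113.7
2014-10-08T09:00:12 bob FAIL 203.0.113.7
2014-10-08T09:00:14 bob FAIL 203.0.113.7
2014-10-08T09:00:16 bob FAIL 203.0.113.7
2014-10-08T09:00:18 bob FAIL 203.0.113.7
2014-10-08T09:00:20 bob FAIL 203.0.113.7
2014-10-08T09:01:00 alice FAIL 10.0.0.5
2014-10-08T09:01:05 alice SUCCESS 10.0.0.5
2014-08-01T08:00:00 carol SUCCESS 10.0.0.9
"""
KNOWN_USERS = ["alice", "bob", "carol", "dave"]      # dave exists but never logs on
NOW = datetime(2014, 10, 8, 12, 0, 0)                # review time for the idle check


def parse_line(line):
    """Split one constructed log line into (timestamp, user, success, source ip)."""
    ts, user, outcome, ip = line.split()
    return datetime.fromisoformat(ts), user, outcome == "SUCCESS", ip


def detect_lockouts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: time of lockout} for accounts with `threshold` failures in `window`.

    A sliding window is used so that old failures age out instead of counting
    forever; a successful logon clears the account's failure history.
    """
    recent = defaultdict(deque)
    locked = {}
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e[0])
    for ts, user, ok, _ip in events:
        if user in locked:
            continue                  # already suspended; later events need human review
        if ok:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()               # drop failures older than the window
        if len(q) >= threshold:
            locked[user] = ts
    return locked


def inactive_accounts(lines, known_users, now, max_idle=timedelta(days=60)):
    """Accounts with no successful logon within `max_idle` (or none ever): suspension candidates."""
    last_seen = {}
    for ts, user, ok, _ip in (parse_line(ln) for ln in lines if ln.strip()):
        if ok and ts > last_seen.get(user, datetime.min):
            last_seen[user] = ts
    return sorted(u for u in known_users
                  if u not in last_seen or now - last_seen[u] > max_idle)


if __name__ == "__main__":
    events = SAMPLE_LOG.splitlines()
    print("locked:", detect_lockouts(events))
    print("inactive:", inactive_accounts(events, KNOWN_USERS, NOW))
```

With the sample above, bob is locked at the fifth failure (09:00:18) while alice, who mistyped once and then succeeded, is not; carol (last seen in August) and dave (never seen) come out of the idle review. The threshold and window are the knobs the policy in the list above leaves to the organization.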
3.3 - Access Control Methods

As stated in the last post, access controls are often implemented at various layers of a system. Some of these controls act as core components of operating systems, devices, and applications.

Access Control Levels

Access control consists of three main categories: administrative, technical, and physical. Each category has different access control mechanisms that are carried out manually or automatically.

Administrative Controls
• Policy and procedures
• Personnel controls
• Supervisory structure
• Security-awareness training
• Testing
Physical Controls
• Network segregation
• Perimeter security
• Computer controls
• Work area separation
• Data backups
• Cabling
• Control zone
Technical Controls
• System access
• Network architecture
• Network access
• Encryption and protocols
• Auditing

Administrative Controls

These consist of security policies that delegate the development of supporting procedures, standards, and guidelines. Additionally, they indicate which specific personnel controls should be implemented.

Monday, October 6, 2014

3.2 - Access Controls Techniques & Technologies

As stated by the CISSP All-in-One Exam Guide, access control models are frameworks which dictate how objects are accessed by subjects. These frameworks are enforced by using specific control technologies and security mechanisms of the model.

Discretionary Access Control (DAC)
• Gives the resource owner the ability to specify which subjects can access specific resources. The model is named “discretionary” because control of access is based on the owner’s discretion (e.g., department managers, as owners of the data within their departments, can specify who should and should not have access).
• Additionally, the DAC model restricts access based on the authorization granted to users. The most common implementation of DAC is dictated and set by the owners and enforced by the operating system. “This can make a user’s ability to access information dynamic versus the more static role of mandatory access control (MAC).” -CISSP All-in-One Exam Guide
Mandatory Access Control (MAC)
• Unlike the DAC model, users do not have the ability to determine who can access objects. Generally, operating systems based on the MAC model greatly reduce the rights, permissions, and functionality that users have, for security purposes. This means that a user cannot “install software, change file permissions, add new users”. -CISSP All-in-One Exam Guide
• These highly specialized systems mainly serve to protect highly classified data for governmental agencies that maintain top secret information. Consequently, most people have never interacted with a MAC-based system.
Role-Based Access Control (RBAC)
• Controls are centrally administered to determine subject and object interaction. Additionally, access control levels can be based upon the operations and tasks a user needs to carry out to fulfill her responsibilities within an organization. Essentially, access to resources is based on the role the user serves within an organization.

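A toy reference monitor tying this post to the security kernel of 4.3, as an added example that is not from the blog or the exam guide: one routine mediates every subject-to-object access and writes an audit record, and DAC, MAC, and RBAC are plugged in as separate policy functions so their different answers to the same request can be seen side by side. The subjects, objects, labels, ACL and roles are constructed, and the MAC check is simplified to the subject's clearance dominating the object's classification.

```python
# Added example (not from the blog or the CISSP guide): a toy reference
# monitor in the sense of 4.3 (one kernel routine mediates every subject-object
# access and audits it) with the three models from 3.2 (DAC, MAC, RBAC) as
# pluggable policies. Subjects, objects, labels and roles are constructed.
from dataclasses import dataclass, field

# MAC sensitivity levels, lowest to highest; a clearance dominates a
# classification when its index is at least as large.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]

# RBAC: permissions are attached to roles, never to individual users.
ROLE_PERMISSIONS = {
    "analyst": {("report.txt", "read")},
    "editor": {("report.txt", "read"), ("report.txt", "write")},
}


@dataclass
class Subject:
    name: str
    clearance: str = "unclassified"
    roles: set = field(default_factory=set)


@dataclass
class Object:
    name: str
    owner: str
    classification: str = "unclassified"
    acl: dict = field(default_factory=dict)   # DAC: subject name -> set of operations


def dac(subject, obj, op):
    """Discretionary: the owner decides; everyone else gets only what the owner's ACL grants."""
    return subject.name == obj.owner or op in obj.acl.get(subject.name, set())


def mac(subject, obj, op):
    """Mandatory: labels, not owners, decide. Simplified to 'clearance must dominate
    classification' for every operation (write-direction rules are not modelled)."""
    return LEVELS.index(subject.clearance) >= LEVELS.index(obj.classification)


def rbac(subject, obj, op):
    """Role-based: allowed if any of the subject's roles carries the (object, op) permission."""
    return any((obj.name, op) in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


POLICIES = {"DAC": dac, "MAC": mac, "RBAC": rbac}


def reference_monitor(subject, obj, op, models, audit_log):
    """Mediate one access request.

    Access is granted only if every selected model allows it (deny wins), and
    every decision, allowed or not, is appended to the audit log so that
    'audit their actions' is satisfied by construction.
    """
    verdicts = {m: POLICIES[m](subject, obj, op) for m in models}
    allowed = all(verdicts.values())
    audit_log.append((subject.name, obj.name, op, allowed, verdicts))
    return allowed


def demo():
    """Constructed scenario; returns the decisions and the audit trail."""
    alice = Subject("alice", clearance="secret", roles={"editor"})
    bob = Subject("bob", clearance="unclassified", roles={"analyst"})
    report = Object("report.txt", owner="alice", classification="confidential",
                    acl={"bob": {"read"}})
    audit = []
    results = {
        "bob read DAC": reference_monitor(bob, report, "read", ["DAC"], audit),
        "bob write DAC": reference_monitor(bob, report, "write", ["DAC"], audit),
        "bob read MAC": reference_monitor(bob, report, "read", ["MAC"], audit),
        "bob read RBAC": reference_monitor(bob, report, "read", ["RBAC"], audit),
        "bob write RBAC": reference_monitor(bob, report, "write", ["RBAC"], audit),
        "bob read DAC+MAC": reference_monitor(bob, report, "read", ["DAC", "MAC"], audit),
        "alice write all": reference_monitor(alice, report, "write", ["DAC", "MAC", "RBAC"], audit),
    }
    return results, audit


if __name__ == "__main__":
    results, audit = demo()
    for request, allowed in results.items():
        print(f"{request:18s} -> {'ALLOW' if allowed else 'DENY'}")
    print(f"{len(audit)} decisions audited")
```

The instructive case is bob reading the report: the owner's ACL (DAC) and his analyst role (RBAC) both say yes, but the label check (MAC) says no because his clearance does not dominate the object's classification, so a monitor enforcing DAC and MAC together denies the request. That is the "user cannot override the label" behaviour the MAC bullet above describes.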
Thursday, October 2, 2014

3.1 - Access Controls & Authorization

In this section, I will be discussing Access Controls, the second domain of information security.

Access Controls:
When protecting assets, access controls act as the first line of defense. An example of this is the login verification of web applications, which restricts access by unauthorized users.

These controls are typically administrative, physical, or technical in nature and should be applied in a layered approach, ensuring that an intruder would have to compromise more than one countermeasure to access critical assets.

Security Principles:
In the previous chapter, we learned that security management procedures include identifying threats that negatively impact the availability, integrity, and confidentiality of the assets of the company. This includes finding cost-effective means of implementing countermeasures for protection.

• Availability
  • Information, systems, and resources must be available to users in a timely manner so that productivity is not affected.
• Integrity
  • Information that is gathered must be accurate, complete, and protected from unauthorized modifications. When a security mechanism provides integrity, it protects data, or a resource, from being altered in an unauthorized fashion.
• Confidentiality
  • This assures that information is not disclosed to unauthorized individuals, programs, or processes. Some information is more sensitive than other information and requires a higher level of confidentiality. Control mechanisms need to be in place to dictate who can access data and what the subject can do with it once they have accessed it.