Sunday, December 7, 2014

11.1 - The Role of the Operations Department

Companies perform important “due care and due diligence” efforts, which include having the correct policies, procedures, standards, and guidelines.

These due diligence efforts require responsible, careful, cautious, and practical company practices. It is important to identify systems and operations that are sensitive (meaning they need to be protected from disclosure) and critical (meaning they must remain available at all times).

Organizations consider many threats including disclosure of confidential data, theft of assets, corruption of data, interruption of services, and destruction of the physical or logical environment. The correct steps need to be taken to achieve the necessary levels of security while balancing various constraints.

Operations security departments ensure that people, applications, equipment, and the overall environment are properly and adequately secured.

10.3 - Software Development Life Cycle

The Software Development Life Cycle consists of requirements gathering, design, development, testing/validation, and release/maintenance.


  • Requirements gathering: determines why the software is being created, what the software will do, and for whom the software will be created
  • Design: deals with how the software will accomplish the goals identified
  • Development: programming software code to meet specifications laid out in the design phase
  • Testing/validation: validating software to ensure that goals are met and the software works as planned
  • Release/maintenance: deploying the software and then ensuring that it is properly configured, patched, and monitored

Wednesday, December 3, 2014

10.2 - System Development Life Cycle

A life cycle is a representation of development changes. Systems have their own developmental life cycle, which is made up of the following phases: initiation, acquisition/development, implementation, operation/maintenance, and disposal. These together are referred to as a system development life cycle (SDLC).

  • Initiation:
    • Need for a new system is defined
  • Acquisition/development:
    • New system is either created or purchased
  • Implementation:
    • New system is installed into production environment
  • Operation/maintenance:
    • System is used and cared for
  • Disposal: 
    • System is removed from production environment

10.1 - Where Do We Place Security?

Different Environments Demand Different Security
- Network and security administrators are overwhelmingly having to integrate various applications and computer systems to keep up with company demand.

Environment vs Application
- Application controls are very specific to their needs and to the security compromises they understand.

Functionality vs Security
- Code security and functionality are inherently built in.

9.3 - Ethics


  • Ethics are based on many different issues and foundations; because of this, they are interpreted differently on an individual basis.


  • Computer Ethics Institute is a nonprofit organization that works to help advance technology by ethical means.
  • The Computer Ethics Institute has developed its own Ten Commandments of Computer Ethics:
      1. Thou shalt not use a computer to harm other people.
      2. Thou shalt not interfere with other people’s computer work.
      3. Thou shalt not snoop around in other people’s computer files.
      4. Thou shalt not use a computer to steal.
      5. Thou shalt not use a computer to bear false witness.
      6. Thou shalt not copy or use proprietary software for which you have not paid.
      7. Thou shalt not use other people’s computer resources without authorization or proper compensation.
      8. Thou shalt not appropriate other people’s intellectual output.
      9. Thou shalt think about the social consequences of the program you are writing or the system you are designing.
      10. Thou shalt always use a computer in ways that ensure consideration and respect for your fellow humans.

9.2 - Intellectual Property Laws

Intellectual property laws do not always concern themselves with what is right or wrong. Their main focus is on how organizations and individuals protect what they rightfully own from unauthorized use. This gives these entities options for what they can do if these laws are violated.
  • Trade Secret
    • This is something that is proprietary to an organization and vital for its profitability and survival.
    • For example, the trade secret that Coca-Cola owns is the formula used for their soft drink. This resource is highly confidential and protected with various security precautions and actions. Such actions could be both physical (safes and security surveillance) and legal (non-disclosure agreements).
  • Copyright
    • Denoted by a (©), copyrights protect the right of an original author to control the distribution, reproduction, display, and adaptation of an original work. 
    • This law covers various types of work: pictorial, graphic, musical, dramatic, literary, pantomime, motion picture, sculptural, sound recording, and architectural. 
    • It should be noted that, unlike trade secret law, copyright does not protect the specific resource; instead, it protects the “expression of the idea of the resource instead of the resource itself”.
  • Trademarks
    • These differ from copyrights in that they are used to protect words, names, symbols, sounds, shapes, colors, and any combination of these.
    • Generally, trademarks are sought because they are believed to represent an entity’s brand identity to a group of people or the world.
  • Patent
    • Patents are granted to individuals and organizations to give them legal ownership of the invention covered by the patent and the exclusive right to use or copy it.
    • After the inventor completes an application for a patent and it is approved, the patent grants a limited property right to exclude others from making, using, or selling the invention for a specific period of time.

9.1 - Complexities in Cybercrime

A majority of cyber attackers are rarely caught because they mask their identities and addresses; this is known as spoofing. As we know, these attackers hack into networks, retrieve any resources they seek, and wipe clean all logs that may have tracked their activity. Oftentimes, companies do not even know they have been violated.

The Evolution of Attacks
  • In the early days of computing, hackers were mainly made up of people who just enjoyed the thrill of hacking. True hackers saw this as a challenging game without any real intent of harm or damage. Unfortunately, these former trends have taken on more sinister and destructive means.
  • In modern times, script kiddies and others hack to simply wreak havoc and just for the fun of it. Additionally, organized criminals have now sprouted on the scene and have increased the amount of damage done.

International Issues
  • The text explains, “If a hacker in Ukraine attacked a bank in France, whose legal jurisdiction is that?” Cybercrime law lacks uniform standards for prosecuting these individuals.

Tuesday, December 2, 2014

8.1 - Business Continuity and Disaster Recovery

The goal of a business after a disaster is recovery. Minimizing the effects of a disaster and disruption means taking the necessary steps to ensure that the resources, personnel, and business processes are able to resume operation in a timely manner. This differs from continuity planning, which provides procedures for dealing with long-term outages and disasters. The goal of a disaster recovery plan is to handle the disaster and its issues after the disaster occurs. Generally, the disaster recovery plan is information technology focused.

A disaster recovery plan (DRP) is used in emergency mode, when people are scrambling to bring critical systems back online. Business continuity plans (BCP) take a broader approach to the problem by getting critical systems to other environments while repairs of the original facilities are under way.


7.5 - Internet Security

A common misconception is that the Web is the Internet; it is not. The Web runs on top of the Internet: it is the collection of servers that process websites. The Internet is the collection of physical devices and communication protocols that interact with these websites.

Web browsers understand protocols because they have the capability to process the various types of commands; however, they do not understand all of them. For protocols or commands that the user’s browser does not know how to process, the user can download and install plug-ins that integrate themselves into the system or browser.

This is a quick and easy way to expand the functionality of the browser. However, this can cause serious security compromises, because the payload of the module can easily carry viruses and malicious software that users don't discover until it’s too late.

HTTP Secure (HTTPS) is HTTP running over SSL. Secure Sockets Layer (SSL) uses public key encryption and provides data encryption, server authentication, message integrity, and client authentication. Essentially, when clients access websites, the site may have both secured and public portions. HTTPS allows the user to access the secured portion after authenticating in some way.

7.4 - Link Encryption vs. End-to-End Encryption


Encryption is performed with different types of protection and communication levels. Two general types of encryption implemented are link encryption and end-to-end encryption. 



Link encryption, or online encryption, is provided by service providers and integrated into their network protocols. All of the information is encrypted, so the packets must be decrypted at each hop for the router to know where to send the packet next. The router must decrypt the header portion of the packet, read the routing and address information within the header, and then re-encrypt it and send it on its way.

With end-to-end encryption, the packets do not need to be decrypted and re-encrypted at each hop, because the headers and trailers are not encrypted. The devices between the origin and the destination simply read the necessary routing information and pass the packets on their way.
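The difference in what each hop can see, as an added example that is not part of the original notes. The XOR keystream function is a toy stand-in for a real cipher, and the header, payload, and keys are constructed values.

```python
import hashlib

def toy_cipher(key, data):
    """XOR with a SHA-256 counter keystream. Stand-in for a real cipher; not secure."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

HEADER = b"dst=10.0.0.9|"                      # constructed routing header
PAYLOAD = b"wire $500 to acct 42"              # constructed payload
LINK_KEYS = [b"link-A", b"link-B", b"link-C"]  # one key per hop: sender-R1, R1-R2, R2-receiver
E2E_KEY = b"shared-by-endpoints"               # known only to sender and receiver

def link_encryption():
    """Whole packet is encrypted per link; every router decrypts and re-encrypts."""
    wire, router_view = [], []
    packet = HEADER + PAYLOAD
    for hop, key in enumerate(LINK_KEYS):
        frame = toy_cipher(key, packet)        # what an eavesdropper on this link sees
        wire.append(frame)
        packet = toy_cipher(key, frame)        # the next node decrypts with the link key
        if hop < len(LINK_KEYS) - 1:
            router_view.append(packet)         # router holds header AND payload in the clear
    return wire, router_view, packet[len(HEADER):]

def end_to_end_encryption():
    """Payload is encrypted once by the sender; the header stays readable for routing."""
    packet = HEADER + toy_cipher(E2E_KEY, PAYLOAD)
    wire = [packet] * len(LINK_KEYS)                # identical bytes on every link
    router_view = [packet] * (len(LINK_KEYS) - 1)   # routers read the header, relay the rest
    return wire, router_view, toy_cipher(E2E_KEY, packet[len(HEADER):])

if __name__ == "__main__":
    for name, run in (("link", link_encryption), ("end-to-end", end_to_end_encryption)):
        wire, routers, delivered = run()
        print(name, "| header visible on wire:", all(HEADER in f for f in wire),
              "| payload visible to routers:", all(PAYLOAD in v for v in routers),
              "| delivered:", delivered)
```

Link encryption hides the routing information from anyone tapping a link but exposes the payload inside every router; end-to-end encryption keeps the payload sealed in transit but leaves the header readable on every link.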

7.3 - Public Key Infrastructure

Public key infrastructure contains programs, data formats, procedures, communication protocols, security policies, and public key cryptography working together. The public key establishes trust within an environment.

This ISO framework uses public key cryptography to set up authentication across various networks and the Internet. Public key cryptography is another name for asymmetric algorithms.

In the same way that we need e-mail clients, e-mail servers, and e-mail messages, which together build an e-mail infrastructure, PKI is made up of many different parts: certificate authorities, registration authorities, certificates, keys, and users. The following sections explain these parts and how they all work together.

Monday, December 1, 2014

7.2 - Methods of Encryption

There are several parts to an encryption process; however, there are two main pieces: algorithms and keys. Algorithms used in computer systems are complex mathematical formulas that dictate the rules of how the plaintext will be turned into ciphertext. Keys are strings of bits that these algorithms use to add randomness to the encryption.

To allow entities to communicate through encryption, these entities must use the same algorithm and, in many cases, the same key. With some encryption technologies, the receiver and the sender use the same key (symmetric), and in other encryption technologies, they must use different but related keys for encryption and decryption (asymmetric, with public and private keys).


[Figure: example of symmetric encryption.]

7.1 - History of Cryptography

Cryptography is believed to have originated in Egypt around 2000 B.C. Hieroglyphics, at the time, were used to decorate tombs and tell the life story of the deceased. The practice was meant more to portray the story in a noble and ceremonial manner than to actually hide the messages themselves.

Over time, encryption evolved from visual representations of storytelling into applications used to obscure information from others.

For example, the substitution cipher (replacement of characters with other characters) became a cryptographic method. One such method flips the alphabet so that each letter in the original alphabet corresponds to a different letter in the flipped alphabet. This encryption method was called atbash, and it hid the true meaning of messages.

Example:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
ZYXWVUTSRQPONMLKJIHGFEDCBA

“As an example, suppose we need to encrypt the message “Logical Security.” We take the first letter of this message, L, and shift up three locations within the alphabet. The encrypted version of this first letter is O, so we write that down. The next letter to be encrypted is O, which matches R when we shift three spaces. We continue this process for the whole message. Once the message is encrypted, a carrier takes the encrypted version to the destination, where the process is reversed.”
-CISSP Security Guide

Plaintext:
LOGICAL SECURITY

Ciphertext:
ORJLFDO VHFXULWB

Today this technique is too simplistic to be effective; however, in the time of Julius Caesar, few people could read, so it provided a high level of protection. The Caesar cipher is an example of a monoalphabetic cipher. Once more people could read and reverse-engineer this type of encryption process, the cryptographers of that day increased the complexity by creating polyalphabetic ciphers.
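The ciphers from this section in working form, as an added example that is not part of the original notes. It also shows why a monoalphabetic shift gives no real protection (only 26 shifts exist, and letter frequencies pick out the right one) and how a polyalphabetic cipher differs. The Vigenère cipher is used here as a representative polyalphabetic cipher, and the key "KEY" and the frequency table are assumptions of the example.

```python
import string

ALPHABET = string.ascii_uppercase

def atbash(text):
    """Flip the alphabet (A<->Z, B<->Y, ...); applying it twice restores the text."""
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[::-1]))

def caesar(text, shift):
    """Shift every letter by the same amount, wrapping past Z; negative shifts decrypt."""
    k = shift % 26
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k]))

def vigenere(text, key):
    """Polyalphabetic substitution: the shift changes per letter, following a repeating key."""
    out, i = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(caesar(ch, ALPHABET.index(key[i % len(key)].upper())))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

# Approximate English letter frequencies in percent (rarer letters score 0).
ENGLISH_FREQ = dict(zip("ETAOINSHRDLCU",
                        [12.7, 9.1, 8.2, 7.5, 7.0, 6.7, 6.3, 6.1, 6.0, 4.3, 4.0, 2.8, 2.8]))

def recover_caesar_shift(ciphertext):
    """Decrypt under all 26 shifts and keep the one that looks most like English."""
    def score(s):
        return sum(ENGLISH_FREQ.get(ch, 0.0) for ch in caesar(ciphertext, -s))
    return max(range(26), key=score)

def images_of(letter, plaintext, ciphertext):
    """Set of ciphertext letters that one plaintext letter was mapped to."""
    return {c for p, c in zip(plaintext, ciphertext) if p == letter}

if __name__ == "__main__":
    msg = "LOGICAL SECURITY"                          # plaintext from the notes above
    print(atbash(msg))
    print(caesar(msg, 3))
    print(recover_caesar_shift(caesar(msg, 3)))       # shift found without knowing the key
    print(images_of("C", msg, caesar(msg, 3)))        # one image: monoalphabetic
    print(images_of("C", msg, vigenere(msg, "KEY")))  # several images: polyalphabetic
```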

6.5 - Networking Devices

There are several types of networking devices. They are used in LANs, MANs, and WANs to provide intercommunication among computers and their networks. These different networking devices vary based on their capabilities and intelligence.

  • Repeaters
    • These provide the most basic type of connectivity: they only repeat electrical signals between cable segments, which enables them to extend a network at the physical layer. Additionally, repeaters are add-on devices that extend a network connection over greater distances. The device amplifies signals.
  • Bridges
    • Bridges are LAN devices that connect LAN segments at the data link layer. Repeaters forward all signals received. A bridge divides overburdened networks into smaller segments, which ensures efficient use of bandwidth and traffic control. Like a repeater, it amplifies the electrical signal; however, it is more intelligent than a repeater and enables the administrator to filter frames for further control.
  • Routers
    • Routers operate at the network layer and connect similar or different networks. They are devices with two or more interfaces and a routing table used to receive and transmit packets to their destinations. Additionally, routers filter traffic based on access control lists (ACLs) and fragment packets when necessary.
  • Switches
    • Switches combine the functions of repeaters and bridges. A switch amplifies electrical signals, like a repeater, and has the built-in circuitry and intelligence of a bridge.