6. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
D
D
7. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
B
B
8. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
A
D
9. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
D
D
10. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
B
C
11. Domain 2: Asset Security – Quiz Review
CISSP Mentor Program Session #4
A
Piece of cake!
12. CISSP Mentor Program Session #4
Domain 2: Asset Security – Current Events
http://www.nytimes.com/2016/01/30/us/politics/22-clinton-emails-deemed-too-classified-to-be-made-public.html?_r=0
http://www.usnews.com/news/articles/2016-05-04/panama-papers-revelation-we-must-rethink-data-security-systems
http://www.databreaches.net/centene-discloses-missing-hard-drives-contain-personal-information-of-950000-people/
13. CISSP Mentor Program Session #4
Domain 3: Security Engineering (Engineering and Management of
Security)
• Security Models
• Evaluation Methods, Certification and Accreditation
• Secure System Design Concepts
• Secure Hardware Architecture
• Secure Operating System and Software Architecture
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
Formerly separate domains: Security Architecture, Cryptography, and Physical Security
14. CISSP Mentor Program Session #4
Security Models
What subjects and objects are permitted to
do (within a model or framework)
• Subject (often a user)
• Object (a resource)
• Managing relationship between subject
and object is access control
• Understand concepts of read up, read
down, write up, write down
15. CISSP Mentor Program Session #4
Security Models
Controls
• Discretionary access control (DAC)
  • Defined in the Trusted Computer System Evaluation Criteria (TCSEC)
  • Means of restricting access to objects based on the identity of subjects and/or groups to which they belong
  • A subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject
• Mandatory access control (MAC)
  • Type of access control where the operating system constrains the ability of a subject to access or perform some sort of operation on an object
  • Authorization rule enforced by the operating system kernel
  • Security policy is centrally controlled by a security policy administrator
• Rule-based access control (RBAC)
  • Access is allowed or denied to objects based on a set of rules defined by a system administrator
  • Access properties are stored in Access Control Lists (ACL) associated with each object
• Role-based access control (also RBAC)
  • Also known as Non-discretionary Access Control
  • Assigns permissions to particular roles in an organization
16. CISSP Mentor Program Session #4
Security Models
Understand the Fundamental Concepts of Security Models
• State Machine Model
• Bell-LaPadula Model
• Lattice-Based Access Controls
• Biba Model
• Clark-Wilson Model
• Information Flow Model
• Brewer and Nash Model (aka Chinese Wall)
• Take-Grant Model
• Access Control Matrix
• Zachman Framework for Enterprise Architecture
• Graham-Denning Model
• Harrison-Ruzzo-Ullman Model
17. CISSP Mentor Program Session #4
Security Models
State Machine Model
• State of a machine is captured in order to verify the security of a system
• State consists of all current permissions and all current instances of subjects accessing the objects. If the subject can access objects only by means that are consistent with the security policy, the system is secure
• Always secure no matter what state it is in
• Finite state machine (FSM)
• State transition
• Secure state machine
• The basis for most other security models
19. CISSP Mentor Program Session #4
Security Models
Bell-LaPadula Model
• Originally developed for the U.S. Department of Defense
• Focused on maintaining the confidentiality of objects
• Two Access Rules:
  • Simple Security Property – no read up
  • * Security Property (“Star” Security Property) – no write down
• Two Object Label Rules:
  • Strong Tranquility Property - security labels will not change while the system is operating
  • Weak Tranquility Property - security labels will not change in a way that conflicts with defined security properties
20. CISSP Mentor Program Session #4
Security Models
Lattice-Based Access Controls
• Security controls for complex environments
• For every relationship between a subject and an
object, there are defined upper and lower access
limits implemented by the system
• Subjects have a Least Upper Bound (LUB) and
Greatest Lower Bound (GLB) of access to the objects
based on their lattice position
• A security lattice model combines multilevel and
multilateral security
21. CISSP Mentor Program Session #4
Security Models
Biba Model
• Developed after Bell-LaPadula model
• Focused on maintaining the integrity of objects
• Uses a lattice of integrity levels unlike Bell-LaPadula which
uses a lattice of security levels
• Two primary rules
• Simple Integrity Axiom – no read down
• * Integrity Axiom (“Star” Integrity Axiom) – no write up
• Essentially the reverse of Bell-LaPadula
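The Bell-LaPadula and Biba rules above, together with the least upper bound and greatest lower bound from the lattice slide, as an added Python example that is not part of the original deck. The level names, category names and sample labels are constructed, and reusing the same level ordering for Biba integrity labels is an assumption made for brevity.

```python
from dataclasses import dataclass

# Constructed ordering of levels, lowest to highest (assumption for this example).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A lattice point: a hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # self >= other: level at least as high AND every category of other held.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def lub(a, b):
    """Least upper bound: the lowest label that dominates both a and b."""
    return Label(max(a.level, b.level, key=LEVELS.get), a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the highest label dominated by both a and b."""
    return Label(min(a.level, b.level, key=LEVELS.get), a.categories & b.categories)


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality)."""
    if op == "read":
        return subject.dominates(obj)   # Simple Security Property: no read up
    if op == "write":
        return obj.dominates(subject)   # * Security Property: no write down
    raise ValueError(f"unknown operation: {op}")


def biba_allows(subject, obj, op):
    """Biba (integrity): the same checks with the direction reversed."""
    if op == "read":
        return obj.dominates(subject)   # Simple Integrity Axiom: no read down
    if op == "write":
        return subject.dominates(obj)   # * Integrity Axiom: no write up
    raise ValueError(f"unknown operation: {op}")


def decisions(model, subject, objects):
    """Map each object name to (read allowed, write allowed) under one model."""
    return {name: (model(subject, label, "read"), model(subject, label, "write"))
            for name, label in objects.items()}


# Constructed sample subject and objects.
ANALYST = Label("SECRET", frozenset({"CRYPTO"}))
OBJECTS = {
    "report": Label("TOP SECRET", frozenset({"CRYPTO"})),   # above the analyst
    "memo": Label("CONFIDENTIAL"),                          # below the analyst
    "nuclear": Label("SECRET", frozenset({"NUCLEAR"})),     # incomparable
}

if __name__ == "__main__":
    for model in (blp_allows, biba_allows):
        print(model.__name__)
        for name, (r, w) in decisions(model, ANALYST, OBJECTS).items():
            print(f"  {name:8} read={r!s:5} write={w}")
    print("LUB:", lub(ANALYST, OBJECTS["nuclear"]))
    print("GLB:", glb(ANALYST, OBJECTS["nuclear"]))
```

The "nuclear" object shows why a lattice is needed rather than a simple ordering: neither label dominates the other, so both models deny read and write, and only the LUB of the two labels dominates both.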
22. CISSP Mentor Program Session #4
Security Models
Clark-Wilson Model
• Real-world integrity model
• Requires subjects to access objects via programs
• Programs have specific limitations to what they can and cannot do to objects
• Two primary concepts
• Well-Formed Transactions - ability to enforce control over applications; comprised of the “access
control triple:” user, transformation procedure (TP/well-formed transaction), and constrained
data item (CDI/data that requires integrity) - integrity verification procedures (IVPs) ensure that
data are kept in a valid state
• Separation of Duties - ensures that authorized users do not change data in an inappropriate way
23. CISSP Mentor Program Session #4
Security Models
Information Flow Model
• In this model, data is thought of as being held in individual discrete compartments
• Information is compartmentalized based on two factors: classification and need to know
• Subject clearance has to dominate the object classification and the subject security profile must contain one of the categories listed in the object label, which enforces need to know
24. CISSP Mentor Program Session #4
Security Models
Brewer and Nash Model (aka Chinese Wall)
• Designed to avoid conflicts of interest by prohibiting one person, such as a
consultant, from accessing multiple conflict of interest categories (CoIs)
• Provides access controls that can change dynamically depending upon a user’s
previous actions
• Model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different data set
• Initially designed to address the risks inherent with employing consultants
working within banking and financial institutions
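The dynamic behaviour described above, where access depends on what the subject has already touched, as an added Python example that is not part of the original deck. The company datasets, conflict-of-interest classes and subject names are constructed; "can read" in the write rule is interpreted here as "has already been granted read access", and sanitized information is not modelled.

```python
class ChineseWall:
    """Brewer and Nash access decisions driven by each subject's read history."""

    def __init__(self, coi_of):
        # coi_of maps a company dataset to its conflict-of-interest (CoI) class.
        self.coi_of = dict(coi_of)
        self.history = {}  # subject -> set of datasets already read

    def can_read(self, subject, dataset):
        seen = self.history.get(subject, set())
        if dataset in seen:
            return True  # already inside the wall for this dataset
        # Deny if any previously read dataset is in the same CoI class.
        return all(self.coi_of[d] != self.coi_of[dataset] for d in seen)

    def read(self, subject, dataset):
        allowed = self.can_read(subject, dataset)
        if allowed:
            # A permitted read changes future decisions for this subject.
            self.history.setdefault(subject, set()).add(dataset)
        return allowed

    def can_write(self, subject, dataset):
        # Write rule from the slide: allowed only if the subject cannot read
        # an object in a different dataset (interpreted via read history).
        seen = self.history.get(subject, set())
        return self.can_read(subject, dataset) and seen <= {dataset}


def demo():
    """Replay a constructed session and return each decision in order."""
    wall = ChineseWall({"BankA": "banking", "BankB": "banking", "OilX": "oil"})
    return [
        ("alice read BankA", wall.read("alice", "BankA")),
        ("alice read BankB", wall.read("alice", "BankB")),        # same CoI class
        ("alice write BankA", wall.can_write("alice", "BankA")),
        ("alice read OilX", wall.read("alice", "OilX")),          # different class
        ("alice write BankA", wall.can_write("alice", "BankA")),  # now blocked
        ("alice write OilX", wall.can_write("alice", "OilX")),
        ("bob read BankB", wall.read("bob", "BankB")),            # separate history
        ("bob write BankB", wall.can_write("bob", "BankB")),
    ]


if __name__ == "__main__":
    for action, allowed in demo():
        print(f"{action:18} -> {'ALLOW' if allowed else 'DENY'}")
```

Reading OilX is permitted, but it removes alice's ability to write to BankA: once she can read two datasets, a write could carry information from one company's data into the other's.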
25. CISSP Mentor Program Session #4
Security Models
Noninterference Models
• Model ensures that any actions that take place at a higher security level do
not affect, or interfere with, actions that take place at a lower level
• Not concerned with the flow of data, but rather with what a subject knows
about the state of the system
• Addresses the inference attack that occurs when someone has access to some type of information and can infer (guess) something that he does not have the clearance level or authority to know.
• Covert Channel – policy violation hidden from the system owner
26. CISSP Mentor Program Session #4
Security Models
Take-Grant Model
• Contains rules that govern the interactions between subjects and objects, and
permissions subjects can grant to other subjects
• Two rights occur in every instance of the model: take and grant
• Rules include take, grant, create, and remove
  • take rule allows a subject to take rights of another object (add an edge originating at the subject)
  • grant rule allows a subject to grant own rights to another object (add an edge terminating at the subject)
  • create rule allows a subject to create new objects (add a vertex and an edge from the subject to the new vertex)
  • remove rule allows a subject to remove rights it has over another object (remove an edge originating at the subject)
27. CISSP Mentor Program Session #4
Security Models
Access Control Matrix
• Commonly used in OS and applications
• Table that defines access permissions between specific subjects and objects
28. CISSP Mentor Program Session #4
Security Models
Zachman Framework for
Enterprise Architecture
• Six frameworks for providing
information security, asking what,
how, where, who, when, and why
29. CISSP Mentor Program Session #4
Security Models
Graham-Denning Model
• Defines a set of basic rights in terms of commands that a specific subject can execute
on an object
• Three parts; objects, subjects, and rules; focus on the eight (8) rules:
• R1: Transfer Access
• R2: Grant Access
• R3: Delete Access
• R4: Read Object
• R5: Create Object
• R6: Destroy Object
• R7: Create Subject
• R8: Destroy Subject
30. CISSP Mentor Program Session #4
Security Models
Harrison-Ruzzo-Ullman Model
• HRU is an operating system level computer security model which deals with the integrity of access
rights in the system
• Based around the idea of a finite set of procedures being available to edit the access rights of a
subject on an object
• Maps subjects, objects, and access rights to an access matrix
• Variation to the Graham-Denning Model
• Six primitive operations:
• Create object
• Create subject
• Destroy subject
• Destroy object
• Enter right into access matrix
• Delete right from access matrix
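An access matrix with the six HRU primitive operations and three guarded commands built from them, as an added example (not from the slides). The right names (`own`, `r`, `w`), the command names and the subjects are assumptions made for illustration.

```python
class AccessMatrix:
    """HRU-style access matrix; every subject is also an object."""

    def __init__(self):
        self.subjects, self.objects = set(), set()
        self.cells = {}                          # (subject, object) -> rights

    # --- the six primitive operations ---
    def create_subject(self, s):
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        self.objects.add(o)

    def destroy_subject(self, s):
        self.subjects.discard(s)
        self.destroy_object(s)

    def destroy_object(self, o):
        self.objects.discard(o)
        self.cells = {k: v for k, v in self.cells.items() if o not in k}

    def enter(self, right, s, o):
        if s not in self.subjects or o not in self.objects:
            raise KeyError("unknown subject or object")
        self.cells.setdefault((s, o), set()).add(right)

    def delete(self, right, s, o):
        self.cells.get((s, o), set()).discard(right)

    def has(self, right, s, o):
        return right in self.cells.get((s, o), set())

# --- commands: a condition on the matrix, then primitive operations ---
def cmd_create_file(m, creator, f):
    m.create_object(f)
    for right in ("own", "r", "w"):
        m.enter(right, creator, f)

def cmd_confer_read(m, owner, friend, f):
    if not m.has("own", owner, f):               # guard: only owners confer
        return False
    m.enter("r", friend, f)
    return True

def cmd_revoke_read(m, owner, exfriend, f):
    if not m.has("own", owner, f):
        return False
    m.delete("r", exfriend, f)
    return True

def hru_demo():
    m = AccessMatrix()
    for s in ("alice", "bob", "carol"):          # constructed subjects
        m.create_subject(s)
    cmd_create_file(m, "alice", "report")
    results = [
        cmd_confer_read(m, "alice", "bob", "report"),   # owner: allowed
        cmd_confer_read(m, "bob", "carol", "report"),   # reader: refused
        cmd_revoke_read(m, "alice", "bob", "report"),   # owner: allowed
    ]
    return m, results
```

Because rights change only through the fixed command set, auditing the guards on those commands is what protects the integrity of the matrix.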
31. CISSP Mentor Program Session #4
Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
• Dedicated:
• Only one classification (label) for all objects in the system
• Subject must possess a clearance equal or greater than the system label
• Subjects must have 1) appropriate clearance, 2) formal access approval, and 3) a need to
know for all the objects in the system
32. CISSP Mentor Program Session #4
Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
• System High:
• System contains objects of mixed labels
• Subjects must possess a clearance equal to (or greater than) the highest object label
33. CISSP Mentor Program Session #4
Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
• Compartmented:
• Objects are placed into “compartments”
• Subjects must have a formal (system-enforced) need to know to access data in
compartment
• All subjects must have 1) Signed NDA for ALL information on the system, 2) clearance for
ALL information on the system, 3) formal access approval for SOME objects on the system,
and 4) valid need to know for SOME objects on the system
34. CISSP Mentor Program Session #4
Security Models
Modes of Operation
• There are four (4) modes of system/access control operation:
• Multilevel:
• System contains objects of varying labels
• Subjects with varying clearances can access the system
• Reference Monitor mediates access between subjects and objects
• All subjects must have 1) Signed NDA for ALL information on the system, 2) clearance for
SOME information on the system, 3) formal access approval for SOME objects on the
system, and 4) valid need to know for SOME objects on the system
35. CISSP Mentor Program Session #4
Evaluation Methods, Certification and
Accreditation
Trusted Computer System Evaluation
Criteria (TCSEC or Orange Book)
• Developed by the federal government; National
Computer Security Center (NCSC), part of the
National Institute of Standards and Technology
(NIST), and the National Security Agency (NSA)
• Developed in 1983 as part of the Rainbow Series
• One of the 1st evaluation frameworks
• Now used as part of U.S. Government Protection
Profiles within the International Common Criteria
framework
36. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
Trusted Computer System Evaluation Criteria (TCSEC or Orange Book)
• Download here http://csrc.nist.gov/publications/history/dod85.pdf
• Division D is the lowest form of security, and A is the highest:
• D: Minimal Protection
• C: Discretionary Protection
• C1: Discretionary Security Protection
• C2: Controlled Access Protection
• B: Mandatory Protection
• B1: Labeled Security Protection
• B2: Structured Protection
• B3: Security Domains
• A: Verified Protection
• A1: Verified Design
38. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
Trusted Network Interpretation (TNI)/Red Book
• Sort of like the Orange Book for network systems
• Can download it here http://ftp.fas.org/irp/nsa/rainbow/tg011.htm
• All of the Rainbow Books can be accessed here
http://ftp.fas.org/irp/nsa/rainbow.htm
39. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
Information Technology Security Evaluation Criteria (ITSEC)
• Used extensively in Europe (where it was developed)
• 1st successful international evaluation criteria
• References to the Orange Book, but added:
• F – Functionality
• Q – Effectiveness (part of assurance)
• E – Correctness (also part of assurance)
40. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
Information Technology Security Evaluation Criteria (ITSEC)
• Assurance correctness ratings range from E0 (inadequate) to E6 (formal model of
security policy)
• Functionality ratings include TCSEC equivalent ratings (F-C1, F-C2, etc.)
• The equivalent ITSEC/TCSEC ratings are:
• 0: D
• F-C1,E1: C1
• F-C2,E2: C2
• F-B1,E3: B1
• F-B2,E4: B2
• F-B3,E5: B3
• F-B3,E6: A1
41. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
Information Technology Security Evaluation Criteria (ITSEC)
• Additional functionality ratings include:
• F-IN: High integrity requirements
• AV: High availability requirements
• DI: High integrity requirements for networks
• DC: High confidentiality requirements for networks
• DX: High integrity and confidentiality requirements for networks
42. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
International Common Criteria (“Common Criteria”)
• Internationally agreed upon standard for describing and testing the security of IT
products
• Primary objective of the Common Criteria is to eliminate known vulnerabilities of the
target for testing
• Terms:
• Target of Evaluation (TOE): the system or product that is being evaluated
• Security Target (ST): the documentation describing the TOE
• Protection Profile (PP): an independent set of security requirements and objectives for a specific
category of products or systems
• Evaluation Assurance Level (EAL): the evaluation score of the tested product or system
43. CISSP Mentor Program Session #4
Evaluation Methods, Certification and Accreditation
International Common Criteria (“Common Criteria”)
• There are seven (7) Levels of Evaluation (EALs):
• EAL1: Functionally tested
• EAL2: Structurally tested
• EAL3: Methodically tested and checked
• EAL4: Methodically designed, tested, and reviewed
• EAL5: Semi-formally designed, and tested
• EAL6: Semi-formally verified, designed, and tested
• EAL7: Formally verified, designed, and tested
• Latest version of Common Criteria;
http://www.commoncriteriaportal.org/files/ccfiles/CCPART3V3.1R3.pdf
44. CISSP Mentor Program Session #4
Secure System Design Concepts
Layering
• Separates hardware and software functionality into modular tiers
• Actions that take place at one layer do not directly affect components in
another
• For networking types; OSI is an example of layering (covered later)
• Generic list of security architecture layers:
• Hardware
• Kernel (and system/device drivers)
• Operating system
• Applications
45. CISSP Mentor Program Session #4
Secure System Design Concepts
Abstraction – Complexity is the enemy of security
• Unnecessary details are hidden from the user
• Good example from the book:
A user double-clicks on an MP3 file containing music, and the music plays via the
computer speakers. Behind the scenes, tremendously complex actions are taking
place: the operating system opens the MP3 file, looks up the application associated
with it, and sends the bits to a media player. The bits are decoded by a media player,
which converts the information into a digital stream, and sends the stream to the
computer’s sound card. The sound card converts the stream into sound, sent to the
speaker output device. Finally, the speakers play sound. Millions of calculations are
occurring as the sound plays, while low-level devices are accessed.
Abstraction means the user simply presses play and hears music.
46. CISSP Mentor Program Session #4
Secure System Design Concepts
Security Domains
• A security domain is the list of objects a subject is allowed to access.
• A security domain is also a group of subjects and objects with similar security
requirements
• Kernel - the central core of a computer's operating system; two domains (or modes)
• User mode – user accounts and processes
• Kernel mode (or supervisor mode) – the kernel itself; low-level access to memory and hardware
components
• The two domains are separated – an error in user mode should not affect kernel mode operation
• Operating systems run entirely in kernel mode
47. CISSP Mentor Program Session #4
Secure System Design Concepts
The Ring Model
• Form of CPU hardware layering used to separate and protect domains (user mode from kernel mode)
• Most CPUs (including Intel x86) have four rings
• Ring 0 – Kernel
• Ring 1 – Operating system components outside of Ring 0
• Ring 2 - Device drivers
• Ring 3 – User applications
• Processes communicate between the rings via system calls
• System calls are slow (compared to performing work within one ring), but provide security
• Ring model also provides abstraction
• Linux and Windows use rings 0 and 3 only
• Hypervisor mode allows virtual guests to operate in ring 0, controlled by the hypervisor one ring “below” (ring -1)
49. CISSP Mentor Program Session #4
Secure Hardware Architecture
Open and Closed Systems
• Open systems use open hardware and
standards, using standard components from
various vendors
• IBM-compatible PCs
• Closed systems use proprietary hardware or
software
50. CISSP Mentor Program Session #4
Secure Hardware Architecture
System Unit and Motherboard
• System unit is the computer case and
everything in it.
• The motherboard is the hardware board that
typically includes the Central Processing Unit
(CPU), memory slots, firmware, and peripheral
slots such as PCI (Peripheral Component
Interconnect) slots.
51. CISSP Mentor Program Session #4
Secure Hardware Architecture
Computer Bus
• Primary communication channel
on a computer system
• Communication between the
CPU, memory, and input/output
devices such as keyboard,
mouse, display, etc., occur via
the bus
52. CISSP Mentor Program Session #4
Secure Hardware Architecture
Computer Bus
• Northbridge – also called the Memory
Controller Hub (MCH), connects the
CPU to RAM and video memory;
directly connected to CPU, so it’s
faster
• Southbridge - also called the I/O
Controller Hub (ICH), connects
input/output (I/O) devices, such as
disk, keyboard, mouse, CD drive, USB
ports, etc.
53. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• The “brains” - capable of controlling and performing mathematical
calculations
• Everything a computer does is mathematical
• Rated by the number of clock cycles per second; a 2.4 GHz Pentium 4 CPU has
2.4 billion clock cycles per second.
54. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Arithmetic Logic Unit (ALU) -
performs mathematical calculations
• Control Unit (CU) – controls and sends
instructions to the ALU
55. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Fetch and execute: the process actually takes
four steps (one CPU or clock cycle):
• Fetch Instruction 1
• Decode Instruction 1
• Execute Instruction 1
• Write (save) result 1
56. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Pipelining combines multiple steps into one combined process; simultaneous
fetch, decode, execute, and write steps
• Each part is called a pipeline stage
57. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Interrupts cause the CPU to stop processing its current task, save the state,
and process a new request. Once the interrupt task is complete, the CPU will
start where it left off.
• Interrupts are typically hardware related.
58. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Process – an executable program and its data loaded and running in memory
• Thread (also called a lightweight process or “LWP”) – a child process; where one
process has “spawned” another process. A heavyweight process (or “HWP”) is called
a task
• Process states:
• New: a process being created
• Ready: process waiting to be executed by the CPU
• Running: process being executed by the CPU
• Blocked: waiting for I/O
• Terminate: a completed process
A zombie or orphan is a
process (or thread) where
the parent is terminated
59. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Multitasking allows multiple tasks (heavyweight processes) to run
simultaneously on one CPU
• Multiprocessing - multiple processes running on multiple CPUs
• Symmetric Multiprocessing (SMP) - one operating system to manage all CPUs
• Asymmetric Multiprocessing (AMP) - one operating system image per CPU
• Multiprogramming - multiple programs running simultaneously on one CPU
• Multithreading - multiple threads (lightweight processes) running
simultaneously on one CPU
60. CISSP Mentor Program Session #4
Secure Hardware Architecture
The Central Processing Unit (CPU)
• Watchdog Timers are designed to recover a system by rebooting after critical
processes hang or crash
• Complex Instruction Set Computer (CISC)
• Reduced Instruction Set Computer (RISC)
61. CISSP Mentor Program Session #4
Secure Hardware Architecture
Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user systems
Process Isolation
• Logical control that attempts to prevent one process from interfering with
another
• Object encapsulation - treats a process as a “black box”
• Time multiplexing - multiplexes system resources between multiple processes,
each with a dedicated slice of time
62. CISSP Mentor Program Session #4
Secure Hardware Architecture
Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user systems
Hardware Segmentation
• Completely separate hardware
Virtual Memory
• Virtual address mapping between applications and hardware memory
63. CISSP Mentor Program Session #4
Secure Hardware Architecture
Memory Protection
• Preventing processes from accessing memory space belonging to another
• Memory protection is required for multi-user systems
Swapping and Paging
• Uses virtual memory to copy contents in primary memory (RAM) to or from
secondary memory (not directly addressable by the CPU, on disk)
• Kernel accessing memory in swap space results in a page fault
64. CISSP Mentor Program Session #4
Secure Hardware Architecture
BIOS
• Basic Input Output System
• Contains code in firmware that is executed when a PC is powered on
• 1st thing it does is run the Power On Self-Test (POST)
• POST finds the boot sector that contains machine code for the OS kernel
• Kernel loads and executes into the OS
65. CISSP Mentor Program Session #4
Secure Hardware Architecture
WORM Storage
• Write Once Read Many
• Usually used for record retention and high integrity information
• CD-Rs, DVD-Rs, etc.
• Not CD-RWs or DVD-RWs
66. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Trusted Platform Module (or TPM)
• Developed and updated by the Trusted Computing Group
• Processor that can provide additional security capabilities in hardware
• Usually on the motherboard
• Hardware-based encryption (fast)
• Boot integrity – protecting against rootkits and kernel bypass attacks
67. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Kernel
• Heart (or core) of the operating system, usually running at ring 0
• Interface between the operating system and hardware
• Monolithic kernel - compiled into one static executable and the entire kernel
runs in supervisor mode; requires recompiling to add new features
• Microkernel – a modular kernel; can add functionality via loadable kernel
modules
68. CISSP Mentor Program Session #4
Secure Operating System and
Software Architecture
Kernel
• Reference monitor – core function of
the kernel; mediates all access between
subjects and objects
• Always enabled and cannot be
bypassed
69. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Users and File Permissions
• Types of permissions available depend on the file system being used
• Linux and UNIX permissions
• Read (“r”)
• Write (“w”)
• Execute (“x”)
• Permissions may be set separately for the owner, group, or world
70. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Users and File Permissions
Linux and UNIX permissions - output of a Linux “ls -la /etc”
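Decoding the permission column of such a listing into owner, group and world rights, and flagging entries worth reviewing, as an added example (not from the slides). The listing is constructed sample data, and the `.example` file names are placeholders.

```python
# Constructed sample of "ls -la" output; not taken from a real system.
SAMPLE_LS = """\
total 24
drwxr-xr-x  2 root root   4096 Jan  1 00:00 .
-rw-r--r--  1 root root   1832 Jan  1 00:00 passwd
-rw-r-----  1 root shadow 1100 Jan  1 00:00 shadow
-rw-rw-rw-  1 root root    220 Jan  1 00:00 motd.example
-rwsr-xr-x  1 root root  54256 Jan  1 00:00 tool.example
drwxrwxrwt 10 root root   4096 Jan  1 00:00 tmp.example
lrwxrwxrwx  1 root root     21 Jan  1 00:00 mtab -> ../proc/self/mounts
"""

def parse_mode(mode):
    """Split a 10-character mode string into type, triplets and special bits."""
    triplets = {"owner": mode[1:4], "group": mode[4:7], "world": mode[7:10]}
    perms = {"type": mode[0]}
    for who, (r, w, x) in triplets.items():
        granted = set()
        if r == "r":
            granted.add("r")
        if w == "w":
            granted.add("w")
        if x in "xst":                 # lowercase s/t also imply execute
            granted.add("x")
        perms[who] = granted
    perms["setuid"] = mode[3] in "sS"
    perms["setgid"] = mode[6] in "sS"
    perms["sticky"] = mode[9] in "tT"
    return perms

def audit(listing):
    """Return (name, finding) pairs for world-writable and setuid entries."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(None, 8)
        if len(fields) < 9 or len(fields[0]) < 10:
            continue                   # skips the "total N" line
        mode, owner, name = fields[0], fields[2], fields[8]
        p = parse_mode(mode)
        if p["type"] == "l":
            continue                   # symlink modes are not enforced
        sticky_dir = p["type"] == "d" and p["sticky"]
        if "w" in p["world"] and not sticky_dir:
            findings.append((name, "world-writable"))
        if p["setuid"] and p["type"] == "-":
            findings.append((name, f"setuid, runs as {owner}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LS):
        print(f"{name}: {finding}")
```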
71. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Users and File Permissions
• Types of permissions available depend on the file system being used
• Microsoft NTFS Permissions
• Read
• Write
• Read and execute
• Modify
• Full control (read, write, execute, modify, and in addition the ability to change the
permissions.)
72. CISSP Mentor Program Session #4
Secure Operating System and Software Architecture
Users and File Permissions
73. Questions?
We made it through Class #4!
We’re leaving off at “Virtualization and Distributed Computing”
No Quiz, so we’ll have no problem catching up…
Homework for Tuesday (5/10)
◦ Continue reading Chapter 4/Domain 3: Security Engineering (Engineering and
Management of Security) – We will cover the rest of this chapter and it will be
a lot of information!
◦ Come with questions!
Have a great evening, talk to you Tuesday!