Domain 4: Communication and Network Security - Review
Network Architecture and Design, Fundamentals, OSI Model, TCP/IP Model and Encapsulation (speaking of which)
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
Domain 4: Communication and Network Security -Review
•Network Architecture and Design
•Fundamentals
•OSI Model
•TCP/IP Model
•Encapsulation(speaking of which)
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical NetworkTopologies, WAN Technologies and Protocols, Network Devices and Protocols and Network Attacks
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Domain 4: Communication and Network Security - Review
Network Architecture and Design, Fundamentals, OSI Model, TCP/IP Model and Encapsulation (speaking of which)
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
Domain 4: Communication and Network Security -Review
•Network Architecture and Design
•Fundamentals
•OSI Model
•TCP/IP Model
•Encapsulation(speaking of which)
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical NetworkTopologies, WAN Technologies and Protocols, Network Devices and Protocols and Network Attacks
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
How to prepare for the CISSP Exam. A presentation created by the (ISC)2 Hellenic Chapter to assist and instruct those in Greece interested in pursuing the CISSP Certification.
The (ISC)2 Hellenic Chapter Team
Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityCore Security
Anatomy 101 of how and what threats actually do in your network. In this session, we will pick a well-known threat and go through the cycle of how actors behave and how security teams can deter, detect, respond and validate using Core Security products.
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
How to prepare for the CISSP Exam. A presentation created by the (ISC)2 Hellenic Chapter to assist and instruct those in Greece interested in pursuing the CISSP Certification.
The (ISC)2 Hellenic Chapter Team
Kill Chain Model for Use Cases Assist in Incident Response
1- Situational Awareness
Outbound Protocols
Outbound protocols by size
Top destination Countries
Top destination Countries by size
2- Reconnaissance
Port scan activity
ICMP query
3- Weaponization and Delivery
Injection
Cross Site Scripting
Cross Site Request Forgery
Failure to Restrict URL
Downloaded binaries
Top email subjects
Domains mismatching
Malicious or anomalous Office/Java/Adobe files
Suspicious Web pages (iframe + [pdf|html|js])
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
Threat Dissection - Alberto Soliño Testa Research Director, Core SecurityCore Security
Anatomy 101 of how and what threats actually do in your network. In this session, we will pick a well-known threat and go through the cycle of how actors behave and how security teams can deter, detect, respond and validate using Core Security products.
Domain 1: Security and Risk Management – Review
Information Security Governance, Administrative Controls, Risk Analysis: ALE, TCO, ROI (or ROSI), Legal Systems and Ethics
HHS Ransomware and Breach Guidance - Brad NighFRSecure
A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware attack prevention from a healthcare perspective is vitally important due to recent changes in HHS guidance. To understand what this means practically, FRSecure offers some valuable resources that discusses what constitutes a ransomware breach, non-compliance consequences and easy steps that can be implemented to reduce organizational risk of a Ransomware breach.
Welcome to the CISSP Mentor Program! What is the CISSP Mentor Program • History: 1st class was 2010; 6 students • Today’s class; 80 students. Why do we do it • Success Stories • Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. We need MORE good information security people!
Slide Deck - CISSP Mentor Program Class Session 1FRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Abstract: Security is playing an important and crucial role in the field of network communication system and internet. Here, lot of encryption algorithms were developed and so far .Though many algorithms are used now a days, there is a lack of security in message transformation. Security can be improved by making some modifications in traditional algorithms. Algorithms are DES, RSA, ECC algorithm etc. Among this it is preferred to do some modifications in RSA Algorithm. So, the changes applied in these algorithms, security will be better than the previous.
Keywords: Encryption, Decryption, DES, RSA, ECC, Plain Text, Cipher Text.
Title: Improving Network Security by Modifying RSA Algorithm
Author: KANNIKA PARAMESHWARI B, KRITHIKA M, KARTHI P
ISSN 2350-1022
International Journal of Recent Research in Mathematics Computer Science and Information Technology
Paper Publications
A comparative study of symmetric key algorithm des, aes and blowfish for vide...pankaj kumari
Cryptography means storing and transmitting data or information in a particular form that allow to be kept secret.
Symmetric key cryptography:- Both sender and receiver share the secret key.The symmetric key is kept private.both parties use the same key for encryption and decryption.
Asymmetric key cryptography:- Asymmetric key cryptography uses public or private key for encryption and decryption.Public key is kept by publically and private is kept secret.sender use the public key to send message and receiver use the private or secret key to decrypt the message.
This presentation consists of the Seminar, provided by me in the partial fulfillment of my Bachelors Degree in G B Pant Engineering College. Seminar included information about Encryption, Decryption, Cryptosystems and Authenticity in crytosystem.
Prevention of Cheating Message based on Block Cipher using Digital Envelopeiosrjce
IOSR Journal of Computer Engineering (IOSR-JCE) is a double blind peer reviewed International Journal that provides rapid publication (within a month) of articles in all areas of computer engineering and its applications. The journal welcomes publications of high quality papers on theoretical developments and practical applications in computer technology. Original research papers, state-of-the-art reviews, and high quality technical notes are invited for publications.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Chaotic Rivest-Shamir-Adlerman Algorithm with Data Encryption Standard Schedu...journalBEEI
Cryptography, which involves the use of a cipher, describes a process of encrypting information so that its meaning is hidden and thus, secured from those who do not know how to decrypt the information. Cryptography algorithms come with the various types including the symmetric key algorithms and asymmetric key algorithms. In this paper, the authors applied the most commonly used algorithm, which is the RSA algorithm together with the Chaos system and the basic security device employed in the worldwide organizations which is the Data Encryption Standard (DES) with the objective to make a hybrid data encryption. The advantage of a chaos system which is its unpredictability through the use of multiple keys and the secrecy of the RSA which is based on integer factorization’s difficulty is combined for a more secure and reliable cryptography. The key generation was made more secure by applying the DES schedule to change the keys for encryption. The main strength of the proposed system is the chaotic variable key generator that chages the value of encrypted message whenever a different number of key is used. Using the provided examples the strength of security of the proposed system was tested and demonstrated.
This presentation introduces the Basics of Cryptography and Network Security concepts. Heavily derived from content from William Stalling's book with the same title.
Today information security is a challenging factor that touches a lot of areas, including computers and communications. Message communication is kept secure through cryptography so that an eavesdropper is not able to decipher a transmitted message. One of the oldest and simplest known algorithms for cryptography is the Caesar cipher algorithm. In this paper, three programs based on Java, C++, and Python languages have been developed to implement the Caesar cipher algorithm to aid information security students and help them understand this fundamental algorithm. A code flow chart is used for each program to describe the code’s flow. It also reveals the sequence of steps for the code’s main methods, as well as the relationships between them. Furthermore, various technical descriptions are presented in detail for each of the methods used in both the encoding and the decoding of the messages.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
Operation “Blue Star” is the only event in the history of Independent India where the state went into war with its own people. Even after about 40 years it is not clear if it was culmination of states anger over people of the region, a political game of power or start of dictatorial chapter in the democratic setup.
The people of Punjab felt alienated from main stream due to denial of their just demands during a long democratic struggle since independence. As it happen all over the word, it led to militant struggle with great loss of lives of military, police and civilian personnel. Killing of Indira Gandhi and massacre of innocent Sikhs in Delhi and other India cities was also associated with this movement.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
2. CISSP Mentor Program Session #6
Tuesday was a crazy night! A bunch of information to take in.
We’re back at it tonight!
Ready to get physical (and maybe
technical)?!
3. CISSP Mentor Program Session #6
Domain 3: Security Engineering - Review
• Virtualization and Distributed Computing
• System Vulnerabilities, Threats and Countermeasures
• Cornerstone Cryptographic Concepts
• History of Cryptography
• Types of Cryptography
• Cryptographic Attacks
• Implementing Cryptography
5. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Julius Caesar constructed his own encryption method to hide data during
transmission or while being stored. The Caesar Cipher works in which of the
following ways?
A. Each letter in the alphabet is replaced with a letter three places beyond it.
B. Letters are randomly scrambled.
C. The message itself consists of clues to recover from different places in the physical world.
D. Replaces letters of the alphabet with letters 13 characters beyond it.
A
6. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Julius Caesar created one of the earliest forms of encryption. The Caesar cipher
shifts letters of the alphabet three spaces forward, thus disguising the original
message into an unrecognizable text string. Although this substitution-type of
encryption technique is simplistic compared to today's cryptography, in those
days many people could not read in the first place. ROT-13 is a cipher that shifts
letters of the alphabet 13 places forward. Transposition ciphers scramble text,
and a running key cipher uses clues in the outside world.
7. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
PKI and PGP can provide similar functionality, but a PKI provides an actual
framework for an environment to work within. They also use different trust
structures. Which of the following best describes PGP's trust structure?
A. Certificate authorities
B. Web of trust
C. PACs
D. Hierarchical
B
8. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Pretty Good Privacy (PGP) is a security program focused on protecting e-mail
messages. It uses public key encryption by implementing a "Web of trust"
among users. In contrast to certificate authorities, which control the levels of
trust, PGP allows users to sign each other's public keys, thus developing a
trusted network. PKI uses a hierarchical trust structure instead of a horizontal
structure.
9. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Secure Socket Layer (SSL) is the most common protocol that's used for secure
Internet transactions. Which of the following is not a characteristic of SSL?
A. Originally developed by Netscape
B. Protects both the message and communication channel over the Internet via VPN service
C. Provides encryption, message integrity and server authentication
D. Uses public key encryption
B
10. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Secure Sockets Layer (SSL) provides data encryption over the Internet. Although
it provides encryption while the message is being sent, it does not secure the
data once it's received and decrypted. Also, it doesn't provide a true VPN service
by protecting header information. SSL uses public key encryption and was
developed originally by Netscape. Along with encryption and message integrity,
SSL also ensures server authentication and optional client authentication.
11. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
In a 64-bit Data Encryption Algorithm (DEA) key, how many bits make up the true
key and how many bits make up parity?
A. 16 + 48 for parity
B. 48 + 16 for parity
C. 64 and no parity
D. 56 + 8 for parity
D
12. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
DES uses a 64-bit key. The true key consists of 56 bits and parity accounts for 8
bits. DES is a block symmetric algorithm that has four distinct operating modes:
Electronic Codebook (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB)
and Output Feedback (OFB). DES is really a standard and not an algorithm,
although we commonly referred to the algorithm as DES. The algorithm that's
used in DES is DEA, thus has the same characteristics of DES.
13. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Which is not true of the Advanced Encryption Standard (AES)?
A. It was developed to replace DES.
B. It uses key sizes of 64, 128 and 192.
C. It is a block symmetric cipher.
D. It uses the algorithm Rijndael.
B
14. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
AES was developed to improve upon DES's security and flexibility. It uses 128-bit,
192-bit and 256-bit keys. Rijndael, a block symmetric cipher created by Vincent
Rijmen and Joan Daemen, was selected as the new AES algorithm.
15. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Different types of algorithms use different types of mathematics. The more
complex the mathematics are, the more resources that are required for
computation. Which asymmetric algorithm is the most efficient requiring the
fewest resources?
A. RSA
B. ECC
C. Blowfish
D. IDEA
B
16. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Elliptic Curve Cryptosystems (ECC) is the most efficient of the asymmetric
algorithms. It uses elliptic curve properties to combine group and rule
information, which requires fewer resources than the other methods.
17. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Which is the 128-bit algorithm that was accepted for the DES standard?
A. Skipjack
B. Data Encryption Algorithm
C. Lucifer
D. RSA
C
18. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
In 1974, IBM created Lucifer, which would eventually become the Data
Encryption Standard (DES). DES absorbed significant controversy pertaining to
speculation that the NSA weakened the algorithm in order to have more control
at breaking the code. However, it remained the primary encryption standard for
many years until it was cracked in the late 1990s. This led to the creation of
Advanced Encryption Standard (AES). Lucifer was accepted and the key size was
reduced from 128-bit to 64-bit and renamed the Data Encryption Algorithm
(DEA).
19. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Which of the following is not true of RSA?
A. Was accepted as the new Advanced Encryption Standard in the late 1990s
B. Can be used for encryption and digital signatures
C. Can be used for key exchange
D. Developed at MIT by Ron Rivest, Adi Shamir, and Leonard Adleman
A
20. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
RSA is the de facto standard and most widely used asymmetric algorithm today.
The strength of RSA comes from factoring large numbers into their original prime
numbers. It performs encryption, digital signatures and key exchange. It works
well in Web browsers with the Secure Sockets Layer (SSL) protocol. RSA is named
after its MIT inventors, Ron Rivest, Adi Shamir, and Leonard Adelman. The
Advanced Encryption Standard (AES) algorithm uses Rijndael, a symmetric
encryption system.
21. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Which of the following algorithms was not considered by NIST when
determining the algorithm that was to be used for the new AES in 1997?
A. Twofish
B. MARS
C. Rinjdael
D. El Gamal
D
22. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
The Advanced Encryption Standard (AES) uses a symmetric block algorithm. El
Gamal is a public key (asymmetric) encryption system, and thus was not
considered for the advanced standard. El Gamal is similar to RSA; however, it
utilizes discrete logarithms in a finite field.
23. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
An attacker who has access to a large section of ciphertext, then determines
which part of it is to be decrypted, and ultimately has access to the resulting
plaintext has performed what type of attack?
A. Chosen-ciphertext
B. Known-plaintext
C. Chosen-plaintext
D. Ciphertext-only
A
24. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Chosen-ciphertext attacks have the highest probability of the encryption being
cracked. In this type of attack, the intruder must capture a large portion of the
ciphertext and then must be able to choose which parts of it are decrypted. That
section of text is transformed into plaintext. This translation is then analyzed in
an attempt to identify the key that was used in the encryption process.
25. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
In 1976, Diffie and Hellman introduced what cryptography technology?
A. Electronic key distribution
B. Digital signatures
C. Symmetric key encryption
D. 256-bit key encryption capabilities
A
26. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
The Diffie-Hellman key exchange was created as a way of exchanging public keys
and generating a session key without needing to set up a prior relationship. This
technology does not handle any form of data encryption; rather it's simply a
method of exchanging keys. Diffie and Hellman created the first asymmetric
algorithm.
27. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
A secret key that's used for data encryption only one time is called a
__________.
A. Public key
B. Asymmetric key
C. Key exchange
D. Session key
D
28. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
A session key improves security, because it's used only once per transmission. If
a session key wasn't used, users would apply the same symmetric key for every
message sent. Over time, attackers would be more likely to uncover this key.
However, new session keys are generated each time a transmission is initiated,
which provides a higher level of protection.
29. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
Which key knows the trapdoor that allows for decryption to take place?
A. Session key
B. Public key
C. Private key
D. Asymmetric key
C
30. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
A trapdoor one-way function applies the concept of factoring numbers into their
original prime numbers. Public keys encrypt a message with a built-in, one-way
function. This function is referred to as a one-way function because it's relatively
simple to encrypt, but much more difficult to decrypt without knowing the
correct trapdoor. A private key, however, knows the code of the trapdoor, and is
able decrypt the message.
31. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
A fixed-length value used as a message fingerprint is called a __________.
A. MAC
B. Hash value
C. Message value
D. Digital signature
B
32. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Quiz Review
A one-way hash is a function that changes a variable length text string into a
fixed length value or hash value. This process creates a fingerprint of the
message, which in turn is used to ensure the integrity of the message. One-way
hashing does not use keys. If the outgoing message needs confidentiality, a key
would be needed to encrypt the message itself. If a symmetric key was not going
to be used for encryption, but instead for data origin authentication, this is
referred to as a MAC.
33. CISSP Mentor Program Session #6
Domain 3: Security Engineering – Current
Events
http://www.theverge.com/2016/4/20/11466278/apple-microsoft-
google-open-letter-encryption-bill
http://www.theregister.co.uk/2016/04/14/burr_feinstein_bill_promp
ts_protests/
http://arstechnica.com/tech-policy/2016/05/encryption-is-essential-
tradecraft-of-terrorists-fbi-director-says/
34. CISSP Mentor Program Session #6
We’re done with Encryption!
Now onto Physical Security…
Remember our definition of information security:
The application of administrative, physical, and technical
controls to protect the confidentiality, integrity, and availability
of information.
35. CISSP Mentor Program Session #6
Physical Security – Unique Terms and Definitions
• Mantrap - A preventive physical control with two doors. Each door
requires a separate form of authentication to open
• Bollard—A post designed to stop a car, typically deployed in front of
building entrances
• Smart card—A physical access control device containing an integrated
circuit
• Tailgating—Following an authorized person into a building without
providing credentials
36. CISSP Mentor Program Session #6
Physical Security – Introduction
• Physical assets: people, buildings, systems, and data
• CISSP® exam considers human safety as the most critical concern of
this domain - trumps all other concerns
• Physical security protects against threats such as unauthorized access
and disasters, both man-made and natural
37. CISSP Mentor Program Session #6
Physical Security
Perimeter Defenses
• Help prevent, detect, and correct unauthorized physical access
• Should employ defense-in-depth
• Fences, doors, walls, locks, etc.
Fences
• May range from deterrents (such as 3-foot/1 meter-tall fencing) to
preventive devices (8-foot/2.4 meter)
• Should be designed to steer ingress and egress to controlled points,
such as exterior doors and gates
38. CISSP Mentor Program Session #6
Physical Security
Gates
• Range in strength from ornamental (a class I gate designed to deter access) to a class
IV gate designed to prevent a car from crashing through (such as gates at airports and
prisons)
• ASTM International's “ASTM F2200” Standard Specification for Automated Vehicular
Gate Construction at http://www.astm.org/Standards/F2200.htm
• Types of Vehicle Gates:
• Class I Residential (home use)
• Class II Commercial/General Access (parking garage)
• Class III Industrial/Limited Access (loading dock for 18-wheeler trucks)
• Class IV Restricted Access (airport or prison)
• Gates should be placed at controlled points at the perimeter - Secure sites use fences
and topography to steer traffic to these points.
39. CISSP Mentor Program Session #6
Physical Security
Bollards
• A traffic bollard is a strong post designed to stop a car
• Term derives from the short/strong posts (called mooring bollards) used to tie
ships to piers when docked
• Often installed in front of convenience stores, to prevent a confused driver
who mixes up the accelerator and brake from driving into the store.
• Used in secure facilities to prevent cars from entering (whether intentionally
or not)
• Can use large concrete planters for the same effect
• Usually placed in front of physically weak areas of a building, such as
entryways
40. CISSP Mentor Program Session #6
Physical Security
Lights
• Can act as both a detective and deterrent control
• Criminals will usually favor a poorly lighted target over a more visible one
• Should be bright enough to illuminate the desired field of vision (the area
being protected)
• Fresnel (pronounced fray-NELL) lights - Same type originally used in
lighthouses, use Fresnel lenses to aim light in a specific direction
• Light measurement:
• Lumen, the amount of light one candle creates
• Footcandles; one footcandle is one lumen per square foot
• Lux, based on the metric system, more commonly used now: one lux is one lumen per
square meter.
41. CISSP Mentor Program Session #6
Physical Security
CCTV
• Closed Circuit Television (CCTV)
• Detective device used to aid in detecting the presence of intruders in
restricted areas
• Can also be used as a deterrent device/control
• CCTVs using the normal light spectrum require sufficient visibility to
illuminate the field of view
42. CISSP Mentor Program Session #6
Physical Security
CCTV
• Infrared devices can “see in the dark” by displaying heat
• Older “tube cameras” are analog devices
• Modern cameras use CCD (Charged Couple Discharge), which is digital
• Cameras have mechanical irises that act as human irises, controlling the
amount of light that enters the lens by changing the size of the aperture
• Key issues include depth of field (the area that is in focus) and field of view
(the entire area viewed by the camera)
• More light allows a larger depth of field because a smaller aperture places
more of the image in focus
• A wide aperture (used in lower light conditions) lowers the depth of field
43. CISSP Mentor Program Session #6
Physical Security
CCTV
• Features such as pan and tilt (moving horizontally and vertically)
• Displays may display:
• Fixed camera view
• Autoscan (show a given camera for a few seconds before moving to the next)
• Multiplexing (where multiple camera feeds are fed into one display)
• Magnetic tape such as VHS is used to back up images from tube cameras
• CCD cameras use DVR (Digital Video Recorder) or NVR (Network Video
Recorder) for backups
• NVR has the advantage of allowing centralized storage of all video data
44. CISSP Mentor Program Session #6
Physical Security - Locks
• Preventive physical security control
• Used on doors and windows to prevent unauthorized physical access
• May be mechanical, such as key locks or combination locks
• May be electronic - often used with smart cards or magnetic stripe cards
Key locks
• Require a physical key to unlock
• Keys may be shared or sometimes copied, which lowers the accountability of key
locks
• A common type is the pin tumbler lock, which has two sets of pins: driver pins and
key pins.
• The correct key makes the pins line up with the shear line, allowing the lock tumbler
(plug) to turn
45. CISSP Mentor Program Session #6
Physical Security - Locks
Key locks
• Using an incorrect key results in misaligned pins, jamming
the lock plug
• Ward or Warded locks must turn a key through channels
(called wards); a “skeleton key” is designed to open
varieties of warded locks
• A spring-bolt lock is a locking mechanism which “springs” in
and out of the door jamb
• The door may be closed with the spring bolt exposed
• A deadbolt is rigid; the door cannot be closed when the
deadbolt is unlocked
• Both spring-bolt and deadbolts extend into the strike plate
in the door jamb
46. CISSP Mentor Program Session #6
Physical Security - Locks
Lock Picking
• The art of opening a lock without a key
• A set of lock picks can be used to lift the pins in a pin
tumbler lock, allowing the attacker to open the lock
without a key
• A technique called lock bumping uses a shaved-down
key which will physically fit into the lock. The attacker
inserts the shaved key and “bumps” the exposed
portion (sometimes with the handle of a screwdriver).
This causes the pins to jump, and the attacker quickly
turns the key and opens the lock.
• All key locks can be picked or bumped: the only
question is how long it will take
47. CISSP Mentor Program Session #6
Physical Security - Locks
Master and Core Keys
• Opens any lock for a given security zone in a building
• Access to the master key should be tightly controlled
• Core keys are used to remove the lock core in
interchangeable core locks (where the lock core may
be easily removed and replaced with another core)
• Once the lock core is removed, the door may often be
opened with a screwdriver
• Functional equivalent to the master key, core keys should
be kept equally secure
48. CISSP Mentor Program Session #6
Physical Security - Locks
Combination Locks
• Have dials that must be turned to specific numbers, in a specific order (alternating clockwise and
counterclockwise turns) to unlock
• A weak form of physical access control for production environments such as data centers
• Button or keypad locks also use numeric combinations
• Limited accountability due to shared combinations
• Button or keypad locks are also vulnerable because prolonged use can cause wear on the most used buttons
or keys
• Combinations may be discovered via a brute-force attack, where every possible combination is attempted
• Locks may also be compromised via shoulder surfing
• Simple locks such as pushbutton locks with limited combinations do not qualify as preventive devices; they are
deterrent ONLY
• Can be used for low-security applications such as locking an employee restroom, but should not be used to
protect sensitive data or assets
49. CISSP Mentor Program Session #6
Physical Security
Smart Cards and Magnetic Stripe Cards
• A physical access control device which is often
used for electronic locks, credit card purchases,
or dual-factor authentication systems
• “Smart” means the card contains a computer
circuit
• Smart card is also known as “Integrated Circuit
Card” (ICC).
• May be “contact” or “contactless”
50. CISSP Mentor Program Session #6
Physical Security
Smart Cards and Magnetic Stripe Cards
• Contact cards must be inserted into a smart card reader
• Contactless cards are read wirelessly
• One type of contactless card technology is Radio-Frequency
Identification (RFID)
• Contain RFID tags (also called transponders) which are read by
RFID transceivers
• Magnetic stripe card contains a magnetic stripe which stores
information
• Passive devices that contain no circuits
• Sometimes called swipe cards: they are used by swiping through a card
reader
• Many international credit cards are smart cards, while magnetic
stripe cards are more commonly used as credit cards in the United
States
51. CISSP Mentor Program Session #6
Physical Security
Smart Cards and Magnetic Stripe Cards
• The “Common Access Card” (CAC) is an example of a
worldwide smart card deployment by the U.S.
Department of Defense (DoD)
• Used for physical access control, to provide dual-factor
authentication to critical systems, to digitally sign
documents, and others
• CAC cards store data including cryptographic certificates
as part of the DoD's Public Key Infrastructure (PKI)
• Both smart and magnetic stripe may be used in
combination with electronic locks to provide physical
access control
• Better accountability when compared with mechanical
locks: audit data can be collected electronically
52. CISSP Mentor Program Session #6
Physical Security
Tailgating/piggybacking
• Occurs when an unauthorized person follows an
authorized person into a building after the
authorized person unlocks and opens the door
• Policy should forbid employees from allowing
tailgating and security awareness efforts
• Attackers attempting to tailgate often combine
social engineering techniques, such as carrying
large boxes, increasing the chances an authorized
user will “help out” by holding the door open
53. CISSP Mentor Program Session #6
Physical Security
Mantraps and Turnstiles
• Mantraps are a preventive physical control with two doors
• The first door must close and lock before the second door may be opened
• Each door typically requires a separate form of authentication to open
• The intruder is trapped between the doors after entering the mantrap
• Turnstiles are designed to prevent tailgating by enforcing a “one person per
authentication” rule
• Secure data centers may use floor-to-ceiling turnstiles with interlocking blades to
prevent an attacker from going over or under the turnstile
• Both mantraps and turnstiles must be designed to allow safe egress in case of
emergency
• No system should require authentication for egress during emergencies
54. CISSP Mentor Program Session #6
Physical Security
Contraband Checks
• Seek to identify objects that are prohibited to enter a secure perimeter (such
as an airplane)
• Secure buildings such as government or military buildings may employ
contraband checks
• Often used to detect metals, weapons, or explosives
• May also be used to detect controlled substances such as illegal drugs,
portable cameras or storage media
55. CISSP Mentor Program Session #6
Physical Security
Motion Detectors and Other Perimeter Alarms
• Ultrasonic and microwave motion detectors work like “Doppler radar” used to
predict the weather
• A wave of energy is sent out, and the “echo” is returned when it bounces off an object
• A motion detector that is 20 ft away from a wall will consistently receive an echo in the
time it takes for the wave to hit the wall and bounce back to the receiver, for example.
The echo will be returned more quickly when a new object (such as a person walking in
range of the sensor) reflects the wave
• Active sensors - means they actively send energy
56. CISSP Mentor Program Session #6
Physical Security
Motion Detectors and Other Perimeter Alarms
• A photoelectric motion sensor sends a beam of light
across a monitored space to a photoelectric sensor
• The sensor alerts when the light beam is broken
• Also an active sensor
• A passive sensor is a “read-only” device; example is
a passive infrared (PIR) sensor that detects infrared
energy created by body heat.
57. CISSP Mentor Program Session #6
Physical Security
Motion Detectors and Other Perimeter Alarms
• Perimeter alarms include magnetic door and window
alarms
• Include matched pairs of sensors on the wall, as well as
window/door
• An electrical circuit flows through the sensor pairs as long as
the door or window is closed; the circuit breaks when either is
opened
• Often armed for secured areas as well as in general areas
during off hours such as nights or weekends
• Once armed, a central alarm system will alert when any door
or window is opened
58. CISSP Mentor Program Session #6
Physical Security
Doors and Windows
• Attackers will often target the “weakest link in the chain”
• Examples of “weakest link” design include a concrete wall with a hollow-core
door, or a gypsum wall with a steel door.
• Door hinges should face inward, or be otherwise protected
• Doors with internal motion sensors should never include mail slots
59. CISSP Mentor Program Session #6
Physical Security
Doors and Windows
• Externally-facing emergency doors should be marked for emergency use only and
equipped with panic bars. The use of a panic bar should trigger an alarm.
• Glass windows are structurally weak and can be dangerous when shattered. Bullet-
proof or explosive-resistant glass can be used for secured areas. Wire mesh or
security film can lower the danger of shattered glass and provide additional strength.
Use of simple glass windows in a secure perimeter requires a compensating control
such as window burglar alarms.
• Alternatives to glass windows include polycarbonate such as Lexan and acrylic such
as Plexiglass. Lexan is used in race cars and airplanes for is strength and shatter
resistance.
60. CISSP Mentor Program Session #6
Physical Security
Walls, floors, and ceilings
• Walls around any internal secure perimeter such as a data center should be “slab to slab”
• Raised floors and drop ceilings can obscure where the walls truly start and stop
• Any wall protecting a secure perimeter (whether internal or external) should be strong
enough to resist cutting
• Simple gypsum “sheetrock” walls can be cut open with a sharp tool such as a carpet knife,
and should not be used for secure perimeters
• Walls should have an appropriate fire rating (the amount of time required to fail due to a fire)
• The National Fire Protection Agency (NFPA) 75: Standard for the Protection of Information Technology Equipment states “The
computer room shall be separated from other occupancies within the building by fire-resistant rated walls, floor, and ceiling
constructed of noncombustible or limited combustible materials. The fire resistant rating shall be commensurate with the
exposure, but not less than one hour.”
61. CISSP Mentor Program Session #6
Physical Security
Guards
• A dynamic control
• May aid in inspection of access credentials, monitor CCTVs, monitor environmental
controls, respond to incidents, act as a deterrent (all things being equal, criminals are
more likely to target an unguarded building over a guarded building), and more
• Professional guards have attended advanced training and/or schooling; amateur
guards (sometimes derogatively called “Mall Cops”) have not
• Term “pseudo guard” means an unarmed security guard
• Guard's orders should be complete and clear
• Guards are often attacked via social engineering, so this threat should be directly
addressed via security awareness and training.
62. CISSP Mentor Program Session #6
Physical Security
Dogs
• Often used in controlled areas, such as between the exterior building wall and
a perimeter fence
• Primarily serve as both deterrent and detective controls
• A site without dogs is more likely to be physically attacked than a site with
dogs (deterrent), and dogs alert security guards through barking (detective)
• The primary drawback to using dogs as a perimeter control is legal liability
63. CISSP Mentor Program Session #6
Physical Security
Site selection, design, and configuration
• Describes the process of building a secure facility such as a data center, from
the site selection process through the final design
• The exam could pose a scenario where you are asked about any part of the
site selection process, beginning with the land the data center will be built on
• Site selection is the “greenfield” process of choosing a site to construct a
building or data center. A “greenfield” is an undeveloped lot of land.
64. CISSP Mentor Program Session #6
Physical Security
Topography
• The physical shape of the land: hills, valleys, trees, etc.
• Highly secure sites such as military installations will leverage (and sometimes alter)
the topography of the site as a defensive measure
• Can be used to steer ingress and egress to controlled points
Utility Reliability
• Electrical outages are among the most common of all failures and disasters
• Uninterruptible Power Supplies (UPSs) will provide protection against electrical
failure for a short period (usually hours or less)
• Generators provide longer protection, but will require refueling in order to operate
for extended periods.
65. CISSP Mentor Program Session #6
Physical Security
Crime
• Local crime rates also factor into site selection
• The primary issue is employee safety: all employees have the right to a safe
working environment
• Additional issues include theft of company assets
66. CISSP Mentor Program Session #6
Physical Security
Site Design and Configuration Issues
Site design cannot compensate for poor site selection decisions
Site Marking
• Data centers are not externally marked
• Attention-avoiding details such as muted building design
The Netflix DVD service avoids site marking of its service centers, which look like nondescript
warehouses in regular office parks. There are no Netflix signs or corporate logos to be seen.
Assuming a low profile avoids drawing unwanted attention to the warehouses, which adds
defense-in-depth protection to the valuable contents inside. As an additional bonus, this
encourages subscribers to return DVDs via postal mail (as opposed to attempting to return
DVDs by dropping them off in person).
67. CISSP Mentor Program Session #6
Physical Security
Shared Tenancy and Adjacent Buildings
• Other tenants in a building case pose security issues: they are already behind the physical
security perimeter
• Their physical security controls will impact yours: a tenant's poor visitor security practices can
endanger your security
• Adjacent buildings pose a similar risk
• Attackers can enter a less secure adjacent building and use that as a base to attack an
adjacent building, often breaking in through a shared wall
• Many bank heists have been pulled off this way; including the theft of over $20 million dollars
from British Bank of the Middle East in 1976 (the attackers blasted a hole through the shared
wall of an adjacent church) http://www.dailymail.co.uk/home/moslive/article-
459185/Soldiers-Fortune.html
• Another security risk associated with shared tenancy (or neighbors who are physically close)
is wireless security
68. CISSP Mentor Program Session #6
Physical Security
Shared Demarc
• demarc (the demarcation point, where the ISP's (Internet Service Provider)
responsibility ends and the customer's begins)
• Most buildings have one demarc area, where all external circuits enter the
building
• Should employ strong physical access control, including identifying,
authenticating, and authorizing all access
• For very secure sites, construction of multiple segregated demarcs is
recommended.
69. CISSP Mentor Program Session #6
Physical Security
System Defenses
• One of the last lines of defense in a defense-in-depth strategy
• Assume an attacker has physical access to a device or media containing sensitive information
Asset Tracking
• You cannot protect your data unless you know where (and what) it is
• Data such as serial numbers and model numbers are useful in cases of loss due to theft or disaster.
Port Controls
• Computers may contain multiple “ports” which may allow copying data to or from a system
• USB drives can be small (some are smaller than a piece of chewing gum) and inexpensive and may hold dozens
of gigabytes or more
• Small enough to evade perimeter contraband checks
• Ports can be physically disabled
• Ports may also be electronically locked via system policy
70. CISSP Mentor Program Session #6
Physical Security
Drive and Tape Encryption
• Drive and tape encryption protect data at rest
• One of the few controls which will protect data after physical security has been
breached
• Recommended for all mobile devices and media containing sensitive information
which may physically leave a site or security zone
• Whole-disk encryption of mobile device hard drives is recommended
• Disk encryption/decryption may occur in software or hardware
• Many breach notification laws concerning Personally Identifiable Information (PII)
contain exclusions for lost data that is encrypted
71. CISSP Mentor Program Session #6
Physical Security
Media Storage and Transportation
• All sensitive backup data should be stored offsite, whether transmitted offsite via
networks, or physically moved as backup media
• Sites using backup media should follow strict procedures for rotating media offsite
• Always use bonded and insured company for offsite media storage
• The company should employ secure vehicles and store media at a secure site
• Ensure that the storage site is unlikely to be impacted by the same disaster that may
strike the primary site, such as a flood, earthquake, or fire
• Never use informal practices, which as storing backup media at employee's houses
72. CISSP Mentor Program Session #6
Physical Security
Media Cleaning and Destruction
• All forms of media should be securely cleaned or destroyed before disposal to
prevent object reuse
• Objects may be physical (such as paper files in manila folders) or electronic (data on a
hard drive)
• Attacks range from nontechnical attacks such as dumpster diving (searching for
information by rummaging through unsecured trash) to technical attacks such as
recovering information from unallocated blocks on a disk drive
• All cleaning and destruction actions should follow a formal policy, and all such activity
should be documented, including the serial numbers of any hard disks, type of data
they contained, date of cleaning or destruction, and personnel performing these
actions
73. CISSP Mentor Program Session #6
Physical Security
Environmental Controls
• Designed to provide a safe environment for personnel and equipment
• Power, HVAC, and fire safety are considered environmental controls
Electricity
• Reliable electricity is critical for any data center
• One of the top priorities when selecting, building, and designing a site
74. CISSP Mentor Program Session #6
Physical Security
Types of Electrical Faults
• All types of electrical faults can impact availability and integrity
• The following are common types of electrical faults:
• Blackout: prolonged loss of power
• Brownout: prolonged low voltage
• Fault: short loss of power
• Surge: prolonged high voltage
• Spike: temporary high voltage
• Sag: temporary low voltage
75. CISSP Mentor Program Session #6
Physical Security
Surge Protectors, UPSs, and Generators
Provide protection against one electrical failures
Surge Protectors
• Protect equipment from damage due to electrical surges
• Contain a circuit or fuse which is tripped during a power spike or surge, shorting the power or regulating it down to acceptable levels
Uninterruptible Power Supplies
• Provide temporary backup power in the event of a power outage
• May also “clean” the power, protecting against surges, spikes, and other forms of electrical faults
• Backup power is provided via batteries or fuel cells
• Provide power for a limited period of time, and can be used as a bridge to generator power; generators typically take a short period of time to start up and begin providing power
Generators
• Designed to provide power for longer periods of times than UPSs
• Will run as long as fuel is available
• Sufficient fuel should be stored onsite for the period the generator is expected to provide power
• Refueling strategies should consider a disaster's effect on fuel supply and delivery
• Generators should not be placed in areas which may flood or otherwise be impacted by weather events
• Should be tested and serviced regularly.
• http://www.cumminspower.com/www/literature/technicalpapers/PT-7006-Standby-Katrina-en.pdf
76. CISSP Mentor Program Session #6
Physical Security
EMI
• All electricity generates magnetism, so any electrical conductor emits
Electromagnetic Interference (EMI)
• Network cables that are poorly shielded or run too closely together may suffer
crosstalk, where magnetism from one cable “crosses” over to another nearby
cable
• Crosstalk can be mitigated via proper network cable management
• Never route power cables close to network cables
77. CISSP Mentor Program Session #6
Physical Security
HVAC
• Keep the air at a reasonable temperature and humidity
• Operate in a closed loop, recirculating treated air (helps reduce dust and other airborne
contaminants)
Positive Pressure and Drains
• All HVAC units should employ positive pressure and drainage
• Means air and water should be expelled from the building
• Untreated air should never be “inhaled” into the building, and water should drain away from the
building
• A common malfunction of HVAC units is condensation of water pooling into the building, often
going under raised floors where it may not be detected
• Positive drains are designed to avoid this problem
• Location of all gas and water lines, as well as all drains, should be formally documented.
78. CISSP Mentor Program Session #6
Physical Security
Heat and Humidity
• Humidity levels of 40-55% are recommended
• A commonly recommended “set point” temperature range for a data center is 68-77 °F (20-25
°C)
• With sufficient data center airflow, higher temperatures can be used
• Can result in energy savings; however, the data center may heat to dangerous levels more quickly in the
event of HVAC failure
Note - Many sources cite 68-72 °F (20-22 °C) as the optimum data center temperature range; in
2004, the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE)
recommended up to 77 °F/25 °C.
• (Green) As a result, the 2008 ASHRAE recommendations allow a much wider range:
temperature of 18 °C (64.4 °F) to 27 °C (80.6 °F) and humidity from 25% to 60%, depending on
the dew point. Higher set points require adequate airflow. Details may be found at
http://tc99.ashraetcs.org
79. CISSP Mentor Program Session #6
Physical Security
Static and Corrosion
• Sudden static discharge can cause damage from system reboots to chip or disk
damage
• Static is mitigated by maintaining proper humidity, proper grounding all circuits in a
proper manner, and using antistatic sprays, wrist straps, and work surfaces
• Personnel working with sensitive computer equipment such as boards, modules, or
memory chips should ground themselves before performing any work.
• High humidity levels can allow the water in the air to condense onto (and into)
equipment, which may lead to corrosion.
• Both static and corrosion are mitigated by maintaining proper humidity levels.
80. CISSP Mentor Program Session #6
Physical Security
Airborne Contaminants
• Dust is a common problem: airborne dust particles can be drawn into
computer enclosures, where they become trapped
• Built-up dust can cause overheating and static buildup
• CPU fans can be impeded by dust buildup, which can lead to CPU failure due
to overheating
• Other contaminants can cause corrosion or damaging chemical reactions.
81. CISSP Mentor Program Session #6
Physical Security
Heat, Flame, and Smoke Detectors
• Three methods for detecting fire
• Typically alert locally, and may also be centrally monitored by a fire alarm system
• An audible alarm and flashing lights should be used, so that both deaf and blind
personnel will be aware of the alarm
Heat Detectors
• Alert when temperature exceeds an established safe baseline
• May trigger when a specific temperature is exceeded or when temperature changes
at a specific rate (such as “10 °F in less than 5 minutes”)
82. CISSP Mentor Program Session #6
Physical Security
Smoke Detectors
• Work through two primary methods: ionization and photoelectric
• Ionization-based smoke detectors contain a small radioactive source which creates a small electric charge
• Photoelectric sensors work in a similar fashion, except that they contain an LED (Light Emitting Diode) and a
photoelectric sensor that generates a small charge while receiving light
• Both types of alarm alert when smoke interrupts the radioactivity or light, lowering or blocking the electric
charge
• Dust should always be avoided in data centers. Small airborne dust particles can trigger smoke detectors just
as smoke does, leading to false alarms.
Flame Detectors
• Detect infrared or ultraviolet light emitted in fire
• One drawback to this type of detection is that the detector usually requires line-of-site to detect the flame;
smoke detectors do not have this limitation
83. CISSP Mentor Program Session #6
Physical Security
Safety Training and Awareness
• Training provides a skill set such as learning to operate an emergency power system
• Awareness changes user behavior (“Don't let anyone follow you into the building
after you swipe your access card”)
Evacuation Routes
• Evacuation routes should be prominently posted
• All personnel should be advised of the quickest evacuation route from their areas
• Guests should be advised of evacuation routes as well
• All sites should use a meeting point, where all personnel will meet in the event of
emergency
84. CISSP Mentor Program Session #6
Physical Security
Evacuation Roles and Procedures
• The two primary evacuation roles are safety warden and meeting point leader
• The safety warden ensures that all personnel safely evacuate the building in the
event of an emergency or drill
• The meeting point leader assures that all personnel are accounted for at the
emergency meeting point
• Special care should be given to any personnel with handicaps, which could affect
egress during an emergency
• Elevators should never be used during a fire
• All sites should have mitigating controls to allow safe egress for all personnel
85. CISSP Mentor Program Session #6
Physical Security
ABCD Fires and Suppression
• Fire suppression systems are
used to extinguish fires
• Different types of fires require
different suppressive agents
• Class K fires are kitchen fires,
such as burning oil or grease.
Wet chemicals are used to
extinguish class K fires.
86. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
• Always consult local fire code before implementing a fire suppression system
• All fire suppression agents work via four methods (sometimes in
combination):
• reducing the temperature of the fire,
• reducing the supply of oxygen,
• reducing the supply of fuel,
• interfering with the chemical reaction within fire
87. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Water
• Suppresses fire by lowering the temperature below the kindling point (also
called the ignition point)
• Safest of all suppressive agents, and recommended for extinguishing common
combustible fires such as burning paper or wood
• It is important to cut electrical power when extinguishing a fire with water to
reduce the risk of electrocution
88. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Soda Acid
• Old giant brass fire extinguishers
• Suppress fire by lowering temperature, soda acid also has additional
suppressive properties beyond plain water: it creates foam which can float on
the surface of some liquid fires, starving the oxygen supply
89. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Dry Powder
• Dry powder (such as sodium chloride) works by lowering temperature and
smothering the fire, starving it of oxygen.
• Dry powder is primarily used to extinguish metal fires (flammable metals
include sodium, magnesium, and many others)
90. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Wet Chemical
• Primarily used to extinguish kitchen fires (type K fires in the U.S.; type F in
Europe)
• May also be used on common combustible fires (type A)
• The chemical is usually potassium acetate mixed with water. This covers a
grease or oil fire in a soapy film which lowers the temperature.
91. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
CO2
• Fires may be smothered by removing the oxygen: this is how CO2 fire suppression
works.
• A risk associated with CO2 is it is odorless and colorless, and our bodies will breathe
it as air. By the time we begin suffocating due to lack of oxygen, it is often too late.
• CO2 is dangerous suppressive agent, which is only recommended in unstaffed areas
such as electrical substations
• Any personnel entering a CO2-protected area should be trained for CO2 safety;
additional safety controls (such as oxygen tanks) are usually recommended
92. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Halon and Halon Substitutes
• Extinguishes fire via a chemical reaction that consumes energy and lowers the temperature of the fire
• Halon is being phased out, and a number of replacements with similar properties are now used
Montreal Accord
• Halon has ozone-depleting properties
• The 1989 Montreal Protocol (formally called the “Montreal Protocol on Substances That Deplete the Ozone
Layer”) banned production and consumption of new halon in developed countries by January 1, 1994.
• Existing halon systems may be used. While new halon is not being produced, recycled halon may be used
• There are exceptions for certain critical uses, such as airplanes and submarines. See http://ozone.unep.org for
more information on the Montreal Protocol.
93. CISSP Mentor Program Session #6
Physical Security
Types of Fire Suppression Agents
Halon Replacements
Recommended replacements for halon include the following systems:
• Argon
• FE-13
• FM-200
• Inergen
FE-13 is the newest of these agents, and comparatively safe. It may be breathed in
concentrations of up to 30%. Other halon replacements are typically only safe up to
10-15% concentration.
94. CISSP Mentor Program Session #6
Physical Security
Count-down Timers
• CO2, halon, and halon substitutes such as FM-200 are considered gas-based systems.
• All gas systems should use a countdown timer (both visible and audible) before gas is
released
• Allow personnel evacuation before release
• A secondary effect is to allow personnel to stop the release in case of false alarm.
Note - Water is usually the recommended fire suppression agent. Water (in the
absence of electricity) is the safest suppression agent for people.
95. CISSP Mentor Program Session #6
Physical Security
Sprinkler Systems
• All sprinkler systems should be combined with a fire alarm that alerts people to
evacuate
• Safe evacuation is the primary goal of fire safety.
Wet Pipe
• Wet pipes have water right up to the sprinkler heads: the pipes are “wet.”
• The sprinkler head contains a metal (common in older sprinklers) or small glass bulb
designed to melt or break at a specific temperature
• The sprinkler head opens and water flows
• Each head will open independently as the trigger temperature is exceeded.
96. CISSP Mentor Program Session #6
Physical Security
Wet Pipe
• Bulbs come in different colors, which indicate the ceiling temperature which will trigger the
bulb to burst and open the sprinkler head
• The colors used are
• orange (135 °F/57 °C),
• red (155 °F/68 °C),
• yellow (175 °F/79 °C),
• green (200 °F/93 °C),
• blue (286 °F/141 °C)
NFPA 13: Standard for the Installation of Sprinkler Systems describes the color conventions
used for these sprinkler heads. See:
http://www.nfpa.org/aboutthecodes/AboutTheCodes.asp?DocNum=13
97. CISSP Mentor Program Session #6
Physical Security
Dry Pipe
• Also have closed sprinkler heads: the difference is the pipes are filled with compressed air
• Water is held back by a valve that remains closed as long as sufficient air pressure remains in
the pipes
• As the dry pipe sprinkler heads open, the air pressure drops in each pipe, allowing the valve
to open and send water to that head
• Dry pipes are often used in areas where water may freeze, such as parking garages.
Deluge
• Similar to dry pipes, except the sprinkler heads are open and larger than dry pipe heads
• The pipes are empty at normal air pressure; the water is held back by a deluge valve
• The valve is opened when a fire alarm (which may monitor smoke or flame sensors) triggers.
98. CISSP Mentor Program Session #6
Physical Security
Pre-Action
• Combination of wet, dry, or deluge systems, and require two separate triggers to
release water
• Single interlock systems release water into the pipes when a fire alarm triggers
• The water releases once the head opens
• Double interlock systems use compressed air (same as dry pipes): the water will not
fill the pipes until both the fire alarm triggers and the sprinkler head opens
• Preaction systems are used in areas such as museums, where accidental discharge
would be expensive.
• Double-interlock systems are used in cold areas such as freezers to avoid frozen pipes
99. CISSP Mentor Program Session #6
Physical Security
Portable Fire Extinguishers
• Should be marked with the type of fire they are designed to extinguish
• Should be small enough to be operated by any personnel who may need to
use one
• Use the “PASS” method to extinguish a fire with a portable fire extinguisher:
• Pull the pin
• Aim low
• Squeeze the pin
• Sweep the fire
100. CISSP Mentor Program Session #6
Domain 4: Communication and Network Security (Designing and
Protecting Network Security)
• Network Architecture and Design
• Secure Network Devices and Protocols
• Secure Communications
101. Questions?
We made it through Class #6!
Domain 3 is finally complete!
Quizzes coming (I PROMISE!); one for Encryption and one for Physical Security
Homework for Thursday (5/12)
◦ Begin reading Chapter Domain 4: Communication and Network Security (Designing
and Protecting Network Security) – We will get through this domain in two classes
◦ It’s going to get technical
◦ Come with questions!
Have a great evening, talk to you Tuesday – From FRSecure’s Office!