Domain 4: Communication and Network Security - Review
Network Architecture and Design, Fundamentals, OSI Model, TCP/IP Model and Encapsulation (speaking of which)
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
Domain 4: Communication and Network Security -Review
•Network Architecture and Design
•Fundamentals
•OSI Model
•TCP/IP Model
•Encapsulation(speaking of which)
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical NetworkTopologies, WAN Technologies and Protocols, Network Devices and Protocols and Network Attacks
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Slide Deck Class Session 8 – FRSecure CISSP Mentor ProgramFRSecure
Domain 4: Communication and Network Security -Review
•Network Architecture and Design
•Fundamentals
•OSI Model
•TCP/IP Model
•Encapsulation(speaking of which)
Domain 4: Communication and Network Security - Review
Application Layer TCP/IP Protocols and Concepts, Layer 1 Network Cabling, LAN Technologies and Protocols, LAN Physical NetworkTopologies, WAN Technologies and Protocols, Network Devices and Protocols and Network Attacks
Domain 3: Security Engineering - Review (Part 2)
Virtualization and Distributed Computing, System Vulnerabilities, Threats and Countermeasures, Cornerstone Cryptographic Concepts, History of Cryptography, Types of Cryptography and Cryptographic Attacks
Slide Deck Class Session 10 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
Computer malware in all its forms is nearly as old as the first PCs running commodity OSes, dating back at least 30 years. However, the number and the variety of "computing devices" dramatically increased during the last several years. Therefore, the focus of malware authors and operators slowly but steadily started shifting or expanding towards Internet of Things (IoT) malware.
Unfortunately, at present there is no publicly available comprehensive study and methodology that collects, analyses, measures, and presents the (meta-)data related to IoT malware in a systematic and a holistic manner. In most cases, if not all, the resources on the topic are available as blog posts, sparse technical reports, or Systematization of Knowledge (SoK) papers deeply focused on a particular IoT malware strain (e.g., Mirai). Some other times those resources are already unavailable, or can become unavailable or restricted at any time. Moreover, many of such resources contain errors (e.g., wrong CVEs), omissions (e.g., hashes), limited perspectives (e.g., network behaviour only), or otherwise present incomplete or inaccurate analysis. Hence, all these factors leave unattended the main challenges of analysing, tracking, detecting, and defending against IoT malware in a systematic, effective and efficient way.
This work attempts to bridge this gap. We start with mostly manual collection, archival, meta-information extraction and cross-validation of more than 637 unique resources related to IoT malware families. These resources relate to 60 1 IoT malware families, and include 260 resources related to 48 unique vulnerabilities used in the disclosed or detected IoT malware attacks. We then use the extracted information to establish as accurately as possible the timeline of events related to each IoT malware family and relevant vulnerabilities, and to outline important insights and statistics. For example, our analysis shows that the mean and median CVSS scores of all analyzed vulnerabilities employed by the IoT malware families are quite modest yet: 6.9 and 7.1 for CVSSv2, and 7.5 and 7.5 for CVSSv3 respectively. Moreover, the public knowledge to defend against or prevent those vulnerabilities could have been used, on average, at least 90 days before the first malware samples were submitted for analysis. Finally, to help validate our work as well as to motivate its continuous growth and improvement by the research community, we open-source our datasets and release our IoT malware analysis framework and our IoT malware analysis framework.
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day of age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Slide Deck Class Session 11 – FRSecure CISSP Mentor ProgramFRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
Computer malware in all its forms is nearly as old as the first PCs running commodity OSes, dating back at least 30 years. However, the number and the variety of "computing devices" dramatically increased during the last several years. Therefore, the focus of malware authors and operators slowly but steadily started shifting or expanding towards Internet of Things (IoT) malware.
Unfortunately, at present there is no publicly available comprehensive study and methodology that collects, analyses, measures, and presents the (meta-)data related to IoT malware in a systematic and a holistic manner. In most cases, if not all, the resources on the topic are available as blog posts, sparse technical reports, or Systematization of Knowledge (SoK) papers deeply focused on a particular IoT malware strain (e.g., Mirai). Some other times those resources are already unavailable, or can become unavailable or restricted at any time. Moreover, many of such resources contain errors (e.g., wrong CVEs), omissions (e.g., hashes), limited perspectives (e.g., network behaviour only), or otherwise present incomplete or inaccurate analysis. Hence, all these factors leave unattended the main challenges of analysing, tracking, detecting, and defending against IoT malware in a systematic, effective and efficient way.
This work attempts to bridge this gap. We start with mostly manual collection, archival, meta-information extraction and cross-validation of more than 637 unique resources related to IoT malware families. These resources relate to 60 1 IoT malware families, and include 260 resources related to 48 unique vulnerabilities used in the disclosed or detected IoT malware attacks. We then use the extracted information to establish as accurately as possible the timeline of events related to each IoT malware family and relevant vulnerabilities, and to outline important insights and statistics. For example, our analysis shows that the mean and median CVSS scores of all analyzed vulnerabilities employed by the IoT malware families are quite modest yet: 6.9 and 7.1 for CVSSv2, and 7.5 and 7.5 for CVSSv3 respectively. Moreover, the public knowledge to defend against or prevent those vulnerabilities could have been used, on average, at least 90 days before the first malware samples were submitted for analysis. Finally, to help validate our work as well as to motivate its continuous growth and improvement by the research community, we open-source our datasets and release our IoT malware analysis framework and our IoT malware analysis framework.
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
Software-Defined Networking (SDN) is getting attention for the next-generation networking today. The key concept of SDN is to decouple the control logic from the traditional network devices so that network developers can design innovative network functions in a more flexible and programmable way. However, SDN is not always bringing advantages to us. Security experts have constantly raised security concerns about SDN, and some vulnerabilities have been uncovered in the real world. If SDN is not secure, how can we measure the security level of SDN environments?
In this talk, we introduce a powerful penetration testing tool for SDN called DELTA, which is officially supported by Open Networking Foundation (ONF). First, DELTA can automate diverse published attack scenarios against various SDN components from testing to evaluating. Also, to discover unknown vulnerabilities that may exist in SDN, DELTA leverages a blackbox fuzzing technique that randomizes different control flows in SDN. It enables us to systemically reveal unknown security issues rather than the empirical and ad-hoc methods that most previous studies use. By using DELTA, anyone can easily and thoroughly test not only popular open source SDN controllers (i.e., ONOS, OpenDaylight, Floodlight, and Ryu), but also SDN-enabled switches (i.e., OpenvSwitch, HP, and Pica8) in the real world.
We will show nine new attack cases that have been found by DELTA but never been announced before.
Also, we will discuss:
- What control flows are in SDN, and why those are important as a key feature compared to the traditional networks.
- What key components and workflow of DELTA to attack the real SDN components.
- Which nine new attack cases have been discovered by DELTA, and we will demonstrate it. For example, one of the new attacks violates the table condition, leading to the black hole of handling packets in the switch.
2012 B-Sides and ToorCon Talk Offensive Defense
Blog Post - http://blog.ioactive.com/2013/01/offensive-defense.html
Cyber-criminals have had back-end infrastructures equivalent to Virus Total to test if malware and exploits are effective against AV scanners for many years, thus showing that attackers are proactively avoiding detection when building malware. In this day of age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals. Let's not pretend attackers can't bypass each and every detection technique currently deployed. Join me as I present and review current detection methods found in most host and network security solutions found today. We will re-review the defense in depth strategy while keeping in mind that a solid security strategy consists of forcing an attacker to spend as much time and effort while needing to know a variety of skills and technologies in order to successfully pull off the attack. In the end I hope to convince you that thinking defensively requires thinking offensively.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
This presentation covers common cryptographic attacks, secure cryptographic implementation requirements, an overview of FIPS 140-2 and secure crypto implementation guidelines
Domain 3: Security Engineering
Virtualization and Distributed Computing
System Vulnerabilities, Threats and Countermeasures
Cornerstone Cryptographic Concepts
History of Cryptography
Types of Cryptography
Cryptographic Attacks
Implementing Cryptography
Slide Deck - CISSP Mentor Program Class Session 1FRSecure
FRSecure has a goal of changing a broken industry. There are many ways to accomplish this endeavor such as setting high assessment standards, using proprietary reporting methods that are easy to understand to hiring expert talent just to name a few. However, one unique approach FRSecure uses to bring about change is our CISSP Mentor Program. By design the program is provided at no cost to anyone with an interest in the information security industry.
HHS Ransomware and Breach Guidance - Brad NighFRSecure
A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 (a 300% increase over the 1,000 daily ransomware attacks reported in 2015). Ransomware attack prevention from a healthcare perspective is vitally important due to recent changes in HHS guidance. To understand what this means practically, FRSecure offers some valuable resources that discusses what constitutes a ransomware breach, non-compliance consequences and easy steps that can be implemented to reduce organizational risk of a Ransomware breach.
Domain 1: Security and Risk Management – Review
Information Security Governance, Administrative Controls, Risk Analysis: ALE, TCO, ROI (or ROSI), Legal Systems and Ethics
Purple Teaming - The Collaborative Future of Penetration TestingFRSecure
Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)
Welcome to the CISSP Mentor Program! What is the CISSP Mentor Program • History: 1st class was 2010; 6 students • Today’s class; 80 students. Why do we do it • Success Stories • Heck, it’s free! If you aren’t satisfied, we’ll refund everything you paid us. We need MORE good information security people!
Securing Text Messages Application Using MEDZatulNadia
Implementing hybrid security algorithm in securing data.
-Introduction
-Problem statement
-Objective
-Process model
-Public key cryptosystem
-Data model
-Proposed model
-Encryption and decryption process
-Proof of concept
* netbeans 8.1 *xampp *database
*java programming language
-Expected results
*performance for key generation, encryption and decryption
*graph
-References
Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.
Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.
Topics covered include:
• Properly protecting stored cardholder data - encryption, hashing, masking and truncation
• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security
• How to identify and mitigate missing encryption
Internet layer security protocol & IPsecKirti Ahirrao
Internet layer security protocol
Functions of Internet layer
Types of Protocols of Internet layer
Architecture of IPsec
Modes of IP sec
IPsec
IKE Protocol
Implementation of IKE
How to hack cryptographic protocols with Formal MethodsOfer Rivlin, CISSP
Presented at OWASP AppSec-IL conference, 2018
Video at: https://youtu.be/3G5U8HhfJlI
https://appsecisrael2018.sched.com/event/Fvqr/how-to-hack-cryptographic-protocols-with-formal-methods
The design of even the smallest security protocols is prone to vulnerabilities. For example, the security protocols of federation & connected cars networks are extremely complex. I explore the use of formal methods for automating validation and hacking cryptographic protocols
Instructions for Submissions thorugh G- Classroom.pptxJheel Barad
This presentation provides a briefing on how to upload submissions and documents in Google Classroom. It was prepared as part of an orientation for new Sainik School in-service teacher trainees. As a training officer, my goal is to ensure that you are comfortable and proficient with this essential tool for managing assignments and fostering student engagement.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Welcome to TechSoup New Member Orientation and Q&A (May 2024).pdfTechSoup
In this webinar you will learn how your organization can access TechSoup's wide variety of product discount and donation programs. From hardware to software, we'll give you a tour of the tools available to help your nonprofit with productivity, collaboration, financial management, donor tracking, security, and more.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
June 3, 2024 Anti-Semitism Letter Sent to MIT President Kornbluth and MIT Cor...Levi Shapiro
Letter from the Congress of the United States regarding Anti-Semitism sent June 3rd to MIT President Sally Kornbluth, MIT Corp Chair, Mark Gorenberg
Dear Dr. Kornbluth and Mr. Gorenberg,
The US House of Representatives is deeply concerned by ongoing and pervasive acts of antisemitic
harassment and intimidation at the Massachusetts Institute of Technology (MIT). Failing to act decisively to ensure a safe learning environment for all students would be a grave dereliction of your responsibilities as President of MIT and Chair of the MIT Corporation.
This Congress will not stand idly by and allow an environment hostile to Jewish students to persist. The House believes that your institution is in violation of Title VI of the Civil Rights Act, and the inability or
unwillingness to rectify this violation through action requires accountability.
Postsecondary education is a unique opportunity for students to learn and have their ideas and beliefs challenged. However, universities receiving hundreds of millions of federal funds annually have denied
students that opportunity and have been hijacked to become venues for the promotion of terrorism, antisemitic harassment and intimidation, unlawful encampments, and in some cases, assaults and riots.
The House of Representatives will not countenance the use of federal funds to indoctrinate students into hateful, antisemitic, anti-American supporters of terrorism. Investigations into campus antisemitism by the Committee on Education and the Workforce and the Committee on Ways and Means have been expanded into a Congress-wide probe across all relevant jurisdictions to address this national crisis. The undersigned Committees will conduct oversight into the use of federal funds at MIT and its learning environment under authorities granted to each Committee.
• The Committee on Education and the Workforce has been investigating your institution since December 7, 2023. The Committee has broad jurisdiction over postsecondary education, including its compliance with Title VI of the Civil Rights Act, campus safety concerns over disruptions to the learning environment, and the awarding of federal student aid under the Higher Education Act.
• The Committee on Oversight and Accountability is investigating the sources of funding and other support flowing to groups espousing pro-Hamas propaganda and engaged in antisemitic harassment and intimidation of students. The Committee on Oversight and Accountability is the principal oversight committee of the US House of Representatives and has broad authority to investigate “any matter” at “any time” under House Rule X.
• The Committee on Ways and Means has been investigating several universities since November 15, 2023, when the Committee held a hearing entitled From Ivory Towers to Dark Corners: Investigating the Nexus Between Antisemitism, Tax-Exempt Universities, and Terror Financing. The Committee followed the hearing with letters to those institutions on January 10, 202
2024.06.01 Introducing a competency framework for languag learning materials ...Sandy Millin
http://sandymillin.wordpress.com/iateflwebinar2024
Published classroom materials form the basis of syllabuses, drive teacher professional development, and have a potentially huge influence on learners, teachers and education systems. All teachers also create their own materials, whether a few sentences on a blackboard, a highly-structured fully-realised online course, or anything in between. Despite this, the knowledge and skills needed to create effective language learning materials are rarely part of teacher training, and are mostly learnt by trial and error.
Knowledge and skills frameworks, generally called competency frameworks, for ELT teachers, trainers and managers have existed for a few years now. However, until I created one for my MA dissertation, there wasn’t one drawing together what we need to know and do to be able to effectively produce language learning materials.
This webinar will introduce you to my framework, highlighting the key competencies I identified from my research. It will also show how anybody involved in language teaching (any language, not just English!), teacher training, managing schools or developing language learning materials can benefit from using the framework.
Honest Reviews of Tim Han LMA Course Program.pptxtimhan337
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
1. FRSecure 2017 CISSP
Mentor Program
EVAN FRANCEN, PRESIDENT & CEO – FRSECURE
BRAD NIGH, SENIOR INFORMATION SECURITY ANALYST - FRSECURE
CLASS SESSION #8
2. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security - Review
• Network Architecture and Design
• Fundamentals
• OSI Model
• TCP/IP Model
• Encapsulation (speaking of which)
3. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security - Review
Encapsulation (speaking of which)
5. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
1. If a cryptosystem is using a key size of 8, what is the keyspace size?
a. 32
b. 256
c. 16
d. 64
B
6. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
2. Which of the following is a requirement for a secure Vernam cipher?
a. The pad must be used one time
b. The private key must be only known to the owner
c. A symmetric key must be encrypted with an asymmetric key
d. It needs to hide the existence of a message
A
7. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
3. There are different binary mathematical functions; which of the following
is a true rule of the exclusive OR function?
a. Same value XOR same value equals one
b. 1 XOR 1 = 1
c. 1 XOR 0 = 1
d. 0 XOR 0 = 1
C
8. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
4. Which of the following is not addressed by the Wassenaar Agreement?
a. Products exported to terrorist countries
b. Asymmetric algorithms
c. Intangibles that could be downloaded from the Internet
d. Symmetric algorithms
C
9. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
5. Which of the following is a true difference between an asymmetric and
symmetric algorithm?
a. Asymmetric algorithms are best implemented in hardware and
asymmetric in software
b. Asymmetric algorithms are more vulnerable to frequency analysis attacks
c. Asymmetric algorithms are slower because they use substitution and
transposition
d. Symmetric algorithms are faster because they use substitution and
transposition D
10. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
6. How are a one-time pad and a stream cipher similar?
a. They both XOR bits for their encryption process
b. They are both vulnerable to linear frequency cryptanalysis attacks
c. They are both block ciphers
d. They are both asymmetric algorithms A
11. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
7. Both block and stream algorithms use initialization vectors. Which of the
following is not a reason that they are used?
a. They ensure that two identical plaintext values result in different
ciphertext values when encrypted with the same key
b. They are used to add randomness to the encryption process.
c. They provide extra protection in case an implementation is using the
same symmetric key more than one time
d. They are XORed to the plaintext after the encryption to ensure more
randomness to the process
D
12. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
8. How are symmetric and asymmetric keys used together?
a. An asymmetric key encrypts bulk and symmetric keys encrypt a small
amount of data
b. An asymmetric key is used and then encrypted with a symmetric key
c. An asymmetric key encrypts the symmetric key
d. A symmetric key encrypts data and then the asymmetric key encrypts
both of them
C
13. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
9. Which of the following security services are provided if a sender encrypts
data with her private key?
a. Confidentiality
b. Authentication
c. Corruption
d. Integrity
A (and B)
14. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz Review
10. The Vigenere cipher was developed in the 16th century in France. Which
of the following is a correct characteristic of this algorithm?
a. It uses one-time pads
b. It was used in World War II
c. It requires a messenger to take the right size rod to the destination
d. It uses a secret word as the key
D
15. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz BONUS
What is Kerckhoff’s principle and why is it relevant?
a. The only secret portion to a cryptosystem should be the key so that
the algorithms can be stronger
b. A public key needs to be associated with an individual’s identity for
true non-repudiation
c. More than one alphabet should be used in substitution ciphers to
increase the workfactor
d. One-time pads should be just as long as the message, otherwise
patterns will be shown
A
16. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz BONUS
Encrypt “Pizza is good every night of the week” using ROT-7
Wpggh pz nvvk lclyf upnoa vm aol dllr
17. CISSP Mentor Program Session #8
Domain 3: Security Engineering – Cryptography Quiz BONUS
Encrypt “Information security is fun” using the Vigenere Cipher with the key
“rabbit”
Zngpzfrtjpv lvcvsqmp it gcg
18. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
UDP
• User Datagram Protocol
• A simpler and faster cousin to TCP
• No handshake, session, or reliability
• Informally called “Send and Pray”
• Has a simpler and shorter 8-byte header
• Fields include:
• Source IP
• Destination IP
• Packet length (header and data)
• Simple (and optional) checksum - if used, the checksum provides limited integrity to the UDP header and data
• Operates at Layer 4
• Commonly used for applications that are “lossy” (can handle some packet loss), such as streaming audio and
video
• Also used for query-response applications, such as DNS queries.
19. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
ICMP
• Internet Control Message Protocol
• Helper protocol that helps Layer 3 (IP)
• ICMP is used to troubleshoot and report error conditions
• No concept of ports, but instead uses types and codes
• Commonly-used ICMP types are echo request and echo reply (used for
ping) and time to live exceeded in transit (used for traceroute)
20. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
ICMP
21. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
ICMP - Ping
• Named after sonar used to “ping” submarines
• Sends an ICMP Echo Request to a node and listens for an ICMP Echo Reply
• Designed to determine whether a node is up or down
• Attackers use ICMP to map target networks; many sites filter types of ICMP
such as Echo Request and Echo Reply
• An unanswered ping (an ICMP Echo Request with no Echo Reply) does not
mean a host is down. The node may be down, or the node may be up and the
Echo Request or Echo Reply may have been filtered at some point.
22. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
ICMP - Traceroute
• Uses ICMP Time Exceeded messages to trace a network route
• The Time to Live field is used to avoid routing loops: every time a packet passes through a
router, the router decrements the TTL field. If the TTL reaches zero, the router drops the
packet and sends an ICMP Time Exceeded message to the original sender
• Client’s traceroute client sends a packet to the server with a TTL of 1. The router A
decrements the TTL to 0, drops the packet, and sends an ICMP Time Exceeded message to
the client. Router A is now identified.
• The client then sends a packet with a TTL of 2 to the server. Router A decrements the TTL
to 1 and passes the packet to router B. Router B decrements the TTL to 0, drops it, and
sends an ICMP Time Exceeded message to the client. Router B is now identified.
• This process continues until the server is reached
• Most traceroute clients (such as UNIX and Cisco) send UDP packets outbound
23. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
ICMP - Traceroute
24. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Application Layer TCP/IP Protocols and Concepts
• TCP/IP’s Application Layer - combines the Presentation, Session, and
Application Layers of the OSI model
• Only standardizes communication and depends upon the underlying
transport layer protocols to establish host-to-host data transfer
channels and manage the data exchange
25. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Telnet
• Provides terminal emulation over a network
• “Terminal” means text-based VT100-style terminal access
• Telnet servers listen on TCP port 23
• Weak because it provides no confidentiality: all data transmitted during a
telnet session is plaintext, including the username and password used to
authenticate to the system
• Also has limited integrity: attackers with write access to a network can alter
data, or even seize control of Telnet sessions
• Secure Shell (SSH) provides secure authentication, confidentiality, and
integrity and is a recommended replacement for Telnet.
26. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
FTP
• Used to transfer files to and from servers
• FTP has no confidentiality or integrity and should not be used to transfer sensitive data over insecure channels
• FTP uses two ports:
• The control connection (where commands are sent) is TCP port 21
• “Active FTP” uses a data connection (where data is transferred) which originates from TCP port 20
• The two socket pairs (the next two examples use arbitrary ephemeral ports):
• Client:1025→Server:21 (Control Connection)
• Server:20→Client: 1026 (Data Connection)
• Client:1025→Server:21 (Control Connection)
• Client 1026→Server:1025 (Data Connection)
• The data connection originates from the server, in the opposite direction of the control channel. Many firewalls
will block the active FTP data connection for this reason, breaking Active FTP. Passive FTP addresses this issue by
keeping all communication from client to server:
• The FTP server tells the client which listening data connection port to connect to; the client then makes a second
connection. Passive FTP is more likely to pass through firewalls cleanly, since it flows in classic client-server
direction.
27. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
TFTP
• Trivial File Transfer Protocol
• UDP port 69
• Simple way to transfer files; often used for saving router configurations
or “bootstrapping” (downloading an operating system) via a network
by diskless workstations
• No authentication or directory structure: files are read from and
written to one directory, usually called /tftpboot.
• No confidentiality or integrity
28. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
SSH
• Designed as a secure replacement for Telnet, FTP, and the UNIX “R”
commands (rlogin, rshell, etc)
• Provides confidentiality, integrity, and secure authentication, among other
features
• Includes SFTP (SSH FTP) and SCP (Secure Copy) for transferring files
• Can also be used to securely tunnel other protocols, such as HTTP
• SSH servers listen on TCP port 22 by default
• SSH version 1 was the original version, which has since been found vulnerable
to man-in-the middle attacks
• SSH version 2 is the current version of the protocol, and is recommended over
SSHv1, or Telnet, FTP, etc.
29. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
SMTP, POP, and IMAP
• SMTP is the Simple Mail Transfer Protocol
• Used to transfer email between servers
• Servers listen on TCP port 25
• POPv3 (Post Office Protocol) and IMAP (Internet Message Access
Protocol) are used for client-server email access, which use TCP ports
110 and 143, respectively
30. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
DNS
• Domain Name System
• A distributed global hierarchical database that translates names to IP
addresses, and vice versa
• Uses both TCP and UDP: small answers use UDP port 53; large answers (such
as zone transfers) use TCP port 53
• Authoritative name servers provide the “authoritative” resolution for names
within a given domain
• Recursive name servers will attempt to resolve names that it does not already
know
• Caching name servers will temporarily cache names previously resolved
31. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
DNS
32. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
DNS Weaknesses
• DNS uses the unreliable UDP protocol for most requests, and native DNS
provides no authentication. The security of DNS relies on a 16-bit source port
and 16-bit DNS query ID. Attackers who are able to blindly guess both
numbers can forge UDP DNS responses.
• A DNS cache poisoning attack is an attempt to trick a caching DNS server into
caching a forged response. If bank.example.com is at 192.0.2.193, and
evil.example.com is at 198.18.8.17, an attacker may try to poison a DNS
server’s cache by sending the forged response of “bank.example.com is at
198.18.8.17.” If the caching DNS name server accepts the bogus response, it
will respond with the poisoned response for subsequent bank.example.com
requests (until the record expires).
33. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
DNSSEC
• Domain Name Server Security Extensions provides authentication and
integrity to DNS responses via the use of public key encryption
• DNSSEC does not provide confidentiality: it acts like a digital signature
for DNS responses
• See http://www.kb.cert.org/vuls/id/800113 for more details on the
improved cache poisoning attack and defenses
34. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
SNMP
• Simple Network Management Protocol, primarily used to monitor network devices
• Network monitoring software such as HP OpenView and MRTG use SNMP to poll
SNMP agents on network devices, and report interface status (up/down), bandwidth
utilization, CPU temperature, and many more metrics
• SNMP agents use UDP port 161
• SNMPv1 and v2c use read and write community strings to access network devices
(clear text)
• Many devices use default community strings such as “public” for read access, and
“private” for write access (bad)
• SNMPv3 was designed to provide confidentiality, integrity, and authentication to
SNMP via the use of encryption
35. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
HTTP and HTTPS
• HTTP (Hypertext Transfer Protocol) - Used to transfer unencrypted
Web-based data
• HTTPS (Hypertext Transfer Protocol Secure) - transfers encrypted Web-
based data via SSL/TLS
• HTTP uses TCP port 80
• HTTPS uses TCP port 443
36. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
BOOTP and DHCP
• BOOTP is the Bootstrap Protocol
• Used for bootstrapping via a network by diskless systems
• Many system BIOSs now support BOOTP directly, allowing the BIOS to load the operating system via a network without
a disk
• Startup occurs in two phases:
• Use BOOTP to determine the IP address and OS image name
• Use TFTP to download the operating system
• DHCP is Dynamic Host Configuration Protocol
• Designed to replace and improve on BOOTP by adding additional features
• Allows more configuration options, as well as assigning temporary IP address leases to systems
• Systems can be configured to receive IP address leases, DNS servers, and default gateways, among other information.
• Both BOOTP and DHCP use the same ports:
• UDP port 67 for servers
• UDP port 68 for clients
37. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Layer 1 Network Cabling
• Simplest part of the OSI model
• Fundamental network cabling terms to understand:
• Electro Magnetic Interference (EMI) is interference caused by magnetism created
by electricity
• Any unwanted signal (such as EMI) on a network cable is called noise
• Crosstalk occurs when a signal crosses from one cable to another
• Attenuation is the weakening of signal as it travels further from the source
38. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Layer 1 Network Cabling - Twisted Pair Cabling
Unshielded Twisted Pair (UTP)
• Uses pairs of wire twisted together
• Twisting them together dampens the magnetism and makes cabling
less susceptible to EMI
39. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Layer 1 Network Cabling - Twisted Pair Cabling
Unshielded Twisted Pair (UTP)
• Cables are classified by categories according to rated speed
• Tighter twisting results in more dampening:
• Category 6 UTP cable designed for gigabit networking has far tighter twisting than a
Category 3 fast Ethernet cable
• Cisco Press also has a good summary at
http://www.ciscopress.com/articles/article.asp?p=31276
40.
41.
42. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Layer 1 Network Cabling - Coaxial Cabling
• Coaxial cables are often used for satellite and cable TV service
• More resistant to EMI, allows higher bandwidth and longer
connections compared with twisted pair cable.
• Two older types of coaxial cable are Thinnet and Thicknet, used for
Ethernet bus networking.
44. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Layer 1 Network Cabling - Fiber Optic Network Cable
• Uses light to carry information
• Can be used to transmit via long distances: past 50 miles
• Advantages are speed, distance, and immunity to EMI
• Disadvantages include cost and complexity
• Multimode fiber carrier
• Uses multiple modes (paths) of light, resulting in light dispersion
• Used for shorter distances
• Single-mode fiber
• Uses a single strand of fiber, and the light uses one mode (path) down the center of the fiber
• Used for long-haul, high-speed networking
• Multiple signals may be carried via the same fiber using Wavelength Division Multiplexing (WDM)
• Multiple light “colors” are used to transmit different channels of information on the same fiber
• Combined speeds of over a terabit/second can be achieved when WDM is used to carry 10-gigabits per color
46. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Technologies and Protocols - Ethernet
• Most common local area networking technology
• Transmits network data in frames
• Originally used a physical bus topology, and later added support for
physical star
• Describes Layer 1 issues such as physical medium and Layer 2 issues
such as frames
• Baseband (one channel)
47.
48. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Technologies and Protocols - Ethernet
• Carrier Sense Multiple Access (CSMA) addresses collisions
• Carrier Sense Multiple Access with Collision Detection (CSMA/CD):
• 1. Monitor the network to see if it is idle
• 2. If the network is not idle, wait a random amount of time
• 3. If the network is idle, transmit
• 4. While transmitting, monitor the network
• 5. If more current is detected than sent, another station must also be sending a) Send Jam signal to tell all nodes to stop
transmitting b) Wait a random amount of time before retransmitting
• CSMA/CD is used for systems that can send and receive simultaneously, such as wired Ethernet
• CSMA/CA (Collision Avoidance) is used for systems such as 802.11 wireless that cannot send and
receive simultaneously
• CSMA/CA relies on receiving an acknowledgement from the receiving station: if no
acknowledgement is received, there must have been a collision, and the node will wait and
retransmit
49. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Technologies and Protocols - ARCNET & Token Ring
• ARCNET (Attached Resource Computer Network) and Token Ring are
two legacy LAN technologies
• Pass network traffic via tokens
• Possession of a token allows a node to read or write traffic on the
network
• No collisions - Predictable network behavior
• ARCNET ran at 2.5 mbps and popularized the star topology
• The last version of Token Ring ran at 16 mbps using a physical
star/logical ring topology
50. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Technologies and Protocols - FDDI
• Fiber Distributed Data Interface
• Legacy LAN technology
• Logical network ring via a primary and secondary counter-rotating fiber
optic ring
• Secondary ring was typically used for fault tolerance
• A single FDDI ring runs at 100 megabits
• Uses a “token bus,” a different token-passing mechanism than Token
Ring
51. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Physical Network Topologies - Bus
• Connects network nodes in a string
• Each node inspects the data as it passes along the bus
• Fragile: should the network cable break anywhere along the bus, the
entire bus would go down
52. CISSP Mentor Program Session #8
Domain 4: Communication and
Network Security
LAN Physical Network Topologies - Tree
• Also called hierarchical network
• A network with a root node, and branch
nodes that are at least three levels deep
(two levels would make it a star)
• The root node controls all tree traffic
• Legacy network design; the root node was
often a mainframe
53. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Physical Network Topologies - Ring
• Connects network nodes in a ring
• Logical ring, physical star
• MAU/MSAU
54. CISSP Mentor Program Session #8
Domain 4: Communication and Network
Security
LAN Physical Network Topologies - Star
• The dominant physical topology for LANs
• First popularized by ARCNET, and later adopted by
Ethernet
• Each node is connected directly to a central device
such as a hub or a switch
56. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
LAN Physical Network Topologies - Mesh
• Interconnects network nodes to each other
• Full mesh and partial mesh
• Superior availability and are often used for highly available (HA) server
clusters
57. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - T1s, T3s, E1s, E3s
• T Carriers (United States)
• E Carriers (Europe)
• T1:
• Dedicated 1.544-megabit circuit
• Twenty-four 64-bit DS0 (Digital Signal 0) channels (such as 24 circuit-switched phone calls)
• DS1 (Digital Signal 1) and T1 are often used interchangeably
• DS1 describes the flow of bits (via any medium, such as copper, fiber, wireless, etc.); a T1 is a
copper telephone circuit that carries a DS1.
• T3:
• 28 bundled T1s
• 44.736-megabit circuit
• T3 and DS3 (Digital Signal 3) are also used interchangeably
58. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - T1s, T3s, E1s, E3s
• E1:
• Dedicated 2.048-megabit circuit
• 30 channels
• E3:
• 24 E1s
• 34.368 megabits.
• T1 and T3 speeds are often rounded off to 1.5 and 45 megabits
• SONET (Synchronous Optical Networking) carries multiple T-carrier circuits via
fiber optic cable
• SONET uses a physical fiber ring for redundancy.
59. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - Frame Relay
• Packet-switched Layer 2 WAN protocol
• Provides no error recovery
• Focuses on speed
• Higher layer protocols carried by Frame Relay, such as TCP/IP can be used to provide
reliability
• Multiplexes multiple logical connections over a single physical connection to create
Virtual Circuits
• PVC (Permanent Virtual Circuit) is always connected, analogous to a real dedicated circuit like a T1.
• SVC (Switched Virtual Circuit) sets up each “call,” transfers data, and terminates the connection
after an idle timeout.
• Frame Relay is addressed locally via Data Link Connection Identifiers (DLCI,
pronounced “delsee”).
60. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - X.25
• An older packet-switched WAN protocol
• Provided a cost-effective way to transmit data over long distances in
the 1970s though early 1990s
• The global packet switched X.25 network is separate from the global IP-
based Internet
• Performs error correction which can add latency on long links
• Can carry other protocols such as TCP/IP
61. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - ATM
• Asynchronous Transfer Mode (ATM)
• WAN technology that uses fixed length cells
• ATM cells are 53 bytes long, with a 5-byte header and 48-byte data
portion
• SMDS (Switched Multimegabit Data Service) is older and similar to
ATM, also using 53-byte cells
62. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - MPLS
• Multiprotocol Label Switching (MPLS)
• Forwards WAN data via labels, via a shared MPLS cloud network
• Can carry many types of network traffic, including ATM, Frame relay, IP,
and others
• Decisions are based on labels, and not encapsulated header data (such
as an IP header)
• Can carry voice and data, and be used to simplify WAN routing
63. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - SDLC and HDLC
• Synchronous Data Link Control (SDLC)
• Synchronous Layer 2 WAN protocol
• Uses polling to transmit data
• Polling is similar to token passing; the difference is a primary node polls secondary
nodes, which can transmit data when polled
• Combined nodes can act as primary or secondary
• SDLC supports NRM transmission only (see next slide)
64. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
WAN Technologies and Protocols - SDLC and HDLC
• High-Level Data Link Control (HDLC)
• Successor to SDLC
• Adds error correction and flow control, as well as two additional modes (ARM and ABM)
• The three modes of HDLC are:
• Normal Response Mode (NRM)—Secondary nodes can transmit when given
permission by the primary
• Asynchronous Response Mode (ARM)—Secondary nodes may initiate communication
with the primary
• Asynchronous Balanced Mode (ABM)—Combined mode where nodes may act as
primary or secondary, initiating transmissions without receiving permission
65. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols - Repeaters and Hubs
• Layer 1 devices
• Repeater receives bits on one port, and “repeats” them out the other port
• Repeater has no understanding of protocols; it only repeats bits
• Repeaters are often used to extend the length of a network
• A hub is a repeater with more than two ports
• Hubs receive bits on one port and repeat them across all other ports
• No traffic isolation and no security: all nodes see all traffic sent by the hub
• Half-duplex devices: they cannot send and receive simultaneously
• One “collision domain”: any node may send colliding traffic with another
• Unsuitable for most modern purposes
66. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols - Repeaters and Hubs
• Layer 1 devices
• Repeater receives bits on one port, and “repeats” them out the other port
• Repeater has no understanding of protocols; it only repeats bits
• Repeaters are often used to extend the length of a network
• A hub is a repeater with more than two ports
• Hubs receive bits on one port and repeat them across all other ports
• No traffic isolation and no security: all nodes see all traffic sent by the hub
• Half-duplex devices: they cannot send and receive simultaneously
• One “collision domain”: any node may send colliding traffic with another
• Unsuitable for most modern purposes
67. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols - Repeaters and Hubs
68. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols - Bridges
• Layer 2 devices
• Has two ports and connects network segments together
• Provides traffic isolation and makes forwarding decisions by learning
the MAC addresses of connected nodes.
• Two collision domains
69. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols - Switches
• A bridge with more than two ports
• Best practice to only connect one device per switch port
• Provides traffic isolation by associating the MAC address of each
computer and server with its port
• Shrinks the collision domain to a single port
• Trunks are used to connect multiple switches
70. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Switches (VLANs)
• Virtual LAN, which can be thought of as a virtual switch
• Inter-VLAN communication requires layer 3 routing.
71. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Switches (SPAN ports)
• Mirroring traffic from multiple switch ports to one “SPAN port”
• SPAN is a Cisco term; HP switches use the term “Mirror port”
• Typically used for Intrusion Detection and/or Prevention
• One drawback to using a switch SPAN port is port bandwidth overload
72. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Switches (TAPs)
• “Test Access Port”
• Provides a way to “tap” into network traffic, and see all unicast streams
on a network
• The preferred way to provide promiscuous network access to a sniffer
or Networked Intrusion Detection System.
• Can “fail open,” so that network traffic will pass in the event of a
failure: this is not true for hubs or switch SPAN ports
73. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers
• Layer 3 devices
• Route traffic from one LAN to another
• IP-based routers make routing decisions based on the source and destination
IP addresses.
NOTE: In the real world, one chassis, such as a Cisco 6500, can be many devices
at once: a router, a switch, a firewall, a NIDS, etc. The exam is likely to give
more clear-cut examples: a dedicated firewall, a dedicated switch, etc. If the
exam references a multifunction device, that will be made clear. Regardless, it
is helpful on the exam to think of these devices as distinct concepts.
74. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (Static and Default
Routes)
• Static routes
• Routes to other networks
• Manually entered into the routing table
• Good for simple routing needs and fixed networks with little or no redundancy
• Default routes
• A route to other networks that are not known.
• If no other routes to a network exist, the default route is used.
76. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (Routing Protocols)
The network depicted previously has redundant paths between all four sites. Should
any single circuit or site go down, at least one alternate path is available. The fastest
circuits are the 45-megabit T3s which connect the data center to each office.
Additional 1.5 megabit T1s connect Office A to B, and B to C.
Should the left-most T3 circuit go down, between the Data Center and Office A, there
are multiple paths available from the data center to Office A: the fastest is the T3 to
Office B, and then the T1 to office A.
You could use static routes for this network, preferring the faster T3s over the slower
T1s. The problem: what happens if a T3 goes down? Static routes would require
manual reconfiguration.
77. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (Distance Vector
Routing Protocols)
• Metrics are used to determine the “best” route across a network
• Simplest metric is hop count – number of routers to a destination
network
• Does not account for link speed between networks
• Prone to routing loops
78. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (RIP)
• A distance vector routing protocol
• Uses hop count as its metric
• Does not have a full view of a network: it can only “see” directly connected routers
• Convergence is slow
• Sends routing updates every 30 seconds, regardless of routing changes
• Maximum hop count is 15; 16 is considered “infinite.”
• RIPv1 can route classful networks only
• RIPv2 added support for CIDR
• Uses split horizon to help avoid routing loops - means that a router will not “argue back”
• Uses a hold-down timer to avoid “flapping” (repeatedly changing a route’s status from up
to down)
79. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (Link State Routing
Protocols)
Protocols factor in additional metrics for determining the best route, including
bandwidth
• OSPF
• Open Shortest Path First (OSPF)
• An open link state routing protocol
• Routers learn the entire network topology for their “area” (the portion of the
network they maintain routes for, usually the entire network for small networks)
• Routers send event-driven updates
• Far faster convergence than distance vector protocols such as RIP
80. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Routers (BGP)
• Border Gateway Protocol
• The routing protocol used on the Internet
• Routes between autonomous systems, which are networks with multiple
Internet connections
• Has some distance vector properties, but is formally considered a path vector
routing protocol
Note - The exam strongly prefers open over proprietary
standards, which is why proprietary routing protocols like
Cisco’s EIGRP are not covered.
81. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Firewalls
• Filter traffic between networks
• TCP/IP packet filter and stateful firewalls make decisions based on layers 3
and 4 (IP addresses and ports)
• Proxy firewalls can also make decisions based on layers 5-7
• Firewalls are multi-homed: they have multiple NICs connected to multiple
different networks
82. CISSP Mentor Program Session #8
Domain 4: Communication and Network
Security
Network devices and protocols –
Firewalls (Packet Filter)
• A simple and fast firewall
• No concept of “state”: each filtering decision must
be made on the basis of a single packet
• No way to refer to past packets to make current
decisions
• Lack of state makes packet filter firewalls less
secure, especially for session less protocols like UDP
and ICMP
83. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Firewalls (Stateful)
• A state table that allows the firewall to compare current packets to previous
ones
• Slower than packet filters, but are far more secure
84. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Proxy Firewalls
• Firewalls that act as intermediary servers
• Proxies terminate connections
85. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Proxy Firewalls
Application-Layer Proxy Firewalls
• Operate up to Layer 7
• Can make filtering decisions based on application-layer data, such as HTTP
traffic, in addition to layers 3 and 4
• Must understand the protocol that is proxied, so dedicated proxies are often
required for each protocol: an FTP proxy for FTP traffic, an HTTP proxy for
Web traffic, etc.
• Allows tighter control of filtering decisions
86. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network devices and protocols – Proxy Firewalls
Circuit-Level Proxies Including SOCKS
• Operate at Layer 5 (session layer) - allows circuit-level proxies to filter more
protocols: there is no need to understand each protocol; the application-layer
data is simply passed along
• Most popular example of a circuit-level proxy is SOCKS
• SOCKS uses TCP port 1080
• Some applications must be “socksified” to pass via a SOCKS proxy
• SOCKS5 is current version of the protocol
• Cannot make filtering decisions based on application layer data, such as
explicit Web content
87. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - Bastion Hosts
• Any host placed on the Internet which is not protected by another device
(such as a firewall)
• Hosts must protect themselves, and be hardened to withstand attack
• Hosts usually provide a specific service, and all other services should be
disabled
88. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - Dual-Homed Host
• Two network interfaces: one connected to a trusted network, and the other
connected to an untrusted network, such as the Internet
• Host does not route: a user wishing to access the trusted network from the
Internet, would log into the dual-homed host first, and then access the
trusted network from there
• Common design before modern firewalls in the 1990s
89. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - Screened Host Architecture
• An older flat network design using one router to filter external traffic to and
from a bastion host via an access control list (ACL)
• The bastion host can reach other internal resources, but the router ACL
forbids direct internal/external connectivity
90. CISSP Mentor Program Session #8
Domain 4: Communication and Network
Security
Fundamental Firewall Designs - Screened
Host Architecture
• An older flat network design using one router to
filter external traffic to and from a bastion host via
an access control list (ACL)
• The bastion host can reach other internal resources,
but the router ACL forbids direct internal/external
connectivity
• Difference between dual-homed host and screened
host design is screened host uses a screening router,
which filters Internet traffic to other internal systems
• A failure of the bastion host puts the entire trusted
network at risk
91. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - DMZ Networks and Screened
Subnet Architecture
• DMZ is “Demilitarized Zone” network
• Hosts that receive traffic from untrusted networks such as the Internet should
be placed on DMZ networks
• Designed with the assumption that any DMZ host may be compromised: the
DMZ is designed to contain the compromise, and prevent it from extending
into internal trusted networks
• Hosts on a DMZ should be hardened
92. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - DMZ Networks and Screened
Subnet Architecture
A “classic” DMZ uses two firewalls (shown below) - called a screened subnet
dual firewall design: two firewalls screen the DMZ subnet.
93. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - DMZ Networks and Screened
Subnet Architecture
A single-firewall DMZ uses one firewall (shown below) - sometimes called a
“three-legged” DMZ.
94. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Fundamental Firewall Designs - DMZ Networks and Screened
Subnet Architecture
• Single firewall design requires a firewall that can filter traffic on all interfaces:
untrusted, trusted, and DMZ
• Dual-firewall designs are more complex, but considered more secure
• The term “DMZ” alone implies a dual-firewall DMZ.
95. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Modem
• Modulator/Demodulator
• Binary data is modulated it into analog sound that can be carried on phone
networks designed to carry the human voice
• Receiving modem then demodulates the analog sound back into binary data
• Asynchronous devices: they do not operate with a clock signal
96. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
DTE/DCE and CSU/DSU
• DTE (Data Terminal Equipment) is a network “terminal”
• Any type of network-connected user machine, such as a desktop, server, or actual terminal
• DCE (Data Circuit-Terminating Equipment, or sometimes called Data Communications
Equipment)
• A device that networks DTEs, such as a router
• The most common use of these terms is DTE/DCE, and the meaning of each is more
specific:
• DCE marks the end of an ISP’s network, connecting to:
• Data Terminal Equipment (DTE), which is the responsibility of the customer
• The point where the DCE meets the DTE is called the demarc: the demarcation point, where the ISP’s responsibility ends, and the
customer’s begins
• The circuit carried via DCE/DTE is synchronous (it uses a clock signal)
• Both sides must synchronize to a clock signal, provided by the DCE
• The DCE device is a modem or a CSU/DSU (Channel Service Unit/Data Service Unit)
97. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Intrusion Detection Systems and Intrusion Prevention Systems
• Intrusion Detection System (IDS) is a detective device designed to detect
malicious (including policy-violating) actions
• Intrusion Prevention System (IPS) is a preventive device designed to prevent
malicious actions
• Two basic types of IDSs and IPSs: network-based and host-based.
Most of the examples reference IDSs, for simplicity. The
examples also apply to IPSs; the difference is the attacks are
detected by an IDS and prevented by an IPS.
98. CISSP Mentor Program Session #8
Domain 4: Communication and
Network Security
NIDS and NIPS
• Detects malicious traffic on a network
• Usually require promiscuous network access in
order to analyze all traffic, including all unicast
traffic
• Passive devices that do not interfere with the
traffic they monitor
• Difference between NIDS and NIPS is that the
NIPS alters the flow of network traffic
99. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
NIDS and NIPS
Two types of NIPS:
• Active response
• Architecturally, an active response NIPS is like NIDS
• Monitoring interface is read/write
• May “shoot down” malicious traffic via a variety of methods, including forging TCP RST segments to source or destination (or
both), or sending ICMP port, host, or network unreachable to source
• Inline
• “in line” with traffic
• Snort is a popular open-source NIDS and
• A false positive by NIPS is more damaging than the one by a NIDS: legitimate traffic is
denied
100. CISSP Mentor Program Session #8
Domain 4: Communication and Network
Security
HIDS and HIPS
• Host-based cousins to NIDS and NIPS
• Process information within a host
• A well-known HIDS is Tripwire
101. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Intrusion Detection and Prevention
Pattern Matching
• Works by comparing events to static signatures
• Works well for detecting known attacks
• Usually does poorly against new attacks
Protocol Behavior
• Models the way protocols should work, often by analyzing RFCs
• Also detects “stupid” (broken) traffic: applications designed by developers who do not read or follow
RFCs
Anomaly Detection
• Works by establishing a baseline of normal traffic
• Reports on traffic that fails to meet the baseline
• Can detect new attacks
• Challenge is establishing a baseline of “normal”.
102. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Honeypots
• A system designed to attract attackers
• Allows information security researchers and network defenders to better
analyze network-based attacks
• Honeynet is a (real or simulated) network of honeypots
• No production value beyond research
• Consult with legal staff before deploying a honeypot
• If an attacker compromises a honeypot, and then successfully penetrates further into a production network? Could the
attackers argue they were “invited” into the honeypot, and by extension the production network?
• What if an attacker penetrates a honeypot and then successfully uses it as a base to attack a third party?
103. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Honeypots
https://www.honeynet.org/
104. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network Attacks
• The original definition of a hacker is someone who uses technology in ways
the creators did not intend.
• There are countless network-based attacks
• Many of the attacks in the notes have been mitigated by newer or patched
operating systems
105. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network Attacks - TCP SYN Flood
• Common TCP denial of service attack
• Systems must keep track of any remote system that begins a TCP three-way
handshake; this is typically done via a half-open connection table
• If an attacker sends many SYNs, but never ACKs the resulting SYN/ACK (this
can easily be done by forging the SYN segments to come from IP addresses
with no live host), the victim’s half-open connection table will start to fill. If
the attack can exhaust that table, no new connections can be completed.
106. CISSP Mentor Program Session #8
Domain 4: Communication and
Network Security
Network Attacks - LAND Attack
• A single-packet denial-of-service
attack
• Example: An attacker forges a packet
from 192.0.2.221:80 to 192.0.2.221:80
(from the victim, port 80; to the
victim, port 80)
• Confuses the victim’s operating
system, sometimes crashing it
107. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network Attacks - Smurf and Fraggle attacks
• Smurf
• Denial-of-service attack relies on directed broadcast IP addresses
• An attacker pings a directed broadcast address on the Internet, with a source address
forged to be “from” the victim
• If 200 hosts respond to the attacker’s ICMP echo request, one packet will result in 200
ICMP echo replies to the victim
• Called an “asymmetric attack,” where the response traffic is far larger than the query
traffic
• Fraggle
• Based on the concepts used by Smurf
• Use UDP “echo” packets in place of ICMP
108. CISSP Mentor Program Session #8
Domain 4: Communication and Network Security
Network Attacks - Teardrop Attack
• Denial-of-service attack that relies on fragmentation reassembly
• An attacker sends multiple large overlapping IP fragments
• System may crash as it attempts to reassemble the bad fragments
109. Questions?
We made it through Class #8!
We’re almost through Domain 4: Communication and Network
Security
Homework for Tuesday (4/25)
◦ Finish reading Domain 4: Communication and Network Security – We
will get through the rest of this domain on Thursday (For real this
time!). Come with questions!
◦ Start reading Domain 5: Identity and Access Management
If you’re in MN, enjoy the great weather. Have a great weekend!