• CCIE SEC Security General

    1. Policies - Security Policy Best Practices

    2. Information Security Standards (ISO 17799, ISO 27001, BS7799)

      1. Common Criteria (ISO/IEC 15408)

        1. Provides a security framework whereby...

          1. Users can specify what they want (Protection Profiles / Security Targets)

          2. Vendors can implement it

          3. Accredited labs can test the vendors' claims (Evaluation Assurance Levels, EAL1-7)

        2. Unified the earlier TCSEC (Orange Book), ITSEC and CTCPEC criteria; it is not derived from BS7799 (BS7799 is the ancestor of ISO 17799 / ISO 27001, not of Common Criteria)

      2. CIA

        1. Confidentiality

          1. Prevents unauthorized disclosure

          2. Implemented by encryption (plus access control)

        2. Integrity

          1. Prevents unauthorized modification of data

          2. Implemented by hashing algorithms; against an active attacker a keyed MAC or digital signature is needed, since anyone who can alter the data can also recompute a plain hash

        3. Availability

          1. Prevention of loss of access to data, i.e. ensuring it is available when needed

          2. Implemented by resiliency / redundancy & load balancing

      3. Security Policies

        1. Acceptable Use

        2. Ethics

        3. Information Sensitivity

        4. Email

      4. Security Wheel

      5. ISO 17799

        1. Renumbered ISO/IEC 27002 in 2007 (the code of practice: the catalogue of controls)

      6. ISO 27001

        1. The certifiable ISMS requirements standard (formerly BS7799 Part 2)

      7. BS7799

        1. The British Standard from which ISO 17799 (Part 1) and ISO 27001 (Part 2) were derived

    3. Standards Bodies

    4. Common RFCs

      1. RFC 1918

        1. Address Allocation for Private Internets (10/8, 172.16/12, 192.168/16): these must never appear as source addresses on the Internet, so filter them at the edge

      2. RFC 2827

        1. Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing (BCP 38)

      3. RFC 3330

        1. Special-Use IPv4 Addresses (0/8, 127/8, 169.254/16, 192.0.2/24, 224/4 etc.); later replaced by RFC 5735 and then RFC 6890

      4. RFC 2401

        1. Security Architecture for the Internet Protocol (IPsec); obsoleted by RFC 4301

    5. BCP 38

      1. Network Ingress Filtering (RFC 2827): a provider filters its customer-facing interfaces so that only packets whose source address falls within the customer's assigned prefix are accepted

        1. Linked to RFC2827

      2. RFC 3704 (BCP 84), Ingress Filtering for Multihomed Networks, updates it. From its abstract: BCP 38, RFC 2827, is designed to limit the impact of distributed denial of service attacks, by denying traffic with spoofed addresses access to the network, and to help ensure that traffic is traceable to its correct source network. As a side effect of protecting the Internet against such attacks, the network implementing the solution also protects itself from this and other attacks, such as spoofed management access to networking equipment. There are cases when this may create problems, e.g., with multihoming. This document describes the current ingress filtering operational mechanisms, examines generic issues related to ingress filtering, and delves into the effects on multihoming in particular. This memo updates RFC 2827.

        1. Linked to RFC3704

      3. The mechanisms RFC 3704 describes: ingress ACLs; strict uRPF (the best route back to the source must exit via the interface the packet arrived on); feasible-path uRPF (any installed alternative route counts); loose uRPF (some route to the source exists). Strict mode breaks with asymmetric multihomed routing, which is the problem the RFC addresses; loose mode only stops unrouted/bogon sources and lets most spoofing through
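      The three uRPF modes above, applied to sample packets on one router, as an added example (not part of the original notes and not Cisco code). The forwarding table, interface names, bogon list and sample packets are constructed: 198.51.100.0/24 is a multihomed customer reachable via two interfaces, so its best route points out only one of them, which is exactly the case that makes strict mode drop legitimate traffic.

```python
"""BCP 38 / RFC 3704 ingress filtering, modelled for a single router."""
import ipaddress

# Constructed FIB: prefix -> interfaces that reach it, best path first.
# 198.51.100.0/24 is a multihomed customer attached on both Gi0/2 and Gi0/3.
FIB = {
    ipaddress.ip_network("192.0.2.0/24"):    ["Gi0/1"],
    ipaddress.ip_network("198.51.100.0/24"): ["Gi0/2", "Gi0/3"],
    ipaddress.ip_network("0.0.0.0/0"):       ["Gi0/0"],          # default, towards the upstream
}

# Sources that can never legitimately arrive from a customer: RFC 1918 private
# space plus the RFC 3330 special-use blocks most relevant to ingress filtering.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def lookup(addr):
    """Longest-prefix match; returns (network, [interfaces]) or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(net, ifs) for net, ifs in FIB.items() if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None


def urpf(src, in_iface, mode):
    """Unicast reverse-path check in one of the RFC 3704 modes."""
    hit = lookup(src)
    if hit is None or hit[0].prefixlen == 0:
        return False                    # no real route back (a default route alone does not count)
    ifaces = hit[1]
    if mode == "strict":
        return ifaces[0] == in_iface    # best route must point back out the arrival interface
    if mode == "feasible":
        return in_iface in ifaces       # any installed alternative path is good enough
    if mode == "loose":
        return True                     # a route exists somewhere; asymmetry is tolerated
    raise ValueError(f"unknown uRPF mode {mode!r}")


def ingress_filter(src, in_iface, mode="strict"):
    """BCP 38 decision for one packet arriving on a customer-facing interface."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in BOGONS):
        return "drop:bogon"
    if not urpf(src, in_iface, mode):
        return "drop:rpf"
    return "forward"


if __name__ == "__main__":
    samples = [  # constructed (source address, arrival interface) pairs
        ("192.0.2.10", "Gi0/1"),     # customer A, from its own port
        ("192.0.2.10", "Gi0/2"),     # customer B's port spoofing A's address
        ("198.51.100.7", "Gi0/3"),   # multihomed B arriving on its second link
        ("10.0.0.5", "Gi0/1"),       # RFC 1918 source
        ("203.0.113.9", "Gi0/1"),    # matches only the default route
    ]
    for mode in ("strict", "feasible", "loose"):
        print(f"{mode:8}", [ingress_filter(s, i, mode) for s, i in samples])
```

      Strict mode drops the spoofed frame from B's port but also drops B's own traffic on its second link; feasible-path mode accepts both of B's links and still stops the spoof; loose mode lets the spoofed 192.0.2.10 through because a route to it exists somewhere, which is why loose mode is only a bogon filter.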

    6. Attacks, Vulnerabilities and Common Exploits - recon, scan, priv escalation, penetration, cleanup, backdoor

      1. Spanning Tree Attacks

        1. Attacker sends crafted BPDUs claiming a superior (lower) bridge priority to become the root bridge

        2. Can be used for further sniffing (traffic now transits the attacker's links) or DoS (constant topology changes); mitigated with BPDU Guard on access ports and Root Guard on designated ports

      2. MAC / CAM flood attacks

        1. Attacker sends frames with thousands of random source MAC addresses (e.g. macof) to fill the switch's CAM table

        2. Once the CAM is full, legitimate MACs that age out cannot be re-learnt, so the switch floods frames for those destinations out every port like a hub and the attacker can sniff them; mitigated with port security (maximum MACs per port)
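      A toy learning switch that shows the mechanism, as an added example (not part of the original notes, not vendor code): a bounded CAM table with 300-second aging, a server that falls silent for longer than the aging time while the attacker keeps the table full, and an optional per-port MAC limit standing in for port security. MAC addresses, port numbers and the table size are constructed.

```python
"""Learning switch with a bounded, aging CAM table and optional port security."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports, cam_size, age_limit=300, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_size = cam_size
        self.age_limit = age_limit          # seconds an idle entry survives (Cisco default 300)
        self.max_macs = max_macs_per_port   # None = no port security
        self.cam = {}                       # mac -> (port, last_seen)
        self.err_disabled = set()
        self.now = 0

    def _age_out(self):
        for mac in [m for m, (_, seen) in self.cam.items() if self.now - seen > self.age_limit]:
            del self.cam[mac]

    def forward(self, src_mac, dst_mac, in_port, dt=1):
        """Advance the clock by dt seconds, process one frame, return its egress ports."""
        self.now += dt
        self._age_out()
        if in_port in self.err_disabled:
            return []
        if self.max_macs is not None:
            on_port = {m for m, (p, _) in self.cam.items() if p == in_port}
            if src_mac not in on_port and len(on_port) >= self.max_macs:
                self.err_disabled.add(in_port)     # port-security violation: shut the port
                return []
        if src_mac in self.cam or len(self.cam) < self.cam_size:
            self.cam[src_mac] = (in_port, self.now)  # learn or refresh; a full table learns nothing new
        hit = self.cam.get(dst_mac)
        if hit is None or dst_mac == BROADCAST:
            # unknown destination: flood out every other live port, exactly like a hub
            return [p for p in self.ports if p != in_port and p not in self.err_disabled]
        return [hit[0]]


def attacker_mac(i):
    """Deterministic locally-administered MAC for the i-th flood frame (constructed)."""
    return f"02:00:00:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}"


def mac_flood_demo(port_security=None, flood_frames=400):
    """Return where an A->server frame goes before and after the flood."""
    HOST_A, SERVER = "00:00:5e:00:53:0a", "00:00:5e:00:53:53"     # constructed
    A_PORT, S_PORT, ATK_PORT = 1, 2, 3
    sw = Switch(ports=[1, 2, 3, 4], cam_size=64, max_macs_per_port=port_security)
    sw.forward(HOST_A, SERVER, A_PORT)            # A learnt on port 1
    before = sw.forward(SERVER, HOST_A, S_PORT)   # server learnt on port 2; reply goes only to port 1
    for i in range(flood_frames):                 # one frame per second, longer than the aging time
        sw.forward(attacker_mac(i), attacker_mac(i + 1), ATK_PORT)
    sw.forward(SERVER, HOST_A, S_PORT)            # server speaks again: can it get back into the CAM?
    after = sw.forward(HOST_A, SERVER, A_PORT)
    return {"before": before, "after": after,
            "cam_entries": len(sw.cam), "err_disabled": sorted(sw.err_disabled)}


if __name__ == "__main__":
    print("no port security:", mac_flood_demo())
    print("port-security max 2:", mac_flood_demo(port_security=2))
```

      Without port security the server's entry ages out while the attacker's junk keeps all 64 slots, so it cannot be re-learnt and the A-to-server frame is flooded to ports 2, 3 and 4, including the attacker's. With a two-MAC limit the attacker's port is err-disabled on its third frame and the frame stays unicast.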

      3. Reconnaissance Attacks

        1. Sniffing

          1. Capturing Packets of Clear Text Protocols

        2. Port Scans

        3. Ping Sweeps

        4. Internet Info Queries

          1. DNS / WHOIS lookups

          2. Google

      4. Access Attacks

        1. Password Cracking / Attacking

          1. Dictionary Attack

          2. Brute Force Guessing

          3. Rainbow tables

        2. Trust Exploitation

        3. Buffer Overflow

          1. When data written to a memory buffer, due to insufficient bounds checking, overruns the buffer and corrupts data values (or a saved return address) in adjacent memory

            1. Bounds Checking: verifying that data fits within the buffer before storing it

        4. VLAN Hopping

          1. Switch Spoofing

            1. i.e. connecting to a switch as a trunk port when the port should be a user (access) port

            2. not an exploit as such: if DTP auto-negotiation is left on ("dynamic auto" / "dynamic desirable"), the user's port can negotiate a trunk and "hop" out of the user VLAN into any VLAN; fix with "switchport mode access" and "switchport nonegotiate"

          2. Double Tagging

            1. Attacker sends double-encapsulated 802.1Q frames to the switch: outer tag = the trunk's native VLAN (which must also be the attacker's access VLAN), inner tag = the target VLAN

            2. The first switch strips the outer tag (native VLAN frames leave the trunk untagged) and forwards the frame; the second switch reads the now-exposed inner tag and delivers it into the target VLAN

            3. Only uni-directional traffic, as the victim won't double tag response frames

            4. Very old exploit; defeated by using an unused VLAN as the native VLAN (never a user VLAN) or by tagging the native VLAN ("vlan dot1q tag native")
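            The double-tagging path modelled frame by frame, as an added example (not from the original notes): a minimal 802.1Q frame builder/parser and the three hops a frame takes (access-port ingress on switch 1, trunk egress, trunk ingress on switch 2). Whether the attack lands depends only on whether the attacker's access VLAN is the trunk's native VLAN and whether the native VLAN is tagged, which is what the two mitigations change. MAC addresses and VLAN numbers are constructed.

```python
"""802.1Q double-tagging, modelled frame by frame across two switches."""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst, src, vids, payload, ethertype=ETHERTYPE_IPV4):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    hdr = dst + src
    for vid in vids:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)   # PCP/DEI bits left at zero
    return hdr + struct.pack("!H", ethertype) + payload


def split_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src, off, vids = frame[:6], frame[6:12], 12, []
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return dst, src, vids, ethertype, frame[off + 2:]


def access_ingress(frame, access_vlan):
    """Access port: untagged frames belong to access_vlan; a frame tagged with the port's own
    VLAN is accepted and the redundant tag popped; any other tag is dropped. -> (vlan, frame) | None"""
    dst, src, vids, et, payload = split_frame(frame)
    if not vids:
        return access_vlan, frame
    if vids[0] == access_vlan:
        return access_vlan, build_frame(dst, src, vids[1:], payload, et)
    return None


def trunk_egress(vlan, frame, native_vlan, tag_native=False):
    """Trunk transmit: push the VLAN tag, except that the native VLAN goes out untagged
    (unless 'vlan dot1q tag native' is configured)."""
    if vlan == native_vlan and not tag_native:
        return frame                                   # whatever tag was inside is now outermost
    dst, src, vids, et, payload = split_frame(frame)
    return build_frame(dst, src, [vlan] + vids, payload, et)


def trunk_ingress(frame, native_vlan):
    """Trunk receive: outermost tag selects the VLAN; untagged frames land in the native VLAN."""
    dst, src, vids, et, payload = split_frame(frame)
    if vids:
        return vids[0], build_frame(dst, src, vids[1:], payload, et)
    return native_vlan, frame


def double_tag_attack(access_vlan, outer_tag, native_vlan, target_vlan, tag_native=False):
    """Attacker on an access port in access_vlan sends [outer_tag, target_vlan]; return the
    VLAN the frame is delivered into on the second switch, or None if it is dropped."""
    attacker = bytes.fromhex("020000000001")           # constructed locally-administered MAC
    frame = build_frame(b"\xff" * 6, attacker, [outer_tag, target_vlan], b"spoofed payload")
    accepted = access_ingress(frame, access_vlan)
    if accepted is None:
        return None
    vlan, frame = accepted
    on_wire = trunk_egress(vlan, frame, native_vlan, tag_native)   # switch 1 -> switch 2
    delivered_vlan, _ = trunk_ingress(on_wire, native_vlan)
    return delivered_vlan


if __name__ == "__main__":
    print("user in native VLAN 1, target 20:", double_tag_attack(1, 1, 1, 20))
    print("same, native VLAN tagged:", double_tag_attack(1, 1, 1, 20, tag_native=True))
    print("user VLAN 10, native 99:", double_tag_attack(10, 10, 99, 20))
```

            Only the first case reaches VLAN 20: the outer tag is popped as redundant on the access port, the trunk sends native-VLAN traffic untagged, and switch 2 trusts the exposed inner tag. Tagging the native VLAN or moving users off it leaves the frame in the attacker's own VLAN.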

        5. Port Redirection

        6. Man in the Middle Attacks

          1. Attacker already on the path sniffs and can alter packets in transit

          2. Attacker off the path first redirects traffic to itself (e.g. ARP spoofing, rogue DHCP, ICMP redirects)

        7. IP Spoofing

          1. IP is connectionless, so nothing checks that a source address is genuine; the only protection in TCP is the sequence number the attacker does not know

          2. Non-Blind Spoofing

            1. Attacker on the same segment "sniffs" the sequence numbers

          3. Blind Spoofing

            1. Attacker off the segment predicts the sequence numbers (feasible only if the victim's initial sequence numbers are predictable)

      5. Malware

        1. Worm

        2. Virus

        3. Spyware

        4. Trojan

      6. DHCP Server Spoofing

        1. Malicious user replies to DHCP DISCOVER broadcasts with a lease pointing at an attacker-controlled default gateway / DNS server

        2. ..has to either respond quicker than the legitimate server or exhaust the legitimate server's pool first

      7. DHCP Starvation Attack

        1. Attacker requests leases with many spoofed client MACs until the pool is empty

        2. Either as a prelude to server spoofing (above) or purely as a DoS; both mitigated by DHCP snooping (trusted server ports, per-port rate limits)

      8. Denial of Service

        1. DoS

        2. DDoS - Distributed Denial of Service

        3. TCP SYN Flood: spoofed SYNs fill the listener's half-open connection backlog so legitimate SYNs are dropped; countered with SYN cookies (stateless SYN-ACK) or TCP Intercept on the router

        4. BotNets
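      The SYN flood against a backlog-based listener next to the SYN-cookie defence, as an added example (not part of the original notes, not any kernel's code). The cookie follows the layout Bernstein described (5 bits of coarse time, 3 bits of MSS index, 24 bits of keyed hash) using HMAC-SHA256 over the connection 4-tuple; it is a model of the idea, not a drop-in TCP stack. Addresses, ports, the secret and the clock are constructed.

```python
"""SYN flood against a stateful listener, and the stateless SYN-cookie answer."""
import hashlib
import hmac


class StatefulListener:
    """Classic listener: each SYN reserves a half-open slot until its ACK arrives (or times out)."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}                 # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.half_open) >= self.backlog:
            return None                     # backlog exhausted: SYN dropped, no SYN-ACK sent
        isn = 0x10000000 + len(self.half_open)   # constructed ISN, not cryptographic
        self.half_open[(src_ip, src_port)] = isn
        return isn

    def on_ack(self, src_ip, src_port, ack):
        isn = self.half_open.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookieListener:
    """Stateless listener: the SYN-ACK's ISN is a MAC over the 4-tuple and a coarse timestamp,
    so a correct ACK proves the peer really received the SYN-ACK at that source address."""

    def __init__(self, secret, now):
        self.secret = secret
        self.now = now                      # coarse clock ticks (Linux uses 64 s ticks)

    def _cookie(self, src_ip, src_port, dst_ip, dst_port, t, mss_idx):
        msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{t}".encode()
        mac = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:3], "big")
        # layout: 5 bits of t | 3-bit MSS index | 24-bit MAC
        return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | mac

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, mss_idx=2):
        return self._cookie(src_ip, src_port, dst_ip, dst_port, self.now, mss_idx)  # stores nothing

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack, max_age=4):
        """Return the encoded MSS index if the cookie verifies and is at most max_age ticks old."""
        isn = (ack - 1) & 0xFFFFFFFF
        t_low, mss_idx = isn >> 27, (isn >> 24) & 0x7
        for age in range(max_age):
            t = self.now - age
            if t & 0x1F == t_low and self._cookie(src_ip, src_port, dst_ip, dst_port, t, mss_idx) == isn:
                return mss_idx
        return None


def syn_flood_demo(backlog=128, spoofed_syns=1000):
    SERVER, PORT, VICTIM = "203.0.113.1", 80, ("192.0.2.10", 51515)   # constructed addresses
    stateful = StatefulListener(backlog)
    for i in range(spoofed_syns):                 # spoofed sources never complete the handshake
        stateful.on_syn(f"198.51.100.{i % 250}", 40000 + i)
    legit_isn = stateful.on_syn(*VICTIM)          # None: no room left for a real client

    cookies = SynCookieListener(secret=b"constructed-demo-secret", now=1000)
    for i in range(spoofed_syns):
        cookies.on_syn(f"198.51.100.{i % 250}", 40000 + i, SERVER, PORT)   # nothing to remember
    c = cookies.on_syn(*VICTIM, SERVER, PORT)
    cookies.now += 1                              # the real client answers one tick later
    valid = cookies.on_ack(*VICTIM, SERVER, PORT, ack=(c + 1) & 0xFFFFFFFF)
    forged = cookies.on_ack(*VICTIM, SERVER, PORT, ack=0xDEADBEEF)
    cookies.now += 10
    stale = cookies.on_ack(*VICTIM, SERVER, PORT, ack=(c + 1) & 0xFFFFFFFF)
    return {
        "half_open": len(stateful.half_open),
        "stateful_accepts_legit_syn": legit_isn is not None,
        "cookie_valid_ack": valid is not None,
        "cookie_forged_ack": forged is not None,
        "cookie_stale_ack": stale is not None,
    }


if __name__ == "__main__":
    print(syn_flood_demo())
```

      The stateful listener is full after 128 spoofed SYNs and turns the real client away; the cookie listener keeps no state per SYN, accepts the genuine ACK, rejects a forged ACK and rejects a replayed cookie once it has aged out of the window. The price is that TCP options not encoded in the cookie (window scale, SACK) are lost when cookies are in use, which is why stacks enable them only under backlog pressure.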

      9. Vulnerability

        1. a weakness in a system

        2. examples

          1. application bugs

          2. poor passwords

      10. Exploit

        1. Something that takes advantage of a Vulnerability

      11. Hacking Lifecycle

    7. Security Audit & Validation

      1. CVE

        1. Common Vulnerabilities and Exposures

        2. a dictionary of publicly-known information security vulnerabilities and exposures

    8. Risk Assessment

      1. Qualitative

        1. No figures: likelihood and potential loss are rated on relative scales (e.g. high / medium / low)

        2. Components....

          1. Threats

            1. Things that "can go wrong" or "attacks"

            2. e.g. Fire, Fraud

          2. Vulnerabilities

            1. Weaknesses or things that make a threat more likely or more damaging

            2. e.g. paper stored in the building = FIRE

          3. Controls

            1. Countermeasures for threats & vulnerabilities

              1. Deterrent

                1. Reduces the probability of the attack being attempted

              2. Preventative

                1. Stops the attack succeeding if it is attempted

              3. Corrective

                1. Reduces the impact / restores service after the event (e.g. backups)

              4. Detective

                1. Discovers the event if it happens

                2. May trigger Corrective

      2. Quantitative

        1. A risk calculation based on figures

        2. The probability of an event and the estimated cost if it does occur

          1. The outputs of this....

            1. ALE Annual Loss Expectancy = SLE x ARO, where SLE (Single Loss Expectancy) = asset value x exposure factor and ARO is the Annualised Rate of Occurrence

            2. EAC Estimated Annual Cost

        3. + A number is generated and risks can easily be ranked by importance; a control is justified when its annual cost is less than the ALE it removes

        4. - Probability is rarely accurate / precise; an incorrect calculation can promote complacency

    9. Change Management Process

    10. Incident Response Framework

    11. Computer Security Forensics

      1. Chain of Evidence (chain of custody: who held each item, when, and what was done to it, so it remains admissible)


    Added: 2009-01-23 03:39:01

    From: linickx (Joined 2008-12-15 05:32:23)
