Table 3-1 Confidentiality, Integrity, and Availability Potential Impact Definitions

| CIA Tenet | Low | Moderate | High |
|---|---|---|---|
| Confidentiality | Unauthorized disclosure will have limited adverse effect on the organization. | Unauthorized disclosure will have serious adverse effect on the organization. | Unauthorized disclosure will have severe adverse effect on the organization. |
| Integrity | Unauthorized modification will have limited adverse effect on the organization. | Unauthorized modification will have serious adverse effect on the organization. | Unauthorized modification will have severe adverse effect on the organization. |
| Availability | Unavailability will have limited adverse effect on the organization. | Unavailability will have serious adverse effect on the organization. | Unavailability will have severe adverse effect on the organization. |
Table 5-12 Authentication Protocols

| Protocol | Advantages | Disadvantages | Guidelines/Notes |
|---|---|---|---|
| PAP | Simplicity | Password sent in cleartext | Do not use |
| CHAP | No passwords are exchanged; widely supported standard | Susceptible to dictionary and brute-force attacks against a captured challenge/response pair; the authenticator must store the cleartext secret in order to verify the response | Ensure complex passwords |
| MS-CHAP v1 | No passwords are exchanged; stronger password storage than CHAP (the server stores a hash rather than the cleartext secret) | Susceptible to dictionary and brute-force attacks; Microsoft-specific | Ensure complex passwords; if possible, use MS-CHAP v2 instead |
| MS-CHAP v2 | No passwords are exchanged; stronger password storage than CHAP; mutual authentication | Susceptible to dictionary and brute-force attacks; not supported on some legacy Microsoft clients; a captured exchange can be cracked offline because the response is built from DES operations on the NT hash, so password complexity alone does not protect it | Ensure complex passwords; run it only inside a TLS-protected tunnel (PEAP or EAP-TTLS) |
| EAP-MD5 CHAP | Supports password-based authentication; widely supported standard | Susceptible to dictionary and brute-force attacks; no mutual authentication and no key derivation, so it is unsuitable for wireless (802.1X/WPA-Enterprise) | Ensure complex passwords |
| EAP-TLS | The most secure form of EAP; uses certificates on the server and client; widely supported standard | Requires a PKI; more complex to configure | No known protocol weaknesses; certificate issuance and revocation must be managed |
| EAP-TTLS | TLS tunnel protects the inner authentication, approaching EAP-TLS security; only requires a certificate on the server; allows passwords on the client | Inner password exchange is exposed to dictionary and brute-force attacks if the client does not validate the server certificate (rogue access point); more complex to configure | Ensure complex passwords; configure clients to validate the server certificate and the issuing CA |
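The CHAP row says that no password crosses the wire yet the exchange is still open to offline dictionary attacks. The following added example (not code from the original text) runs one RFC 1994 CHAP round with both sides' messages and then attacks the captured challenge/response with a word list. The secrets, identifier and word list are constructed for the example.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(peer_secret: bytes, authenticator_secret: bytes,
                  identifier: int = 1, challenge: bytes = None):
    """Run one CHAP round. Returns (challenge, response, success).

    peer_secret is what the client knows; authenticator_secret is the server's
    stored copy. In a real deployment they are the same value, which is why the
    authenticator must hold the CLEARTEXT secret (a CHAP limitation).
    """
    # 1. Authenticator -> peer: a fresh random Challenge (must never be reused).
    if challenge is None:
        challenge = os.urandom(16)
    # 2. Peer -> authenticator: the Response. The secret itself never crosses the wire.
    response = chap_response(identifier, peer_secret, challenge)
    # 3. Authenticator recomputes the expected value and compares in constant time.
    expected = chap_response(identifier, authenticator_secret, challenge)
    return challenge, response, hmac.compare_digest(response, expected)


def offline_dictionary_attack(identifier: int, challenge: bytes, response: bytes, wordlist):
    """Anyone who sniffed the Challenge and Response can test candidates offline at
    raw MD5 speed; no further interaction with the authenticator is needed."""
    for word in wordlist:
        if chap_response(identifier, word, challenge) == response:
            return word
    return None


if __name__ == "__main__":
    # Constructed values for a demonstration run.
    challenge, response, ok = chap_exchange(b"winter2024", b"winter2024", identifier=7)
    print("authenticated:", ok)
    print("recovered secret:", offline_dictionary_attack(
        7, challenge, response, [b"password", b"summer2023", b"winter2024"]))
```

The attack only needs the three values an eavesdropper sees (Identifier, Challenge, Response); the "Ensure complex passwords" guideline is what makes the word list fail, and the fixed-secret check shows why CHAP secrets should be long random strings rather than user-chosen passwords.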
| Characteristic | RADIUS | TACACS+ |
|---|---|---|
| Transport protocol | Uses UDP, which may result in faster response | Uses TCP, which offers more information for troubleshooting |
| Confidentiality | Encrypts only the password in the access-request packet | Encrypts the entire body of the packet but leaves a standard TACACS+ header for troubleshooting |
| Authentication and authorization | Combines authentication and authorization | Separates authentication, authorization, and accounting processes |
| Supported layer 3 protocols | Does not support any of the following: | Supports all protocols |
| Devices | Does not support securing the available commands on routers and switches | Supports securing the available commands on routers and switches |
| Traffic | Creates less traffic | Creates more traffic |
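The confidentiality row is the one practitioners most often misread: RADIUS does not encrypt the Access-Request, it only hides the User-Password attribute. The added example below (not code from the original text) implements the RFC 2865 section 5.2 password-hiding scheme, TLV-encodes a User-Name and User-Password the way they appear on the wire, parses them back as a sniffer would, and shows the consequence: with a captured request and one known password, the NAS-to-server shared secret can be brute-forced offline. The user name, password, shared secret, candidate list and Request Authenticator are all constructed for the example.

```python
import hashlib

# Attribute type codes from RFC 2865.
USER_NAME = 1
USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, then c_i = p_i XOR MD5(secret || c_{i-1}),
    where c_0 is the 16-byte Request Authenticator from the packet header."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password; the server does exactly this on receipt."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(shared_secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request_attributes(username: bytes, password: bytes,
                                    shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """TLV-encode (type, length, value) just the two attributes that matter here."""
    hidden = hide_user_password(password, shared_secret, request_authenticator)
    attrs = b""
    for atype, value in ((USER_NAME, username), (USER_PASSWORD, hidden)):
        attrs += bytes([atype, len(value) + 2]) + value
    return attrs


def parse_attributes(attrs: bytes) -> dict:
    """What a sniffer sees: every attribute is readable; only User-Password is hidden."""
    result, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        result[atype] = attrs[i + 2:i + alen]
        i += alen
    return result


def crack_shared_secret(hidden: bytes, request_authenticator: bytes,
                        known_password: bytes, candidates) -> bytes:
    """An attacker who knows one user's password (for example, their own) and captured
    that user's Access-Request can test shared-secret guesses offline."""
    for guess in candidates:
        if reveal_user_password(hidden, guess, request_authenticator) == known_password:
            return guess
    return None
```

The Request Authenticator is sent in the clear in the packet header, so the only thing standing between a captured Access-Request and every user's password on that NAS is the entropy of the shared secret. Treat it as a key: long, random, unique per NAS, and ideally carried over RADIUS/TLS or IPsec.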
Table 5-14 Placement of Proxies

| Type | Placement |
|---|---|
| Circuit-level proxy | At the network edge |
| Application-level proxy | Close to the application server it is protecting |
| Kernel proxy firewall | Close to the systems it is protecting |
Table 5-15 Typical Placement of Firewall Types

| Type | Placement |
|---|---|
| Packet-filtering firewall | Located between subnets, which must be secured |
| Circuit-level proxy | At the network edge |
| Application-level proxy | Close to the application server it is protecting |
| Kernel proxy firewall | Close to the systems it is protecting |
| RAID Level | Minimum Number of Drives | Description | Strengths | Weaknesses |
|---|---|---|---|---|
| RAID 0 | 2 | Data striping without redundancy | Highest performance | No data protection; if one drive fails, all data is lost |
| RAID 1 | 2 | Disk mirroring | Very high performance; very high data protection; very minimal penalty on write performance | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required |
| RAID 3 | 3 | Byte-level data striping with a dedicated parity drive | Excellent performance for large, sequential data requests | Not well suited for transaction-oriented network applications; the single parity drive does not support multiple, simultaneous read and write requests |
| RAID 5 | 3 | Block-level data striping with distributed parity | Best cost/performance for transaction-oriented networks; very high performance and high data protection (survives one drive failure); supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests | Write performance is slower than with RAID 0 or RAID 1 because parity must be recomputed; the array is unprotected while a failed drive rebuilds |
| RAID 10 | 4 | Disk striping with mirroring | High data protection, which increases each time you add a new striped/mirror set | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required |
Table 5-19 Attacks and Mitigations

| Attack Type | Clues | Mitigation | Typical Sources |
|---|---|---|---|
| Authentication attacks | Multiple unsuccessful logon attempts | Alert sent and/or account disabled after 3 failed attempts | Active Directory, Syslog, RADIUS, TACACS+ |
| Firewall attacks | Multiple drop/reject/deny events from the same IP address | Alert sent on 15 or more of these events from a single IP address in a minute | Firewall, routers, switches |
| IPS/IDS attacks | Multiple drop/reject/deny events from the same IP address | Alert sent on 7 or more of these events from a single IP address in a minute | IPS, IDS |
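The three rows of Table 5-19 are threshold rules, and the difference between "3 failed attempts" (cumulative) and "15 events in a minute" (sliding window) matters when you implement them. The added example below (not code from the original text) runs those exact thresholds over constructed, syslog-like log lines and alerts once per offending account or source address. The log formats, host names and addresses are assumptions made for the example, not formats from any particular product.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds and the one-minute window come from Table 5-19. The regexes assume a
# constructed, syslog-like format: "<ISO timestamp> <source>: <message>".
RULES = {
    "auth_fail": dict(threshold=3, window=None,   # cumulative, keyed by account
                      pattern=re.compile(r"sshd: Failed password for (?P<key>\S+) from \S+")),
    "fw_deny":   dict(threshold=15, window=timedelta(minutes=1),   # keyed by source IP
                      pattern=re.compile(r"firewall: (?:DENY|DROP|REJECT) src=(?P<key>\S+)")),
    "ids_drop":  dict(threshold=7, window=timedelta(minutes=1),    # keyed by source IP
                      pattern=re.compile(r"ids: (?:DENY|DROP|REJECT) src=(?P<key>\S+)")),
}


def detect(lines):
    """Return (rule, key, timestamp) for each key that crosses its threshold.
    Each (rule, key) alerts once; later events for it are absorbed."""
    history = {name: defaultdict(deque) for name in RULES}
    alerted, alerts = set(), []
    for line in lines:
        ts_text, _, event = line.partition(" ")
        ts = datetime.fromisoformat(ts_text)
        for name, rule in RULES.items():
            match = rule["pattern"].search(event)
            if not match:
                continue
            key = match.group("key")
            seen = history[name][key]
            seen.append(ts)
            if rule["window"] is not None:
                # Sliding window: drop events older than the window before counting.
                while ts - seen[0] > rule["window"]:
                    seen.popleft()
            if len(seen) >= rule["threshold"] and (name, key) not in alerted:
                alerted.add((name, key))
                alerts.append((name, key, ts))
    return alerts


def sample_lines():
    """Constructed log lines for the example; not taken from any real system."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # 3 failures for alice -> alert; 2 for bob -> stays below the threshold.
    lines += [f"{at(i)} sshd: Failed password for alice from 203.0.113.5" for i in range(3)]
    lines += [f"{at(i)} sshd: Failed password for bob from 203.0.113.6" for i in range(2)]
    # 15 denies in 28 s from one address -> alert.
    lines += [f"{at(2 * i)} firewall: DENY src=198.51.100.7 dst=10.0.0.5 dport=445" for i in range(15)]
    # 15 denies spread over 140 s -> never 15 inside any one-minute window, no alert.
    lines += [f"{at(10 * i)} firewall: DENY src=198.51.100.8 dst=10.0.0.5 dport=22" for i in range(15)]
    # 7 IDS drops in 18 s -> alert at the IDS threshold.
    lines += [f"{at(3 * i)} ids: DROP src=192.0.2.9 sig=ET_SCAN_Nmap" for i in range(7)]
    # Collectors deliver events in time order; ISO timestamps sort lexically.
    return sorted(lines)


if __name__ == "__main__":
    for rule, key, ts in detect(sample_lines()):
        print(f"{ts.isoformat()} ALERT {rule} {key}")
```

A real pipeline would key firewall and IDS events on source address only after excluding your own scanners and monitoring hosts, and would expire the cumulative logon counter when the account is unlocked; both are policy decisions the table leaves to you.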
Table 5-20 Common TCP/UDP Port Numbers

| Application Protocol | Transport Protocol | Port Number |
|---|---|---|
| Telnet | TCP | 23 |
| SMTP | TCP | 25 |
| HTTP | TCP | 80 |
| SNMP | TCP and UDP | 161 and 162 |
| FTP | TCP and UDP | 20 and 21 |
| FTPS | TCP | 989 and 990 |
| SFTP | TCP | 22 |
| TFTP | UDP | 69 |
| POP3 | TCP and UDP | 110 |
| DNS | TCP and UDP | 53 |
| DHCP | UDP | 67 and 68 |
| SSH | TCP | 22 |
| LDAP | TCP and UDP | 389 |
| NetBIOS | TCP and UDP | 137, 138, and 139 |
| CIFS/SMB | TCP | 445 |
| NFSv4 | TCP | 2049 |
| SIP | TCP and UDP | 5060 |
| XMPP | TCP | 5222 |
| IRC | TCP and UDP | 194 |
| RADIUS | TCP and UDP | 1812 and 1813 |
| rlogin | TCP | 513 |
| rsh and RCP | TCP | 514 |
| IMAP | TCP | 143 |
| HTTPS | TCP and UDP | 443 |
| RDP | TCP and UDP | 3389 |
| AFP over TCP | TCP | 548 |
| Product | Number of Protection Profiles |
|---|---|
| Access control devices and systems | 3 |
| Biometric systems and devices | 2 |
| Boundary protection devices and systems | 11 |
| Data protection | 9 |
| Databases | 3 |
| ICs, smart cards, and smart card–related devices and systems | 70 |
| Key management systems | 4 |
| Mobility | 4 |
| Multi-function devices | 2 |
| Network and network-related devices and systems | 12 |
| Operating systems | 2 |
| Other devices and systems | 48 |
| Products for digital signatures | 19 |
| Trusted computing | 6 |
Table 6-2 Windows Audit Policies

| Audit Event | Potential Threat |
|---|---|
| Success and failure audit for file-access printers and object-access events, or print management success and failure audit of print access by suspect users or groups for the printers | Improper access to printers |
| Failure audit for logon/logoff | Password-guessing (brute-force) attack |
| Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges |
| Success audit for logon/logoff | Break-in with a stolen password |
| Success and failure write-access auditing for program files (.EXE and .DLL extensions), or success and failure auditing for process tracking | Virus outbreak |
| Success and failure audit for file-access and object-access events, or File Explorer success and failure audit of read/write access by suspect users or groups for the sensitive files | Improper access to sensitive files |
Table 6-3 Common UNIX/Linux-Based Shells

| Shell Name | Command | Description |
|---|---|---|
| tcsh | tcsh | Enhanced C shell (TENEX C shell) with command-line editing and completion |
| Bourne shell | sh | The most basic shell, available on all UNIX systems |
| C shell | csh | Similar to the C programming language in syntax |
| Korn shell | ksh/pdksh | Based on the Bourne shell, with enhancements |
| Bash shell | bash | Combines the advantages of the Korn shell and the C shell; the default on most Linux distributions |
| Variant | Access Control | Encryption | Integrity |
|---|---|---|---|
| WPA Personal | Preshared key | TKIP | Michael |
| WPA Enterprise | 802.1X (RADIUS) | TKIP | Michael |
| WPA2 Personal | Preshared key | CCMP (AES) | CCMP (CBC-MAC) |
| WPA2 Enterprise | 802.1X (RADIUS) | CCMP (AES) | CCMP (CBC-MAC) |
Table 9-1 Runtime Debugging Tools

| Tool | Operating Systems | Languages |
|---|---|---|
| AddressSanitizer | Linux, macOS (also Windows via Clang/MSVC) | C, C++ |
| Deleaker | Windows (Visual Studio) | C, C# |
| Software Verify | Windows | .NET, C, C++, Java, JavaScript, Lua, Python, Ruby |
| Record Type | Function |
|---|---|
| A | A host record that maps a single device name to an IPv4 address |
| AAAA | A host record that maps a single device name to an IPv6 address |
| CNAME | An alias record that maps an additional hostname to another hostname (the canonical name), which in turn has an A or AAAA record |
| NS | A name server record that names a DNS server authoritative for the zone; the server's address comes from its own A/AAAA record |
| MX | A mail exchanger record that names an email server for the domain, with a preference value; the server's address comes from its own A/AAAA record |
| SOA | A Start of Authority record that names the primary DNS server authoritative for a zone and carries the zone's serial number and timers (refresh, retry, expire, minimum TTL) |
| Black Box | Gray Box | White Box |
|---|---|---|
| Internal workings of the application are not known. | Internal workings of the application are somewhat known. | Internal workings of the application are fully known. |
| Also called closed-box, data-driven, and functional testing. | Also called translucent testing, as the tester has partial knowledge. | Also known as clear-box, structural, or code-based testing. |
| Performed by end users, testers, and developers. | Performed by end users, testers, and developers. | Performed by testers and developers. |
| Least time-consuming. | More time-consuming than black-box testing but less so than white-box testing. | Most exhaustive and time-consuming. |
Table 9-4 SOC Report Comparison

| Report Type | What It Reports On | Who Uses It |
|---|---|---|
| SOC 1 | Internal controls over financial reporting | User auditors and users' controller office |
| SOC 2 | Security, availability, processing integrity, confidentiality, or privacy controls | Management, regulators, and others; shared under non-disclosure agreement (NDA) |
| SOC 3 | Security, availability, processing integrity, confidentiality, or privacy controls | Publicly available to anyone |
Table 10-1 netstat Parameters

| Parameter | Description |
|---|---|
| -a | Displays all connections and listening ports. |
| -e | Displays Ethernet statistics. |
| -n | Displays addresses and port numbers in numeric form instead of using friendly names. |
| -s | Displays statistics categorized by protocol. |
| -p protocol | Shows connections for the specified protocol, either TCP or UDP. |
| -r | Displays the contents of the routing table. |

These are the Windows netstat parameters; on Linux, -p instead shows the owning process for each socket, and -e shows extended information.
Table 10-2 Sysinternals Security Utilities

| Tool | Use |
|---|---|
| AccessChk | Displays the access the user or group you specify has to files, Registry keys, or Windows services. |
| AccessEnum | Displays who has what access to directories, files, and Registry keys on your systems. |
| Autoruns | Displays programs that start up automatically when your system boots and you log in. |
| LogonSessions | Lists active logon sessions. |
| PsLoggedOn | Shows users logged on to a system. |
| SDelete | Overwrites sensitive files and cleanses free space of previously deleted files using this DoD-compliant secure delete program. |
| ShareEnum | Scans file shares on your network so you can view their security settings and close security holes. |
Table 15-1 Symmetric Algorithm Key Facts

| Algorithm Name | Block or Stream Cipher? | Key Size | Number of Rounds | Block Size |
|---|---|---|---|---|
| DES | Block | 64 bits (effective length 56 bits) | 16 | 64 bits |
| 3DES | Block | 56, 112, or 168 bits (keying options 3, 2, and 1; three-key 3DES has an effective strength of about 112 bits) | 48 | 64 bits |
| AES | Block | 128, 192, or 256 bits | 10, 12, or 14 (depending on key size) | 128 bits |
| IDEA | Block | 128 bits | 8 | 64 bits |
| Skipjack | Block | 80 bits | 32 | 64 bits |
| Blowfish | Block | 32 to 448 bits | 16 | 64 bits |
| Twofish | Block | 128, 192, or 256 bits | 16 | 128 bits |
| RC4 | Stream | 40 to 2,048 bits | Up to 256 | N/A |
| RC5 | Block | Up to 2,048 bits | Up to 255 | 32, 64, or 128 bits |
| RC6 | Block | Up to 2,048 bits | Up to 255 | 32, 64, or 128 bits |
Table 15-2 Forms of Encryption

| Type | Scope | Key Usage | Performance Impact | Limitations |
|---|---|---|---|---|
| Disk | Encrypts an entire volume or an entire disk | Single key per drive | Slows the boot and logon process | No encryption while data is in transit |
| File and record | Encrypts a single file | Single key per file | Slows opening of a file | No encryption while data is in transit |
| Port | Encrypts data in transit | Single key per packet | Slows network performance | No encryption while data is at rest |