Table 3-1 Confidentiality, Integrity, and Availability Potential Impact Definitions

| CIA Tenet | Low | Moderate | High |
|---|---|---|---|
| | Unauthorized disclosure will have limited adverse effect on the organization. | Unauthorized disclosure will have serious adverse effect on the organization. | |
| Integrity | | Unauthorized modification will have serious adverse effect on the organization. | Unauthorized modification will have severe adverse effect on the organization. |
| Availability | Unavailability will have limited adverse effect on the organization. | | Unavailability will have severe adverse effect on the organization. |
Table 5-12 Authentication Protocols

| Protocol | Advantages | Disadvantages | Guidelines/Notes |
|---|---|---|---|
| | Simplicity | Password sent in cleartext | Do not use |
| CHAP | | Susceptible to dictionary and brute-force attacks | Ensure complex passwords |
| MS-CHAP v1 | No passwords are exchanged; stronger password storage than CHAP | | |
| MS-CHAP v2 | No passwords are exchanged; stronger password storage than CHAP; mutual authentication | Susceptible to dictionary and brute-force attacks; supported only on Microsoft devices; not supported on some legacy Microsoft clients | Ensure complex passwords |
| EAP-MD5 CHAP | | | Ensure complex passwords |
| EAP-TLS | | Requires a PKI; more complex to configure | |
| EAP-TTLS | As secure as EAP-TLS; only requires a certificate on the server; allows passwords on the client | | Ensure complex passwords |
| Characteristic | RADIUS | TACACS+ |
|---|---|---|
| | Uses UDP, which may result in faster response | |
| Confidentiality | | Encrypts the entire body of the packet but leaves a standard TACACS+ header for troubleshooting |
| Authentication and authorization | Combines authentication and authorization | |
| | Does not support any of the following: | |
| Devices | | Supports securing the available commands on routers and switches |
| Traffic | Creates less traffic | Creates more traffic |
Table 5-14 Placement of Proxies

| Type | Placement |
|---|---|
| | At the network edge |
| Application-level proxy | |
| Kernel proxy firewall | |
Table 5-15 Typical Placement of Firewall Types

| Type | Placement |
|---|---|
| | Located between subnets, which must be secured |
| Circuit-level proxy | |
| | |
| Kernel proxy firewall | Close to the systems it is protecting |
| RAID Level | Minimum Number of Drives | Description | Strengths | Weaknesses |
|---|---|---|---|---|
| | 2 | Data striping without redundancy | | No data protection; if one drive fails, all data is lost |
| RAID 1 | 2 | | Very high performance; very high data protection; very minimal penalty on write performance | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required |
| RAID 3 | 3 | Byte-level data striping with a dedicated parity drive | Excellent performance for large, sequential data requests | |
| RAID 5 | | | Best cost/performance for transaction-oriented networks; very high performance and very high data protection; supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests | Write performance is slower than with RAID 0 or RAID 1 |
| | | Disk striping with mirroring | High data protection, which increases each time you add a new striped/mirror set | High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required |
Table 5-19 Attacks and Mitigations

| Attack Type | Clues | Mitigation | Typical Sources |
|---|---|---|---|
| | Multiple unsuccessful logon attempts | Alert sent and/or disabling after 3 failed attempts | |
| Firewall attacks | | Alert sent on 15 or more of these events from a single IP address in a minute | |
| IPS/IDS attacks | Multiple drop/reject/deny events from the same IP address | | |
Table 5-20 Common TCP/UDP Port Numbers

| Application Protocol | Transport Protocol | Port Number |
|---|---|---|
| | TCP | 23 |
| SMTP | | 25 |
| HTTP | TCP | 80 |
| | TCP and UDP | |
| FTP | | 20 and 21 |
| FTPS | TCP | 989 and 990 |
| SFTP | TCP | 22 |
| | UDP | 69 |
| POP3 | | |
| DNS | TCP and UDP | 53 |
| DHCP | | 67 and 68 |
| | TCP | 22 |
| LDAP | TCP and UDP | 389 |
| NetBIOS | TCP and UDP | |
| | TCP | 445 |
| NFSv4 | TCP | 2049 |
| SIP | TCP and UDP | 5060 |
| | TCP | 5222 |
| IRC | TCP and UDP | 194 |
| | TCP and UDP | |
| rlogin | TCP | 513 |
| rsh and RCP | TCP | 514 |
| | | 143 |
| HTTPS | TCP and UDP | 443 |
| RDP | | |
| AFP over TCP | TCP | 548 |
| Product | Number of Protection Profiles |
|---|---|
| | 3 |
| Biometric systems and devices | 2 |
| Boundary protection devices and systems | |
| Data protection | 9 |
| | 3 |
| ICs, smart cards, and smart card–related devices and systems | |
| Key management systems | 4 |
| | 4 |
| | 2 |
| Network and network-related devices and systems | |
| Operating systems | 2 |
| Other devices and systems | |
| Products for digital signatures | 19 |
| | 6 |
Table 6-2 Windows Audit Policies

| Audit Event | Potential Threat |
|---|---|
| Success and failure audit for file-access printers and object-access events, or print management success and failure audit of print access by suspect users or groups for the printers | |
| Failure audit for logon/logoff | |
| Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges |
| | Stolen password break-in |
| Success and failure write access auditing for program files (.EXE and .DLL extensions), or success and failure auditing for process tracking | Virus outbreak |
| Success and failure audit for file-access and object-access events, or File Explorer success and failure audit of read/write access by suspect users or groups for the sensitive files | |
Table 6-3 Common UNIX/Linux-Based Shells

| Shell Name | Command | Description |
|---|---|---|
| | tcsh | Similar to the C shell |
| Bourne shell | | The most basic shell available on all UNIX systems |
| | csh | |
| Korn shell | | Based on the Bourne shell, with enhancements |
| Bash shell | bash | |
| Variant | Access Control | Encryption | Integrity |
|---|---|---|---|
| | Preshared key | TKIP | |
| WPA Enterprise | 802.1X (RADIUS) | | |
| WPA2 Personal | | | CCMP |
| | 802.1X (RADIUS) | | CCMP |
Table 9-1 Runtime Debugging Tools

| Tool | Operating Systems | Languages |
|---|---|---|
| | Linux, Mac | C, C# |
| | Windows (Visual Studio) | C, C# |
| | Windows | .Net, C, C#, Java, JavaScript, Lua, Python, Ruby |
| Record Type | Function |
|---|---|
| | A host record that represents the mapping of a single device to an IPv4 address |
| | A host record that represents the mapping of a single device to an IPv6 address |
| | An alias record that represents an additional hostname mapped to an IPv4 address that already has an A record mapped |
| | A name server record that represents a DNS server mapped to an IPv4 address |
| | A mail exchanger record that represents an email server mapped to an IPv4 address |
| | A Start of Authority record that represents a DNS server that is authoritative for a DNS namespace |
| | | |
|---|---|---|
| Internal workings of the application are not known. | Internal workings of the application are somewhat known. | Internal workings of the application are fully known. |
| Also called closed-box, data-driven, and functional testing. | Also called translucent testing, as the tester has partial knowledge. | Also known as clear-box, structural, or code-based testing. |
| Performed by end users, testers, and developers. | Performed by end users, testers, and developers. | Performed by testers and developers. |
| Least time-consuming. | More time-consuming than black-box testing but less so than white-box testing. | Most exhaustive and time-consuming. |
Table 9-4 SOC Report Comparison

| Report Type | What It Reports On | Who Uses It |
|---|---|---|
| | Internal controls over financial reporting | User auditors and users’ controller office |
| | Security, availability, processing integrity, confidentiality, or privacy controls | Management, regulators, and others; shared under non-disclosure agreement (NDA) |
| | Security, availability, processing integrity, confidentiality, or privacy controls | Publicly available to anyone |
| Parameter | Description |
|---|---|
| | Displays all connections and listening ports. |
| | Displays Ethernet statistics. |
| | Displays addresses and port numbers in numeric form instead of using friendly names. |
| | Displays statistics categorized by protocol. |
| | Shows connections for the specified protocol, either TCP or UDP. |
| | Displays the contents of the routing table. |
Table 10-2 Sysinternals Security Utilities

| Tool | Use |
|---|---|
| AccessChk | |
| | Displays who has what access to directories, files, and Registry keys on your systems. |
| Autoruns | |
| | Lists active logon sessions. |
| PsLoggedOn | |
| | Overwrites sensitive files and cleanses free space of previously deleted files using this DoD-compliant secure delete program. |
| ShareEnum | |
Table 15-1 Symmetric Algorithm Key Facts

| Algorithm Name | Block or Stream Cipher? | Key Size | Number of Rounds | Block Size |
|---|---|---|---|---|
| DES | Block | | 16 | 64 bits |
| 3DES | Block | | 48 | |
| AES | Block | 128, 192, or 256 bits | | 128 bits |
| IDEA | Block | | 8 | 64 bits |
| | Block | 80 bits | 32 | 64 bits |
| Blowfish | Block | 32 to 448 bits | | |
| Twofish | Block | | 16 | 128 bits |
| RC4 | | | Up to 256 | N/A |
| RC5 | Block | Up to 2,048 bits | | 32, 64, or 128 bits |
| RC6 | | Up to 2,048 bits | Up to 255 | |
Table 15-2 Forms of Encryption

| Type | Scope | Key Usage | Performance Impact | Limitations |
|---|---|---|---|---|
| Disk | | Single key per drive | Slows the boot and logon process | |
| File and record | | Single key per file | | No encryption while data is in transit |
| Port | | | Slows network performance | |