I delivered a speech at OWASP Romania InfoSec Conference 2013 in Bucharest (I took part in the organization of the event as well).
Tag: security
Password policies in Windows
To open the password policy in Windows, go to Start, type secpol.msc in the search box and click on secpol; the Local Security Policy console opens.
Go to Account Policies, then click on Password Policy.
The options, explained:
- History – how many previous passwords Windows remembers (none of these passwords can be reused)
- Complexity requirements – if enabled, the Windows complexity requirement states that a password must be at least 6 characters long, must not contain the username, and must contain at least 3 of the 4 character types ([a-z], [A-Z], [0-9], special characters)
- Minimum length – this overrides the length implied by the previous setting
- Store passwords using reversible encryption – self explanatory; note that if the key used for encryption is lost to an attacker, the passwords can be retrieved
- Maximum age – how long (in days) until the user is forced to change the password
- Minimum age – very interesting option! If left at 0, a user can change the password as many times as they like in one day. The problem shows up in conjunction with History: if History is set to 5, a user can change the password 6 times in one day and end up reusing the original password.
More information on: http://windows.microsoft.com/en-au/windows-vista/change-password-policy-settings
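As an added example (not part of the original post), the following PowerShell exports the effective local policy with secedit and flags the weak combinations discussed above; the temporary file path and the "weak" thresholds are my assumptions.

```powershell
# Added example: audit the local password policy via secedit (run from an elevated prompt).
# The export path below is an assumption; adjust it to taste.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse the [System Access] section of the exported INI into key = value pairs.
$policy    = @{}
$inSection = $false
foreach ($line in Get-Content -Path $cfg -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Missing keys default to 0 so the casts below never fail.
function Get-PolicyInt([string]$Name) { if ($policy.ContainsKey($Name)) { [int]$policy[$Name] } else { 0 } }
$history = Get-PolicyInt 'PasswordHistorySize'
$minAge  = Get-PolicyInt 'MinimumPasswordAge'
$maxAge  = Get-PolicyInt 'MaximumPasswordAge'   # -1 means "never expires"
$minLen  = Get-PolicyInt 'MinimumPasswordLength'

"History: $history  MinAge: $minAge  MaxAge: $maxAge  MinLen: $minLen  Complexity: $(Get-PolicyInt 'PasswordComplexity')  Reversible: $(Get-PolicyInt 'ClearTextPassword')"

# The History / Minimum age interaction from the post: with Minimum age 0 a user can
# cycle History+1 changes in one sitting and land back on the original password.
if ($history -gt 0 -and $minAge -eq 0) {
    Write-Warning "History is $history but Minimum age is 0: the history can be exhausted in $($history + 1) quick changes."
}
if ((Get-PolicyInt 'ClearTextPassword') -eq 1) { Write-Warning 'Store passwords using reversible encryption is enabled.' }
if ((Get-PolicyInt 'PasswordComplexity') -ne 1) { Write-Warning 'Complexity requirements are disabled.' }
if ($maxAge -eq -1) { Write-Warning 'Maximum age is set to never expire.' }
```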
ISO ISMS history
The ISO is developing a new series of security standards, the first of which is ISO 27001, Information Technology—Security Techniques— Information Security Management Systems—Requirements. ISO 27001 replaces British Standard (BS) 7799, Part 2. BS 7799, Part 1 evolved into ISO 17799, Information Technology—Security Techniques—Code of Practice for Information Security Management and is now known as ISO 27002. Definitive plans are not yet available; however, tentative plans for additional ISO security standards in the 27000 numbering series include ISO 27003, covering security implementation guidance; ISO 27004, for metrics and measurements; and ISO 27005, covering risk management.
CISSP CBK 10 – Physical Security
Physical Security Controls
Types of controls:
– Administrative controls
  – Facility selection or construction
  – Facility management
  – Personnel controls
  – Training
  – Emergency response and procedures
– Technical controls
  – Access controls
  – Intrusion detection
  – Alarms
  – Monitoring (CCTV)
  – Heating, ventilation and air conditioning (HVAC)
  – Power supply
  – Fire detection and suppression
  – Backups
– Physical controls
  – Fencing
  – Locks
  – Lighting
  – Facility construction materials
CISSP CBK 7 – Operations Security
Controls and Protections
To protect hardware, software and media resources from:
– Threats in an operating environment
– Internal or external intruders
– Operators who are inappropriately accessing resources
Categories of Controls:
– Preventative Controls: Are designed to lower the amount and impact of unintentional errors entering the system and to prevent unauthorized intruders, internal or external, from accessing the system.
– Detective Controls: Are used to detect an error once it has occurred.
– Corrective Controls / Recovery Controls: Are implemented to mitigate the impact of a loss event through data recovery procedures.
– Deterrent Controls / Directive Controls: Are used to encourage compliance with external controls.
– Application Controls: Are the controls that are designed into a software application to minimize and detect the software’s operational irregularities.
– Transaction Controls: Are used to provide control over the various stages of a transaction. Types of controls are: Input, processing, output, change and test controls.
CISSP CBK 6 – Security Architecture & Models
Security Model
A statement that outlines the requirements necessary to properly support a certain security policy.
Computer Architecture
CPU – Central Processing Unit: Is a microprocessor. Contains a control unit, an ALU / Arithmetic Logic Unit and primary storage. The primary storage unit holds the instructions and data the CPU needs; it is a temporary memory area for instructions that are to be interpreted by the CPU and used for data processing.
Buffer overflow – Data being processed enters the CPU a block at a time. If the software does not properly set the boundaries for how much data can come in as a block, extra data can slip in and be executed.
Real storage – As instructions and data are processed, they are moved back to the system’s memory space / real storage.
CISSP CBK 4 – Applications & Systems Development Security
Database systems and database management
Types of databases:
– Hierarchical
– Mesh
– Object-oriented
– Relational
DBMS / Database Management System
A suite of programs used to manage large sets of structured data with ad hoc query capabilities for many types of users.
Database: A collection of data stored in a meaningful way that enables multiple users and applications to access, view and modify data as needed.
Database terms/jargon
– Record: Collection of related data items
– File: Collection of records of the same type
– Database: Cross-referenced collection of files
– DBMS: Manages and controls the database
– Base relation: A table stored in a database
– Tuple: A row in a database
– Attribute: A column in a database
– Primary key: Columns that make each row unique
– View: Virtual relation defined by the database to keep subjects from viewing certain data
– Foreign key: Attribute of one table that is the primary key of another table
– Cell: Intersection of a row and column
– Schema: Holds data that describes a database
– Data dictionary: Central repository of data elements and their relationships.
– Cardinality: The number of rows in the relation.
– Degree: The number of columns in the relation.
– Domain: Is a set of allowable values that an attribute can take.
CISSP CBK 3 – Security Management Practices
Fundamental Principles of Security
Security objectives
Confidentiality: Provides the ability to ensure that the necessary level of secrecy is enforced.
Integrity: Is upheld when the assurance of accuracy and reliability of information and system is provided and unauthorized modification of data is prevented.
Availability: Prevents disruption of service or productivity.
Definitions
Vulnerability: Is a software, hardware or procedural weakness that may provide the attacker the open door he is looking for to enter a computer or network and have unauthorized access to resources within the environment.
CISSP CBK 2 – Telecommunications & Network Security
Open System Interconnect Model
Protocol – Standard set of rules that determine how systems will communicate across networks.
OSI Model layers and the TCP/IP layers they map to:
– Application, Presentation, Session → Application
– Transport → Host-to-host
– Network → Internet
– Data Link, Physical → Network Access
Each layer adds its own information to the data packet.
CISSP Intro
This starts a series of posts that deals with the CISSP CBK (Common Body of Knowledge). The summary covers all ten CBK domains that are required for the CISSP exam. One should not use this as a definitive guide for taking the CISSP exam, but rather as an intro to CISSP. All the data is gathered from various sources, starting from study guides for the exam and ending with materials found on the Internet.
As a side note, there are questions about CISSP vs CISA. The focus of those two certifications is different. While CISSP is focused on building and maintaining security (although it is not a technical standard), CISA is more focused on auditing and assessing risks and controls. Your choice of certification should be based on what you really want to work with. If you want to be a security professional, CISSP is the choice. If you want to be an IT/IS auditor instead, then you should take CISA. As I’ve been an IT/IS auditor and am now an IS consultant, there is a lot of knowledge supported by both CISA and CISSP.