Tactical Security Inc’s Blog

Entries categorized as ‘CISSP’

Pandemic Preparation?

April 30, 2009 · 1 Comment

As I listen to the news this week, with the number of H1N1 (Swine) Flu cases increasing and the WHO finally declaring pandemic status, I wonder how many companies ever add elements to their BCP/DRP in order to be prepared to handle a pandemic.

This is not the first, and it won't be the last.  The nature of our world these days allows illness to spread around the planet very quickly.  Air travel is so easy and so common that a virus can jump states or countries in no time.  This is one of those items that you can't predict based on the type of work your business does or its physical location.

Does your business have a way to continue to function and operate if employees must stay home to care for their children because schools are closed?  What would you do if a case of the Swine flu occurred within your user population? Send everyone home?  Do your employees have the capability to work from home?  How would you disinfect your workspace?  How would you immediately care for everyone to keep them healthy?

These are some basic questions that, if addressed now, could save your business a lot of money in the event of a pandemic later.

Categories: CISSP

CISSP Quantitative Risk Analysis

April 28, 2009 · Leave a Comment

Scenario Question

I read a joke the other day that went something like this:

Did you hear that there was a huge fire in the Yugo assembly plant? Over 80% of the building was destroyed. Insurance adjusters estimate the damages at $800.

This of course brings to mind a quantitative risk analysis. Remember, there are two main types of risk analysis – Qualitative and Quantitative. A qualitative risk analysis creates a scenario and attempts to rank the seriousness of threats against the sensitivity of the asset. A quantitative risk analysis attempts to assign a specific cost to a threat.

Perhaps an exam type scenario question is in order:

There was a fire at a factory and 80% of the building was destroyed. The damage to the building was $800. Fire statistics reveal that the Yugo factory has had a similar fire an average of once every five years. Use this information to answer the following questions:

1. Given that the cost of the damages to the building was $800, what is the total asset value of the Yugo Factory?

a. $800

b. $1600

c. $500

d. $1000

2. Senior management decides to spend $1200 installing a fire prevention system in the newly repaired factory. This system requires a $100 per year maintenance contract that extends the warranty of the fire prevention system to 15 years assuming the maintenance is performed annually. The warranty covers the cost of all repairs including parts and labor. Would you advise management for or against buying this system?

a. Yes, buy the system; it will save the company $300 over the next 15 years.

b. No, do not buy the system; it will cost the company $300 over the next 15 years.

c. No, do not buy the system. Management should never spend more money preventing fires than the factory is worth.

d. Yes, buy the system; it will save the company $100 over the next 15 years.

3. What is the Annual Rate of Occurrence (ARO) of fires at the Yugo factory?

a. 2

b. .2

c. 5

d. .5

Answers:

1. D. $1000.

The formula for computing Single Loss Expectancy (SLE) is Asset Value (AV) x Exposure Factor (EF). In this scenario the SLE = $800 and the EF = 80%, or .8. This gives the equation $800 = AV x .8. Solving for AV we get AV = $800 / .8, which gives us $1000 for the Asset Value. We can check this by multiplying $1000 by .8, which comes back to $800.

2. B. No, do not buy the system; it will cost the company $300 over the next 15 years.

Assuming one fire every five years and $800 of loss for each fire, we come up with three fires in 15 years for a total of $2400 in loss ($800 x 3 fires). The fire prevention system has an initial cost of $1200 plus an additional $1500 in maintenance over the next 15 years ($100 x 15 years). The total cost of the system would be $2700.

$2400 – $2700 = -$300, so we would be losing $300.

3. B. .2

Statistics show us one fire every five years, or two fires every ten years. 2/10=.2, so the ARO is .2.

In this scenario we are assuming no loss of life and are not concerned with company reputation. In the real world the answers might be different, especially for question two, as those two factors would likely swing the balance the other way. The scenario did not mention people, data, or reputation, so please do not read things into this question, or into the exam questions, that you are not presented with.

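The arithmetic behind the three answers, as an added worked example that is not part of the original post: it recovers AV from SLE and EF, computes ARO and ALE, and evaluates the safeguard both the way the post does (15-year totals) and in the usual per-year form (ALE before minus ALE after minus annualized safeguard cost). Like the post, it assumes the system eliminates fires entirely (ALE after = 0).

```python
from fractions import Fraction as F

# Exact arithmetic so that 800 / 0.8 is exactly 1000 rather than a float approximation.


def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = AV x EF: the loss from one occurrence of the threat."""
    return F(asset_value) * F(exposure_factor)


def asset_value_from_sle(sle, exposure_factor):
    """Invert SLE = AV x EF to recover the asset value (question 1)."""
    ef = F(exposure_factor)
    if not 0 < ef <= 1:
        raise ValueError("exposure factor must be a fraction in (0, 1]")
    return F(sle) / ef


def annualized_rate_of_occurrence(events, years):
    """ARO = events / years; one fire per five years gives 0.2 (question 3)."""
    return F(events) / F(years)


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: the expected loss per year."""
    return F(sle) * F(aro)


def safeguard_value(ale_before, ale_after, initial_cost, annual_cost, horizon_years):
    """Cost/benefit of a safeguard in the usual CISSP form:
    value per year = ALE(before) - ALE(after) - annualized cost of the safeguard,
    with the up-front price spread evenly over the horizon.
    Returns (value per year, value over the whole horizon)."""
    annual_safeguard_cost = F(initial_cost) / F(horizon_years) + F(annual_cost)
    per_year = F(ale_before) - F(ale_after) - annual_safeguard_cost
    return per_year, per_year * horizon_years


def yugo_scenario():
    """The post's numbers: 80% of the building lost, $800 of damage, one fire
    every five years, a $1200 system plus $100/year for 15 years, and (as the
    post's arithmetic assumes) no fires at all once the system is installed."""
    av = asset_value_from_sle(800, "0.8")
    aro = annualized_rate_of_occurrence(1, 5)
    sle = single_loss_expectancy(av, "0.8")        # round trip: back to $800
    ale = annualized_loss_expectancy(sle, aro)
    horizon = 15
    per_year, net = safeguard_value(ale, 0, 1200, 100, horizon)
    return {
        "av": av,                                   # $1000 (answer 1: D)
        "aro": aro,                                 # 0.2   (answer 3: B)
        "sle": sle,                                 # $800
        "ale": ale,                                 # $160 per year
        "expected_loss_15": ale * horizon,          # $2400, the post's "three fires"
        "safeguard_cost_15": 1200 + 100 * horizon,  # $2700
        "net_per_year": per_year,                   # -$20
        "net_15_years": net,                        # -$300 (answer 2: B)
        "advice": "buy" if net > 0 else "do not buy",
    }
```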
Categories: CISSP

PPP – Authentication methods PAP and CHAP

April 10, 2009 · Leave a Comment

Once a PPP connection has been established and LCP has negotiated which authentication method(s) are available, an authentication protocol must be agreed upon and utilized.  Those methods include Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP) and Extensible Authentication Protocol (EAP).  Due to the many flavors of EAP, I will not attempt to address those issues here. 

PAP uses a simple two-way handshake performed only during the initiation of the connection.  Once PPP LCP moves into the authentication phase, PAP sends the ID/Password pair in the clear (unencrypted), repeatedly, until the authentication is acknowledged or the connection is terminated.  The handshake is not repeated during the resulting connection, so there is no replay protection.  The RFC does not specify how the password is stored on either end of the connection, but it must be available in plain text at both ends.  Common implementations encrypt the password database and decrypt it during the authentication process.

CHAP is a much more robust authentication protocol and should be used whenever possible in place of PAP.  Once LCP has negotiated CHAP authentication, the authenticator (normally considered to be the server or device being connected to) sends a challenge packet consisting of a challenge identifier number and a random number, often called a "nonce" or just a challenge.  The host device then responds with a hash value created from the identifier, the password (called a "secret") and the challenge.  These three items are concatenated (written end to end, one after another) and hashed.  The resultant message digest, or hash value, is returned to the authenticator in a packet that carries the same identifier as the challenge.  The identifier is there to associate each of several possibly outstanding challenges with its particular response.  Upon receiving the response packet containing the message digest, the authenticator hashes the challenge identifier it sent, the shared secret, and the challenge it sent.  The locally created message digest must be identical to the received message digest in order to authenticate the host.

The creation of the hash value requires that the password be available in plain text at both ends of the authentication process.  The secret is never sent across the wire in plain text, but it must be maintained by both endpoints in a form from which the plaintext can be recovered, i.e. stored in plaintext or under reversible (two-way) encryption.

CHAP may be implemented in such a manner that challenges are periodically sent during the NCP phase.  The host device must respond to these challenges.  The random challenge itself prevents replay attacks, while the option to resend the challenge is an aid to preventing session hijacking.  The CHAP challenge may also be sent by the host device to authenticate the "server" side.  This two-way authentication can be used to set up a VPN or other communication path requiring mutual authentication, and is the default in many Cisco networking devices.

Cisco routers and other devices have an option to attempt multiple forms of authentication.  This is NOT the recommended security setting.  Each unique username should be allowed only one form of authentication, in our case either PAP or CHAP.  PAP is the weaker and least advisable authentication method.  If a username is configured to allow both PAP and CHAP authentication, the secrets should be different.  Remember that CHAP sends the password hashed and PAP sends it in the clear.  What good is it to use CHAP when at other times PAP is used with the same clear-text password?  Always select CHAP, or better yet EAP, over PAP when possible.
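The CHAP exchange described above, written out as an added example (not code from the original post or from any vendor's implementation). It follows CHAP with MD5 as RFC 1994 specifies: the response is MD5 over the one-octet Identifier, the secret and the challenge, concatenated in that order. The endpoint names and secrets are constructed for the demonstration; each endpoint can both challenge and respond, so the same code also shows the two-way (mutual) case.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 (RFC 1994): digest over Identifier || secret || challenge.
    The secret itself never goes on the wire, only this digest."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Endpoint:
    """One PPP endpoint that can act as authenticator (issue challenges and
    verify responses) and as the authenticated host (answer challenges).
    'peers' maps a peer name to the secret shared with that peer; as the post
    notes, both sides must be able to recover that secret in plaintext."""

    def __init__(self, name: str, secret: bytes, peers: dict):
        self.name = name
        self.secret = secret
        self.peers = dict(peers)
        self.outstanding = {}   # Identifier -> challenge still awaiting a response
        self.next_id = 0

    def challenge(self) -> tuple:
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)   # the random nonce that makes every exchange unique
        self.outstanding[ident] = chal
        return ident, chal

    def respond(self, ident: int, chal: bytes) -> tuple:
        return self.name, chap_response(ident, self.secret, chal)

    def verify(self, ident: int, name: str, response: bytes) -> bool:
        chal = self.outstanding.pop(ident, None)   # each challenge is single-use
        secret = self.peers.get(name)
        if chal is None or secret is None:
            return False
        expected = chap_response(ident, secret, chal)
        return hmac.compare_digest(expected, response)


def run_chap(authenticator: Endpoint, host: Endpoint) -> bool:
    """One challenge/response round; True if the host is authenticated."""
    ident, chal = authenticator.challenge()
    name, resp = host.respond(ident, chal)
    return authenticator.verify(ident, name, resp)


def mutual_chap(a: Endpoint, b: Endpoint) -> bool:
    """Two-way CHAP: each side challenges the other, as for a VPN."""
    return run_chap(a, b) and run_chap(b, a)


def replay_is_rejected(authenticator: Endpoint, host: Endpoint) -> bool:
    """Why the nonce matters: a captured response fails when replayed, both
    against its consumed Identifier and against any fresh challenge."""
    ident, chal = authenticator.challenge()
    name, resp = host.respond(ident, chal)
    first = authenticator.verify(ident, name, resp)
    replay_same_id = authenticator.verify(ident, name, resp)
    new_ident, _ = authenticator.challenge()
    replay_new_id = authenticator.verify(new_ident, name, resp)
    return first and not replay_same_id and not replay_new_id
```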

Categories: CISSP · Network Protocols · Secure Network Protocols

CISSP Preparation – Practice Questions

April 10, 2009 · Leave a Comment

To practice or not to practice… that is the question.

My basic answer is YES.  Do practice questions.

The complicated answer:

You must understand the reason you are doing the practice questions in order to get the most out of them.  So what is the reason you ask? It is to get yourself used to answering questions of this nature.  Most adults do not take exams on a regular basis.  As a result most of us are not used to these convoluted questions.

Before I go further with that I have to add what you are NOT trying to get out of these practice questions.  You are not doing these questions with the hope of memorizing them word for word so that by the time you get to the exam you have seen all of the questions and all of the answers.  Expect that you will not see anything on the exam that you have seen in practice.

One of the most important things that you can get out of your practice questions is to identify why you got the questions wrong.  It is better to identify this now, rather than after the exam.  It is fun and makes you feel good when you get the questions right, but what you really want to be looking for is the questions that you get wrong and then understanding why you got it wrong.

One reason you might get a question wrong is that you looked at it from a technical perspective rather than a managerial one.  You might have missed a word (e.g. NOT).  You might have added a word that was not there (e.g. NOT).  You might have missed the actual question embedded within all of the words that they gave you.

One thing that I can promise you is that you will find bad questions.  Questions that make you upset, mad or even angry.  Practice questions are almost always written by people that had the thought AFTER writing a book or a course that they should probably write some practice questions as well, myself included.  As a result they do not get all of the attention that they deserve and they are not evaluated and revised as necessary.

If you are dealing with a bad question, what is most useful to you is to identify why it is a bad question.  Was it poorly worded?  Were the answers too close to each other?  Were the answers synonymous?  Was a word missing from the question or the answer?  And so on.  If you can explain why it is a bad question, then you are showing that you do have a grasp of the topic, which is what you need to be ready to take the exam.

So practice away.  Just look for what has you getting the wrong answers in order to get you ready for the exam.

Now the next question I am often asked is which questions should you use?

If you have any of the study guide books there are questions that go along with them.  They are ok.  All of them.. they are ok.  One note is the questions in the All-in-One used to be too long in comparison to the exam, but now they are not long enough.

There are a lot of questions on CCCure.org.  I would recommend practicing at the two hardest levels.  I like these questions because they are free.  I am all about free.  Buyer beware – you get what you pay for.  There are a lot of bad questions in there.  Just use them for practice.  Identify why they are bad questions and let it go.  If there is information in a question that goes against all you have read or learned, or against what your own background tells you, then let it go as a bad question, or go research somewhere else for more accurate info.

What if you want to spend money on questions?  I would NOT recommend buying the Transcender or any other similar questions.  You are just as well off with CCCure.  If you really want some good questions and are willing to pay for them, get them from the source, (ISC)2.  They have 300 questions available for purchase.  The difference with these questions is that they went through the same process as the real test questions (minus going into real exams) and are decent, solid questions.

Practice away !!!

Categories: CISSP

CISSP Preparation – Books

April 9, 2009 · Leave a Comment

Are you getting ready to take the CISSP exam?  Are you wondering where to start?  Are you wondering how you will know when you are really ready to take the exam?  I have some tips that I have found are very useful through my six years of teaching CISSP for (ISC)2.

Let's start with books.

I classify the books available for preparing for this exam into three categories.

Category 1 = Cliff Notes

Category 2 = Full prep guides

Category 3 = Expert books

Category 1 includes CISSP for Dummies and the Passport by Mike Myers.  The Passport is currently out of print as I write, but perhaps you can borrow one.  I recommend either of these books.  The basic difference between them is the style of writing.  The CISSP for Dummies book is entertaining to boot, but if you are going to be aggravated by funny quips, such as the different hash algorithms being compared to the Jackson family, then go with the Passport book.

I would recommend using these books as you start your studying, through to the last week before you take the exam.  When you first pick up this book I would take a walk through to start to identify the topics you are familiar with and those that you are not familiar with.  As you identify areas that you need to work on you can then migrate to a book out of Category 2.

Category 2 books include the Official guide from (ISC)2, the All-in-One Exam Guide by Shon Harris, as well as many others.  I recommend that you pick a book here that matches your reading style.  For example the Official guide is a bit long winded on topics and that works great for some people, but not for others.  Most people seem to work well with the All-in-One exam guide.

As you go through the list of topics in your Category 1 book and find things that you are less familiar with or not familiar with at all I would then recommend that you move to your Category 2 book to read more on that topic.  Some people do read their Category 2 book from cover to cover, a couple of times even, although most do not.  I find it to be most useful as a research aide.

Category 3 books include all of the real books out there on security.  These are the books that are written by a subject matter expert on their topic of knowledge.  If you are still left confused by Category 1 or 2 books, this is the place to turn for more detailed, or possibly, more accurate information.  ISC2 has a list of books that falls into this category.  My favorite cryptography books can be found here.

In general these books are too detailed for getting ready for the exam, although they could be very useful when you are looking for that additional information or clarification information for a specific project.

One other note regarding buying books, is that you don’t necessarily have to.  There is free information available on the web.  Just buyer beware you usually get what you pay for.  One place that many turn to is CCCure.  There are several study guides that people have put together and posted on this site. For the most part these are nice study guides and can save you some money.

Good luck ;) and study hard.

More coming on CISSP practice questions.

Categories: CISSP

Personal Security part 1 – RFID Passports, Credit cards and badges

January 31, 2009 · Leave a Comment

I have had two conversations in the last two days that reminded me of the world that I live in.  The world of the security informed and therefore the slightly paranoid.  So may I offer some of my paranoia to you…

I received my new US Passport yesterday.  There are no more choices with the US Passport; they all now come with an RFID chip embedded inside of them.  So today I ordered a new wallet to go along with my new passport.  Those two conversations were on this topic.  So here is the scoop…

Many of our credit cards and our new passports have RFID chips embedded in them.  The amount of information contained on these chips does vary, but what does not vary is the fact that it is information that we do not want to leave the safety of our wallets.  These chips likely contain your name, your address, your account number or passport number and so on.  There is both good and bad news with these wondrous new chips.

The good news: it is possible to move forward with technology in our daily lives.  You can purchase tasty treats from a vending machine by waving your credit card in front of it instead of fighting with the machine to get it to accept that last crumpled, torn dollar bill in your wallet.  Or pay for your groceries at the store by waving your credit card in front of the machine instead of dealing with the magnetic strip that just can't be read today.  (Have you ever had a store clerk place your credit card inside a plastic bag and then run it through the reader, in the plastic bag?)  These problems go away when you introduce RFID chips.  It is easier for Immigration and Customs to spot faked passports now; shoot, it is even harder for the bad guys to fake passports for that matter.

As with all good news, there is a flip side, the bad news.  Some of the companies producing cards with RFID chips have acted responsibly by trying to protect our information with encryption, while some have not.  Unfortunately even those companies that have tried to do good are up against some bad guys out there.  The bad guys that try just a little harder.  The bad guys that crack the encryption.

So what are we to do?  We can debate whether these RFID chips should be used or not, but unfortunately that will not help us protect ourselves in the here and now.  So let's work on that instead.

There are plenty of instructions available to the hackers of the world, so let's protect ourselves!  The attack against these is now being referred to as the Johnny Carson attack: http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/

The first step is to figure out if you have any of these chips in your wallet.  You can usually see them when you look at your cards (including the badges you use to get into the office).  They are usually gold or silver in color and only a few centimeters square, about half the size of a dime.  For the US passport you can't see the chip, but when you received your passport the paperwork told you that it contained sensitive electronics.  If you don't remember that paperwork it might be a timing issue; these passports were issued within the last two or so years.  The other clue with the passport is the weight and thickness of the cover.  The old passports were bendable; the new ones are not.

The second step is to find out if there is a way to disable these chips.  If you are not in need of the convenience of flashing your credit card in front of a reader rather than through a reader I would suggest disabling.  One company that definitely allows you to disable these chips is American Express.  I would recommend checking your banks website or simply giving them a call for assistance.

The third step is to protect the information on these chips.  If it is a work badge, a Visa card, a MasterCard or your passport, you may not have the choice of disabling them.  So the next step is to carry them in a secure wallet or holder.  There are many on the market now and they come in a variety of shapes, colors and styles.  I would highly recommend looking for a vendor that says their wallet/holder is FIPS-201 compliant; otherwise you may only think you are protected.

Some of the options that I would recommend looking at are the following.  If these do not suit your style or need then I would recommend googling “RFID blocking FIPS wallet” or something to that effect.

For your work badge holder my recommendation would be http://www.idstronghold.com/content/products.

For your passport or credit cards there are two basic options.  The first option is a sleeve that the card/passport slides into and then you can place it in your regular wallet.  The second basic option is a new wallet.

The sleeves are generally cheaper than a whole new wallet, but which will work best for you is up to you.

For a sleeve you can look at http://www.idstronghold.com/content/products

If you are looking for a wallet, the expensive but nice-looking wallets (men's and women's) can be found at www.kenakai.com, or check out http://www.difrwear.com/products.shtml (men's only).

Be safe

Categories: CISSP · Family Security · General Security Tips

Password Storage

January 23, 2009 · Leave a Comment

Let's start with passwords… we all have ‘em… we all need ‘em… and they are out of control!  My preference for storing all of those passwords is a free little program from Counterpane called Password Safe.  It allows you to store all of your passwords in one safe, encrypted location.  You must remember one password in order to access the safe, but once you are in you have all of your passwords nicely listed and arranged.  It also has the very nice feature of creating random passwords for you, to increase the general strength of your passwords.

When you need to log into something, simply open Password Safe, scroll down until you locate the entry you need, double-click on it, and you can then paste the password into the password box in your application.  The copied password is cleared from memory afterward, so it will not remain there for some nefarious thief to steal later.

Very, very useful!  Kudos to Counterpane for making this and making it available to the general public for free.

You can download from here: http://passwordsafe.sourceforge.net/

Categories: CISSP · Family Security · General Security Tips