Saturday, June 17, 2023

SMS as a Second Factor for Authentication Deprecated by NIST

NIST has deprecated SMS as a second factor for authentication because of its vulnerabilities.

This was removed in NIST Special Publication 800-63 Revision 3 in June 2017!

Network-based IDS versus Host-based IDS in Case of DDoS Attacks

NIDS can detect the initiation of attacks but will not be able to figure out whether the attacks are successful.

HIDS can find out whether attacks are successful but will not see the attacks being initiated.
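As an added illustration of the two statements above (example code, not part of the original notes), the following runs a NIDS-style check and a HIDS-style check over constructed data: a flow log, as a sensor on the wire would see it, and a host-agent log of the target's service state. The addresses, thresholds and log formats are all assumptions made for the demo.

```python
"""Added example (not from the original notes): the NIDS/HIDS split on constructed data.

A NIDS sees traffic on the wire, so it can notice a burst of connection
attempts aimed at a server but cannot tell whether the server buckled.
A HIDS sees the host's own state, so it can tell the service degraded but
has no view of which source sent the traffic. Correlating both answers
"who started it?" and "did it work?".
"""
from collections import Counter

# Constructed flow records as a NIDS would see them: (src_ip, dst_ip, tcp_flag).
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
FLOW_LOG = [
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("198.51.100.7", "192.0.2.10", "SYN"),
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("198.51.100.7", "192.0.2.10", "ACK"),
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("203.0.113.9", "192.0.2.10", "SYN"),
    ("203.0.113.5", "192.0.2.10", "SYN"),
    ("198.51.100.7", "192.0.2.10", "SYN"),
    ("203.0.113.5", "192.0.2.10", "SYN"),
]

# Constructed host-agent samples as a HIDS would see them:
# (seconds_since_start, service_state, open_connections).
HOST_LOG = [
    (0, "up", 40),
    (10, "up", 900),
    (20, "degraded", 4096),
    (30, "down", 4096),
]


def nids_detect(flows, syn_threshold=5):
    """Sources whose SYN count reaches the threshold: the attack being initiated.

    This says nothing about whether the target coped with the load.
    """
    counts = Counter(src for src, _dst, flag in flows if flag == "SYN")
    return {src for src, n in counts.items() if n >= syn_threshold}


def hids_detect(samples):
    """First timestamp at which the service left the 'up' state, or None.

    This shows the attack succeeded but cannot name the source.
    """
    for seconds, state, _conns in samples:
        if state != "up":
            return seconds
    return None


def correlate(flows, samples, syn_threshold=5):
    """Combine both views into one finding an analyst can act on."""
    return {
        "initiated_by": sorted(nids_detect(flows, syn_threshold)),
        "succeeded_at": hids_detect(samples),
    }


if __name__ == "__main__":
    print(correlate(FLOW_LOG, HOST_LOG))
```

Run on its own, the script reports that 203.0.113.5 initiated the flood (only the NIDS view can say so) and that the service degraded at 20 seconds (only the HIDS view can say so); neither sensor alone gives both halves.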

Tuesday, April 25, 2023

Patent, Copyright, Trademark & Trade Secrets

 There are 4 types of intellectual property protection methods: 

  1. Patents: good for 20 years - the shortest of all 4. 
  2. Copyright: good for 70 years after death of the author - for programming code and books, art and so on. 
  3. Trademark: renewable - indefinite
  4. Trade secret - as long as the secret is not disclosed to public. 

Tuesday, March 7, 2023

VPN Protocols

  •  Point-to-Point Tunneling Protocol (PPTP)
    • Obsolete - sends initial negotiation unencrypted, which can include usernames and hashed passwords.  
    • Encapsulation protocol from dialup P2P. 
    • Operates in Data Link layer (layer 2) 
    • TCP Port 1723
    • Offers:  
      • Password Authentication Protocol (PAP)
      • Challenge Handshake Authentication Protocol (CHAP)
      • Extensible Authentication Protocol (EAP)
      • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
  • Layer 2 Tunneling Protocol (L2TP)
    • Combines PPTP with Cisco's L2F
    • Operates at layer 2 
    • Port UDP 1701
    • Can rely on PPP's supported authentication protocols, e.g., IEEE 802.1X
      • IEEE 802.1X makes it possible to use AAA services like RADIUS or TACACS+
    • No native encryption but can support payload encryption protocols
      • Often deployed using IPsec's ESP for encryption. 
  • Secure Shell (SSH)
    • Secure replacement for Telnet (TCP port 23)
    • Uses TCP port 22
    • Is used to encrypt protocols such as SFTP, SEXEC, SLOGIN, and SCP
    • OpenSSH is used to implement SSH VPNs. 
  • OpenVPN
    • Based on TLS
    •  Open source
    • Can use pre-shared keys or certificates for authentication
  • IP Security Protocol (IPsec)
    • Collection of protocols: AH, ESP, HMAC, IPComp, IKE
      • Authentication Header (AH) - provides message integrity, nonrepudiation, as well as primary authentication
      • Encapsulating Security Payload (ESP) - provides confidentiality & integrity of payload contents, operates in either transport or tunnel mode. AES is used in modern IPsec ESP. 
      • Hash-based Message Authentication Code (HMAC) - primary hashing for integrity
      • IP Payload Compression (IPComp) - Compression prior to ESP for better speed. 
      • Internet Key Exchange (IKE) - enables IPsec to use public-key cryptography & symmetric cryptography.
        • Composed of 3 elements: OAKLEY, SKEME, and ISAKMP
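The HMAC bullet above says it is the primary integrity mechanism in IPsec. The following added example (not from the original notes, and not IPsec framing itself) shows what that buys in practice: a keyed hash appended to a payload, verified in constant time by the receiver, so that any modification in transit is rejected. The key, payloads and packet layout are constructed for the demo; a real IPsec deployment would derive its keys through IKE.

```python
"""Added example (not from the original notes): a keyed hash giving a payload the
integrity protection the IPsec notes attribute to HMAC. Plain HMAC-SHA256 over a
byte string, not IPsec framing; key and payloads are constructed for the demo."""
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def make_tag(key: bytes, payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload using the shared secret key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify_tag(key: bytes, payload: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time.

    compare_digest avoids leaking, through timing, how many leading bytes matched.
    """
    return hmac.compare_digest(make_tag(key, payload), tag)


def protect(key: bytes, payload: bytes) -> bytes:
    """Append the tag to the payload, as a transmitter would."""
    return payload + make_tag(key, payload)


def unprotect(key: bytes, packet: bytes):
    """Split off the tag, verify it, and return the payload; None on any integrity failure."""
    if len(packet) < TAG_LEN:
        return None
    payload, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return payload if verify_tag(key, payload, tag) else None


# Constructed demo key; a real deployment derives keys through IKE.
DEMO_KEY = bytes(range(32))


def tamper_demo():
    """Show that a single flipped payload bit is caught by the receiver."""
    packet = bytearray(protect(DEMO_KEY, b"route update: 192.0.2.0/24 via gw1"))
    packet[0] ^= 0x01  # flip one bit of the payload
    return unprotect(DEMO_KEY, bytes(packet))


if __name__ == "__main__":
    print(unprotect(DEMO_KEY, protect(DEMO_KEY, b"hello")))  # b'hello'
    print(tamper_demo())  # None
```

Note what the tag does not give you: the payload still travels in the clear, so integrity here is separate from confidentiality, which is why ESP (encryption) and HMAC (integrity) are listed as distinct components of the IPsec suite.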

Friday, March 3, 2023

Types of Threat Modelling (Defensive/Proactive versus Reactive or Threat Hunting)

Proactive or Defensive Threat Modelling:

The proactive or defensive approach to threat modelling takes place during the early stages of systems development.

Reactive Threat Modelling:

Threat hunting (a.k.a. reactive threat management, an adversarial approach) takes place after a product has been created and deployed.



Wednesday, February 22, 2023

Security Policy, Standard, Baseline, Guideline and Procedure

Security Policies, Standards, Baselines and Guidelines should be understood fully for the CISSP exam.

Security Policy

A security policy is a document that defines the top-tier formalisation of an organisation's security requirements. It defines the scope of security in the organisation and states which assets are to be protected and to what extent.

Security Standards

Security standards provide courses of action to be implemented uniformly across software, hardware and technology, and so provide a homogeneous environment from a security perspective.


Monday, January 9, 2023

Incident Management

 Incident Management has the following steps: 

  1. Detection - automated using tools such as intrusion prevention and detection software, anti-malware tools and automated log audits, or manual when users notice anomalies.
  2. Response - engage the Computer Incident Response Team or Computer Security Incident Response Team (CIRT or CSIRT). A formal engagement method should be in place. The CSIRT is trained to do what is required and will be engaged in this and the following steps.
  3. Mitigation - contain the incident, limit the impact, and so on.
  4. Reporting - internal, e.g. a serious incident needs to be reported to the CEO, and, if customer information leaked, to certain authorities within a mandated time-frame.
  5. Recovery - bring the system back to a fully functional state; may require rebuilding, patching, configuring ACLs, etc.
  6. Remediation - root cause analysis and taking steps to prevent recurrence.
  7. Lessons Learned
One can use the acronym DRMRRRL (Drums Roll) if that makes it easier to remember!


Subject and Objects

In a security context, a subject is normally a user but could be a process, a computer or an organisation. A subject is active: it always receives information about, or data from, the object.

On the other hand, an object is the entity that always provides or hosts information or data. 

A process accessing a database is a subject whereas the database and its components are objects. 

The two roles  of subject and object can switch while two entities communicate to accomplish a task.



Saturday, January 7, 2023

Data Classification (Government & Commercial)



Class    Government Classification   Commercial Classification   Impact of leak
Class 3  Top Secret                  Confidential/Proprietary    Exceptionally Grave Damage
Class 2  Secret                      Private                     Serious Damage
Class 1  Confidential                Sensitive                   Damage
Class 0  Unclassified                Public                      No Damage


SOC 1, SOC 2, SOC3 and Type I and Type II Audits

One of the topics that is most definitely asked in the CISSP exam is the types of audit engagements based on the Statement on Standards for Attestation Engagements no. 18 (SSAE No. 18 or SSAE 18).

There are three types of System and Organization Controls (SOC) reports:

  1. SOC 1 – Internal Control over Financial Reporting
  2. SOC 2 – Trust Services Criteria
  3. SOC 3 – Trust Services Criteria for General Use Report 
Please note these for exam: 
    ====>>>    SOC 3 is for public and SOC 2 is for internal use!
    ====>>>    SOC 1 is for financial reporting!

There are 2 levels of SOC reports: 

  • Type I is more of a "point in time" report: it describes a service organisation's systems and whether the design of the specified controls meets the relevant trust principles. It is more of a documentation review than a thorough audit of operating effectiveness.
  • Type II addresses the operational effectiveness of the specified controls over a period of time: usually 9 to 12 months - at least 6 months!