CISSP Friday-Five Questions: Well-known ports.

Which port does POP3 normally use?

A POP3 server listens on well-known port 110.

Your organization runs a secure website over https://. Which port is used by default?

HTTPS URLs begin with "https://" and use port 443 by default, or alternatively 8443, whereas HTTP URLs begin with "http://" and use port 80 by default.

Which ports are commonly used to upload files using FTP?

FTP uses TCP port 20 for FTP data transfer and TCP port 21 for FTP control.

Which well-known ports do email programs use for POP3, IMAP, and SMTP?

SMTP (Simple Mail Transfer Protocol) uses TCP port 25 as default, but can also use port 2525. POP3 (Post Office Protocol, version 3) uses TCP port 110. IMAP (Internet Message Access Protocol) uses TCP port 143.

We log into our cloud servers using SSH. Which port is assigned to SSH?

The well-known TCP port 22 has been assigned for contacting SSH servers.

 


CISSP – Defense in Depth

  • Defense in Depth – Also called Layered Defense or Onion Defense.
    • We implement multiple overlapping security controls to protect an asset.
    • This applies both to physical and logical controls.
    • To get to a server you may have to go through multiple locked doors, security guards, man traps.
    • To get to data you may need to get past firewalls, routers, switches, the server, and the application's security.
    • Each step may have multiple security controls.
    • No single security control secures an asset.
    • By implementing Defense in Depth you improve your organization's Confidentiality, Integrity and Availability.


CISSP – Liability, due diligence and negligence.

  • Liability:
    • If the question is who is ULTIMATELY liable, the answer is Senior Leadership. This does not mean you are not liable; you may be, that depends on Due Care. Who is held accountable, who is to blame, who should pay?
  • Due Diligence and Due Care:
    • Due Diligence – The research to build the IT Security architecture of your organization. Best practices and common protection mechanisms. Research of new systems before implementing.
    • Due Care – Prudent Person Rule – What would a Prudent Person do in this situation?
    • Implementing the IT Security architecture, keeping systems patched. If compromised: fix the issue, notify affected users (Follow the Security Policies to the letter).
  • Negligence (and Gross Negligence) is the opposite of Due Care.
    • If a system under your control is compromised and you can prove you did your Due Care you are most likely not liable.
    • If a system under your control is compromised and you did NOT perform Due Care you are most likely liable.

CISSP – Need to know, least privilege and objects/subjects.

  • Least Privilege and Need to know.
    • Least Privilege – (Minimum Necessary Access) Give users/systems exactly the access they need, no more, no less.
    • Need to know – Even if you have access, if you do not need to know, then you should not access the data.
  • Non-repudiation.
    • A user cannot deny having performed a certain action. This uses both Authentication and Integrity.
  • Subject and Object.
    • Subject – (Active) Most often users, but can also be programs – Subject manipulates Object.
    • Object – (Passive) Any passive data (both physical paper and data) – Object is manipulated by Subject.
    • Some can be both at different times: an active program is a subject; when closed, the data in the program can be an object.

CISSP – IAAA (Identification and Authentication, Authorization and Accountability)

  • Identification:
    • Your name, username, ID number, employee number, SSN etc.
    • “I am Thor”.
  • Authentication:
    • “Prove you are Thor”. – Should always be done with Multifactor Authentication!
    • Something you know – Type 1 Authentication (passwords, pass phrase, PIN etc.).
    • Something you have – Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).
    • Something you are – Type 3 Authentication (and Biometrics) (Fingerprint, Iris Scan, Facial geometry etc.).
    • Somewhere you are – Type 4 Authentication (IP/MAC Address).
    • Something you do – Type 5 Authentication (Signature, Pattern unlock).
  • Authorization
    • What are you allowed to access – We use Access Control models, what and how we implement depends on the organization and what our security goals are.
    • More on this in Domain 5 – Identity and Access Management (DAC, MAC, RBAC, RUBAC)
  • Accountability (also often referred to as Auditing)
    • Trace an Action to a Subject's Identity:
    • Prove who/what a given action was performed by (non-repudiation).


CISSP – the CIA Triad and its opposites.

Confidentiality, Integrity and Availability

  • Finding the right mix of Confidentiality, Integrity and Availability is a balancing act.
  • This is really the cornerstone of IT Security – finding the RIGHT mix for your organization.
    • Too much Confidentiality and the Availability can suffer.
    • Too much Integrity and the Availability can suffer.
    • Too much Availability and both the Confidentiality and Integrity can suffer.
  • The opposite of the CIA Triad is DAD (Disclosure, Alteration and Destruction).
    • Disclosure – Someone not authorized gets access to your information.
    • Alteration – Your data has been changed.
    • Destruction – Your Data or Systems have been Destroyed or rendered inaccessible.


CISSP – the CIA Triad – Availability!

We want to keep our System and Data available.

  • We use:
    • IPS/IDS.
    • Patch Management.
    • Redundancy on Hardware Power (Multiple Power Supplies/UPSs/Generators), Disks (RAID), Traffic paths (Network Design), HVAC, Staff, HA (high availability) and much more.
    • SLAs – How high an uptime do we want (99.9%?) – (ROI)
  • Threats:
    • Malicious attacks (DDOS, Physical, System compromise, Staff).
    • Application failures (errors in the code).
    • Component failure (Hardware).


CISSP – the CIA Triad – Integrity!

  • We want system and Data integrity
    • We use:
      • Cryptography (again).
      • Checksums (This could be CRC).
      • Message Digests also known as a hash (This could be MD5, SHA1 or SHA2).
      • Digital Signatures – non-repudiation.
      • Access control.
    • Threats:
      • Alterations of our data.
      • Code injections.
      • Attacks on your encryption (cryptanalysis).


CISSP – the CIA Triad – Confidentiality!

We want to keep our information confidential. 

  • We use:
    • Encryption for data at rest (for instance AES256), full disk encryption.
    • Secure transport protocols for data in motion. (SSL, TLS or IPSEC).
    • Good best practices for data in use – clean desk, no shoulder surfing, screen view angle protector, PC locking (automatic and when leaving).
    • Strong passwords, multi factor authentication, masking, Access Control, Need-to-Know, Least Privilege.
  • Threats:
    • Attacks on your encryption (cryptanalysis).
    • Social engineering.
    • Key loggers (software/hardware), cameras, Steganography.
    • IoT (Internet of Things) – The growing number of connected devices we have poses a new threat; they can be a backdoor to other systems.

CISSP – the CIA Triad!

  • The CIA Triad (AIC)
    • Confidentiality
      • This is what most people think IT Security is.
      • We keep our data secure and our secrets secret.
      • We ensure no one unauthorized can access the data.
    • Integrity
      • How do we protect against modifications of the data and the systems?
      • We ensure the data has not been altered.
    • Availability
      • How do we ensure the data is available when users need to access it?
      • We ensure authorized people can access the data they need, when they need to.

       
