Continue reading »]]>

SmartPhone

Es evidente que la tecnología en Puerto Rico va incrementando en uso. Esto no significa que las personas que utilizan esta tecnología van a la par con el conocimiento de como utilizarla.  Un ejemplo sencillo es Red Box.  Redbox esta diseñado para que busques tu película favorita de una manera rápida si utilizas la tecnología presentada adecuadamente, como buscar la película por internet o por teléfono.

Nadie puede decirme que el problema es que Puerto Rico no esta suficientemente actualizado! , como dije al principio estamos creciendo en tecnología. Hoy día abuelito tiene un iPhone o un HTC aunque no sepa utilizarlo.

Mi punto es que entiendo que deberíamos leer un poco mas, entender en lo que nos estamos metiendo cuando compramos tecnología nueva.  Como dice el anuncio no comprar teléfonos “Smart” para hacer estupideces. Esto debería ser asi para todo, nos creemos expertos sin saber y ahí es donde fallamos.

Pensaba en esto hoy por toda la información que viaja en las redes de los proveedores de servicio móvil.  Fotos de la gente, conversaciones por texto, fotos de nudismo mas todo las otras cosas que se hacen con este tipo de teléfono. Yo no soy experto en nada, pero invito siempre a leer he informarse sobre lo que estas utilizando de alguna manera u otra. De esta forma podremos utilizar la tecnología a nuestro favor. La seguridad de la información que tenemos en nuestros teléfonos es nuestro deber, proteger esta información no le debería interesarle a nadie mas que a nosotros mismos.

Continue reading »]]> Lo malo de las convenciones en Puerto Rico es que siempre tienen intencionado vender algún tipo de producto.  Aunque se entiende por que los auspiciadores son los que logran que las convenciones se lleven acabo, creo que poner a un vendedor a tratar de hablar en el lenguaje de administradores como que no es real. Lo mejor que se puede sacar de este tipo de convenciones es el networking y los good times con los compañeros.

Dentro de las cosas mas interesantes, los estudiantes de Maestría de la Politécnica sacaron la cara con una demostración real de un Session Hijack , en realidad cuando el profesor lo anuncio se escucho como Sexual Hijack pero ahí vamos.  La tendencia de la industria de IT hacia cloud computing logra un user group que creo que tiene esperanza. El Puerto Rico Cloud Computing iniciativa de John Robles suena interesante y espero poder ser parte de esa iniciativa.

En mi carácter personal a mi me gusta mas lo” informativo” de verdad sin ninguna venta, pero claro como lograr esto sin auspicio es lo difícil. Vamos a ver como evoluciona el mundo de la seguridad en Puerto Rico.

Continue reading »]]>

Almost 2 years ago I took the CISSP. I have to admit I have no test taking abilities, and the proctor staring at me for 6 hours killed me. I failed with a 685. This was a very tragic moment on my life; knowing that the pass rate is 70%, I felt the stupidest person on the world. After a couple of weeks of “in the fuck it” mode I decided to do something about it. That is when I started my Masters on Information Assurance. I work for the Federal Government; and for some reason you could have all the experience in the world, but if you do not have a Cert or Credentials to back it up you do not get the job.

So here I am again, a couple of years after at it again. The reason I did not take it again quickly was because of the 500 dollars lost. I wanted to make sure I would not fail again. Now I want to review and help other people review for the exam.

This Blog for now is about CISSP but first I want to talk about other credentials in the market and their standing from my very personal point of view.

Legend:

Difficulty – How hard the test itself is, i.e. study-time needed, difficulty of material, etc.
Who – Who should be considering the certification.
Respect – Respect rating within the technical infosec-geek community.
Renown – How well-know the certification is throughout the industry.
Requirements – What’s needed to get the cert, e.g. prerequisites, exams, practicals, labs, etc.
Cost – What it’ll cost you (or your company) to get the credential.
Pros – Positive comments about the certification.
Cons – Downsides to the certification.

** Note: Numbers are on a scale from 1-10, with 10 being the highest

The Credentials: Security+
Sponsor: CompTIA
Difficulty: 2
Respectability: 2
Renown: 4
Requirements: Single Exam, +-100 Questions
Cost: $225 USD (discounts available online)

Who: This certification is for people just getting into the field. If you don’t have any other certifications, and your experience/skills are still developing, this is the certification for you.

Pros: It’s a fairly easy cert to get and I understand it’s getting a decent amount of recognition within federal organizations. It’s also a fair, solid test that asks decent questions rather than a bunch of vendor-specific garbage.

Cons: It’s entry-level and thus not strong as a standalone bargaining chip.

SSCP (Systems Security Certified Practitioner)
Sponsor: ISC2
Difficulty: 4
Respectability: 3
Renown: 2
Requirements: Single Exam, 125 Questions, 3 hours; 1 Year Experience
Cost: $350 USD

Who: The SSCP is for serious, dedicated information security professionals who are not quite ready to take the CISSP exam. Only one (1) year of experience is required for this exam vs. 3-4 (depending on if you have your bachelors) for the CISSP.

Pros: The SSCP is administered in a very professional fashion, just like the CISSP, and it thus carries some degree of the respect that goes along with that credential. It’s also from ISC2 just like the CISSP, so that helps it as well. It shows that you’re serious about your career.

Cons: Unfortunately, the certification that hurts the SSCP the most is in fact its older sibling — the CISSP. If you check the job boards, precious few jobs ask for the SSCP. The reasoning there is that the experience requirement for the CISSP is much of what makes it so respectable. To take that away and ask half the number of questions diminishes the value of the SSCP significantly.

CISSP (Certified Information Systems Security Professional)
Sponsor: ISC2
Difficulty: 5
Respectability: 4
Renown: 10
Requirements: Single Exam, 250 Questions, 6 hours; 4 Years Experience
Cost: $500 USD
Who: The CISSP is for serious, dedicated information security professionals who intend to stay in the field and grow. It says to employers that you are serious about your career and are familiar with the core basics of 10 separate areas within the field. In today’s market, managers and career professionals are expected to have this credential.

Pros: The CISSP is the undisputed king of infosec certifications. It’s the first infosec cert to receive ISO recognition — a great achievement not only for the certification itself, but also for the field as a whole. It commands a great deal of respect in many IT circles (and HR circles), and this can be clearly seen via job search results. It can help your chances greatly of getting high-paying jobs, and is an excellent addition to any resume. If you are only going to get one infosec certification, it should be the CISSP.

Cons: While the CISSP is the king of information security certifications, it suffers from being thought of as something it isn’t. Many still mistakingly view it as proof that someone is an expert in the field, and that couldn’t be farther from the truth. ISC2 has explicitly stated in the past that the test is designed to test a broad base of general knowledge, not to certify someone as a master of their field. Also, despite the rumors of impossibility, the exam also supports over a 70% first-time pass rate.

CISA (Certified Information Systems Auditor)
Sponsor: ISACA
Difficulty: 6
Respectability: 5
Renown: 8
Requirements: Single 200 Question Exam, 4 Hours; 5 Years Experience
Cost: $475 USD

Who: The CISA credential is ideal for anyone already doing, or looking at getting into information security auditing. If you’re not familiar with auditing, think of accounting. It’s basically ensuring that proper processes are in place and that people (and technologies) are doing what they’re supposed to be doing.

Pros: The credential is highly recognized and sports even more hits than the CISSP via Monster.com and other job searches. It’s highly sought after due to the myriad of regulations hitting the infosec industry. Considered a “professional” certification, it seems to borrow some respect from the CPA/Accountant arena.

Cons: Again, many jobs that request CISA also will take a CISSP. Certain jobs ask for CISA specifically, but most are just looking for this “class” of cert, and will accept a CISSP in its place.

CISM (Certified Information Systems Manager)
Sponsor: ISACA
Difficulty: 6
Respectability: 5
Renown: 7
Requirements: Single 200 Question Exam, 4 Hours; 5 Years Experience; 3 Years Security Management Experience.
Cost: $475 USD
Who: The CISM credential is for information security managers. It’s for those who wish to show that they can manage an enterprise information security program.
Pros: The credential comes from ISACA, which is a respected organization, and the position of information security manager is so important to companies that any credentials that speak to one’s competence will be helpful.
Cons: Once again the CISSP is still the leader in this area, and while the certification can definitely help, anyone hiring for an ISM position is going to be looking at a lot more than certifications.
Comments: Anyone wanting to get into an ISM position needs to be looking at this credential, but it doesn’t have the power of CISSP in my view. I think that out of the two big ISACA certs, the CISA offers more of a punch, albeit not necessarily for managers.

GSEC (GIAC Security Essentials Certification)
Sponsor: GIAC (SANS)
Difficulty: 7
Respectability: 7
Renown: 7
Requirements: Two 100-Question, Open-book, Open-Google Online Exams

Cost: $800 USD (Cost of exam without training)

Who: The GSEC is for highly-technical, serious information security professionals who actively work with the technical side of infosec on a daily basis. Those who are looking to show considerable technical knowledge over a large number of infosec subjects would be well-served by attaining this credential.

Pros: The SANS organization is universally recognized as a top-notch infosec training and certification organization. Any certification from them commands a decent degree of respect, both with engineers and increasingly with human resources as well.

Cons: The CISSP still owns the majority of the spotlight in this arena. Relatively few employers are aware of the GSEC, and even of those who do recognize it, most view the CISSP as just as (or more) valuable.

GCFW, GCFA, GCIA, GCUX, GCIH
Sponsor: GIAC (SANS)
Difficulty: 8-9
Respectability: 8-9
Renown: 5
Requirements: Two 100-Question, Open-book, Open-Google, Online Exams
Cost: $800 USD (without training)

Who: These various certifications represent the “hardcore” SANS offerings. They are more in-depth and difficult than the GSEC, and they focus on one area specifically. GCFW is for firewalls and VPNs, GCIA is for IDS/IPS, GCUX is for Unix security, GCFA is for forensics, and GCIH is for incident handling. These are just a few of those that are offered, and these are geared towards veteran infosec professionals who have already specialized in an area. If this sounds like you, these certs are the way to go.

Pros: The GIAC (SANS) organization is universally recognized as a top-notch training and certification organization. Any certification from them commands a decent degree of respect, and these specialized certs say to an employer or client that you are truly skilled at what you do.

GSE (GIAC Security Expert)
Sponsor: GIAC (SANS)
Difficulty: 10
Respectability: 10
Renown: 4

Requirements: Must have three (3) GIAC certifications (GSEC, GCIA and GCIH) with GIAC Gold in at least two; must pass a proctored GSEC exam with average scores of 80 on both tests; 23 hour onsite testing process consists of a mix of open book written exams, research, hands on exams, group work and an oral presentation.

Who: The GSE is for those who have literally mastered a number of areas within information security, have superior talent, have a love of difficult-to-attain credentials, and a lot of time on their hands.

Pros: If you encounter anyone who knows what all the exam involves, you’ll be instantly acknowledged as a world-class information security expert.

Cons: You aren’t likely to find any of those people. Plus, anyone with these skills doesn’t need the certification anyway.

It is very important to understand that there are a lot of certifications out there, there are some that are more technical than others. My perspective is manager wise. Most of the time managers get the better position within the company and better salary in the industry. My purpose for the CISSP is because it is required for most Chief of Information Security officer positions in the federal government and military. So the purpose of this blog is to accomplish that. I am hoping to get help and to help others and make this experience a good one.

Continue reading »]]> Security Architecture include models to follow to design a security oriented network infrastructure. They will depend on the need of security classification. Each model will be focus on a specific area of the security tria Confidentiality, Integrity and Availability.

Continue reading »]]> Cables

10Base5

50-ohm thick Coax

Thicknet

500 Meters

Bus

10Base2

50-ohm RG-58 A/U

Thinnet

185 Meters

Bus

10BaseT

Cat 3 UTP (or better)

100 Meters

Star

100BaseTX

Cat 5 UTP (or better)

100 Meters

Star

Gigabit Ethernet

Cat 6 UTP (or better)

Depends

Star

Category

Name

Speed

Network

Cat 1

Not suitable for data communications.

Cat 2

Not suitable for networks but may be used to connect terminals to mainframes.

Cat 3

10BaseT

10 Mbps

Ethernet

Cat 4

16 Mbps

Token Ring

Cat 5

100BaseTX

100 Mbps

Ethernet

Cat 6

Gigabit Ethernet

155 Mbps

Etnernet

Cat 7

1 Gbps

Ethernet

ACCESS MEDIA TYPES

Acess Media Cabling

Network Media Access Standards

Network Trnasmission Methods

Network Data Element Terms

IP Class Ranges / Reserved IPs

Class A

0.0.0.0   - 127.255.255.255

First byte (octet) = network

Remaining bytes (octets) = host

16 million

Blass B

128.0.0.0 - 191.255.255.255

First two bytes = network

65 thousand

Class C

192.0.0.0 – 223.255.255.255

First three bytes = network

254 usable

Class D

224.0.0.0 – 239.255.255.255

Used for multicast traffic

Class E

240.0.0.0 – 255.255.255.255

Reserved for future use

1.       169.254.255.255   -> APIPA (Automatically Private IP Addressing).

2.       127.0.0.1         -> Loopback.

3.       10.255.255.255    -> Private Addressing, Internal network.

4.       172.16-31.255.255 -> Private Addressing, Internal network.

5.       192.168.255.255   -> Private Addressing, Internal network.

Continue reading »]]>

Applications and Systems Development Security

This domain examines the security components within operating

systems and applications and how to best develop and measure their

effectiveness. This domain looks at software life cycles, change control,

and application security. Some of the other topics covered include:

• Data warehousing and data mining

• Various development practices and their risks

• System storage and processing components

• Malicious code

Cryptography

This domain examines methods and techniques for disguising data for

protection purposes. This involves cryptography techniques, approaches,

and technologies. Some of the topics covered include:

• Symmetric versus asymmetric algorithms and uses

• Public key infrastructure (PKI) and hashing functions

• Encryption protocols and implementation

• Attack methods

Security Architecture and Models

This domain examines concepts, principles, and standards for designing

and implementing secure applications, operating systems, and systems.

This covers international security measurement standards and their

meaning for different types of platforms. Some of the topics covered

include:

• Operating states, kernel functions, and memory mapping

• Security models, architectures, and evaluations

• Evaluation criteria: Trusted Computer Security Evaluation Criteria

(TCSEC), Information Technology Security Evaluation Criteria

(ITSEC), and Common Criteria

• Common flaws in applications and systems

• Certification and accreditation

Operations Security

This domain takes a look at controls over personnel, hardware, systems, and auditing and monitoring techniques. This also covers possible abuse

channels and how to recognize and address them. Some of the topics

covered include:

• Administrative responsibilities pertaining to personnel and job functions

• Maintenance concepts of antivirus, training, auditing, and resource protection activities

• Preventive, detective, corrective, and recovery controls

• Standards, compliance, and due care concepts

• Security and fault tolerance technologies

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

This domain examines the preservation of business activities when

faced with disruptions or disasters. This involves the identification of

real risks, proper risk assessment, and countermeasure implementation.

Some of the topics covered include:

• Business resource identification and value assignment

• Business impact analysis and prediction of possible losses

• Unit priorities and crisis management

• Plan development, implementation, and maintenance

Domain Description Laws, Investigation, and Ethics

This domain examines computer crimes, laws, and regulations. This

includes techniques in investigating a crime, gathering evidence, and

handling procedures. It also covers how to develop and implement

an incident-handling program. Some of the topics covered include:

• Types of laws, regulations, and crimes

• Licensing and software piracy

• Export and import laws and issues

• Evidence types and admissibility into court

• Incident handling

Physical Security

This domain examines threats, risks, and countermeasures to protect

facilities, hardware, data, media, and personnel. This involves facility

selection, authorized entry methods, and environmental and safety

procedures. Some of the topics covered include:

• Restricted areas, authorization methods, and controls

• Motion detectors, sensors, and alarms

• Intrusion detection

• Fire detection, prevention, and suppression

• Fencing, security guards, and security badge types

Continue reading »]]> SSL is a secure protocol used for transmitting private information over the Internet. It works by using a public key to encrypt data that is transferred over the SSL connection. SSL provides data encryption, server authentication, message integrity, and optional client authentication.

TLS – upgrade to SSL, resides on application layer and can secure other protocols/applications, such as SMTP, IMAP, POP3, and HTTP.

SET (Secure Electronic Transaction) protocol originated by VISA and MasterCard as an Internet credit card protocol using digital signatures; makes USE of an electronic wallet on a customer’s PC and sends encrypted credit card information to merchant’s Web server, which digitally signs it and sends it on to its processing bank. It is comprised of three different pieces of software, running on the customer’s PC (an electronic wallet), on the merchant’s Web server and on the payment server of the merchant’s bank. The credit card information is sent by the customer to the merchant’s Web server, but it does not open it and instead digitally signs it and sends it to its bank’s payment server for processing.

SSH (Secure Shell) functions as a type of tunneling mechanism that provides terminal like access to remote computers.

SSH-2 is a secure, efficient, and portable version of SSH (Secure Shell) which is a secure replacement for telnet.

SLIP (Serial Line Internet Protocol) supports ONLY IP over a serial link. SLIP (Serial Line IP) was developed in 1984 to support TCP/IP networking over low-speed serial interfaces.

PPP (Point-to-Point Protocol) was designed to support multiple network types over the same serial link, just as Ethernet supports multiple network types over the same LAN. PPP replaces the earlier Serial Line Internet Protocol (SLIP) that only supports IP over a serial link.

CRAM (Challenge-Response Authentication Mechanism) is an authentication mechanism for IMAP4 where a client uses a keyed hash to authenticate itself to an IMAP4 server.

Authentication protocols used with remote access:

PAP (Password Authentication Protocol) – 2-way handshake in clear text that can be used in PPP.

CHAP (Challenge Handshake Authentication Protocol) – 3-way handshake, 1-way hash, Microsoft uses. Authentication mechanism for point-to-point (PPP) protocol connections that encrypt user’s password. Uses a randomly-generated challenge and requiring a matching response that depends on a cryptographic hash of the challenge and a secret key.

EAP (Extensible Authentication Protocol) – A framework that supports multiple, optional authentication mechanisms for PPP, including cleartext passwords, challenge-response, and arbitrary dialog sequences. Intended for use primarily by a host or router that connects to a PPP network server via switched circuits or dial-up lines. Implements MD5-challenge, S/Key, generic token card, & digital certs.

Most common VPN communication protocol standards:

PPTP is an encapsulation protocol (tunneling protocol), based on PPP, operates at the data link layer (layer 2) of the OSI model and enables only a single point-to-point connection per session, usually between client and server. PPTP uses native PPP authentication and encryption services, and asynchronous and synchronous links; while PPTP depends on IP to establish its connection, as currently implemented, PPTP encapsulates PPP packets using a modified version of the generic routing encapsulation (GRE) protocol, which gives PPTP to the flexibility of handling protocols other than IP, such as IPX and NETBEUI over IP networks. Disadvantages: It is able to only handle IP networks, (exp: IPX, or Netbeui over IP), it does not provide strong encryption, and it does not support any token-based authentication method for users.

L2TP operates at the data link layer (layer 2) of the OSI model and enables only a single point-to-point connection per session. L2TP is a combination of PPTP and the earlier Layer 2 Forwarding protocol (L2F). L2TP is derived from L2F and PPTP

L2F (Layer 2 forwarding).

IPSec operates at the network layer (layer 3) and enables multiple simultaneous tunnels.

ARP (Address Resolution Protocol) is used to match an IP address to an Ethernet address so the packet can be sent to the appropriate node. ARP does the opposite of RARP by broadcasting a request to find the Ethernet address that matches a known IP address.

RARP is used to match an Ethernet address to an IP address. RARP protocol sends out a packet, which includes its MAC address and a request to be informed of the IP address that should be assigned to that MAC address. When a station communicates on the network for the first time, RARP searches for and finds the Internet Protocol (IP) address that matches with the known Ethernet address.

ARP and RARP map between 32-bit addresses in IPv4 and 48-bit hardware addresses. IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. The physical machine address is also known as a Media Access Control (MAC) address.

ICMP is a management protocol whose function is to send message between network devices. Routing tables are used by routers to choose the appropriate interface to route packets. ICMP supports packets containing error, control, and informational messages (e.g. PING).

UDP runs over IP and is used primarily for broadcasting messages over a network.

Both TCP and UDP use port numbers of 16 bits, which allows for a port number from 1 to 65535. (the binary representation would be 1 for 65535)

TCP Wrappers

Is limited – it can’t control access to running UDP servers, but can only control when a UDP server starts, because UDP packets can be sent randomly.

Acts as an ACL restricting packets so would not confuse a proxy server because the packets would not arrive and would not be a limitation.

Is considered open source (free), with a BSD licensing scheme.

PAT (Port Address Translation) is a type of NAT (Network Address Translation) that is the most convenient and secure solution.

TFTP (Trivial File Transfer Protocol) is sometimes used to transfer configuration files from equipments such as routers but the primary difference between FTP and TFTP is that TFTP does not require authentication. Speed and ability to automate are not important.

DNS relies on connectionless UDP whereas services like FTP, Telnet and SMTP rely on TCP.

SKIP is a key distribution protocol that uses hybrid encryption to convey session keys that are used to encrypt data in IP packets.

ISAKMP is an Internet IPsec protocol to negotiate, establish, modify, and delete security associations, and to exchange key generation and authentication data, independent of the details of any specific key generation technique, key establishment protocol, encryption algorithm, or authentication mechanism.

IKE is an Internet IPsec protocol for key-establishment protocol (partly based on OAKLEY) that is intended for putting in place authenticated keying material for use with ISAKMP and for other security associations, such as in AH and ESP.

KEA (Key Exchange Algorithm) is defined as a key agreement algorithm that is similar to the Diffie-Hellman algorithm, uses 1024-bit asymmetric keys, and was developed and formerly classified at the secret level by the NSA.

Protocols Related to Email

IMAP4 (Internet Message Access Protocol, version 4) is an Internet protocol by which a client workstation can dynamically access a mailbox on a server host to manipulate and retrieve mail messages that the server has received and is holding for the client. IMAP4 has mechanisms for optionally authenticating a client to a server and providing other security services.

MIME is the Multi-Purpose Internet Mail Extension; it extends the format of Internet mail to allow non-US-ASCII textual messages, non-textual messages, multipart message bodies, and non-US-ASCII information in message headers.

S/MIME is a standard for encrypting and digitally signing electronic mail and for providing secure data transmissions.

SMTP (Simple Mail Transfer Protocol) is a TCP-based, application-layer, Internet Standard protocol for moving electronic mail messages from one computer to another.

PEM (Privacy Enhanced Mail) is an Internet protocol used to provide data confidentiality, data integrity, and data origin authentication for electronic mail.

Continue reading »]]> This Model should be learned and memorized, if asked you should not have to think about them. These links will guide you to their wikis for easy study access.