Legal security: Compliance with the law, awareness of the law.
What an asset is: Everything and everybody forming part of an information system.
What a threat is: A potential violation of security.
What a vulnerability is: The likelihood of a threat becoming a reality.
What a risk is: Threats and vulnerabilities of an asset. Probability × Impact.
What a countermeasure is: A mechanism or procedure to reduce risk.
What an impact is: The effect of a failure to preserve CIA (confidentiality, integrity, availability).
Categories of computer crime and abuse: Fraud, hacking, invasion of privacy, sabotage, theft, piracy, private work, virus, DoS, illegal content.
Cyber-dependent crimes: A computer or other form of ICT is required to commit the crime.
Cyber-enabled crimes: A crime that is facilitated by ICT.
Key incident types: Malware infection is the most common.
Hackers and crackers: Hackers are explorers; crackers are malicious.
Types of malware: Virus (non-autonomous program that replicates itself by infecting data), worm (autonomously replicates and spreads through systems and networks), Trojan horse (program or data containing hidden functionality), spyware (gathers information about users).
Dimensions of malware behavior: Infection (how and where users are likely to get it), payload (what the malware does), defense (how well it can hide and protect itself).
Authentication methods: Passwords (something the user knows), cards / tokens (something the user has), biometrics (something the user is).
Digital Forensics
ACPO guidelines for digital forensics: Data shouldn't be changed if it is being used as evidence in court. If the original data is to be accessed, the person accessing it should be competent and should explain the implications and relevance of their actions. An audit trail or record of all processes applied to the evidence should be created. An independent third party should be able to follow the record and achieve the same result. The person in charge of the investigation is held responsible for procedures being followed.
Lab requirements: Compliance with procedures, chain of custody, secure handling and storage of original data, ensuring screens aren't viewable by others, a physical building that complies with security requirements.
Acquisition: Preservation of data, documentation, order of volatility, write blockers.
Examination / Analysis: Dead analysis for preservation of data, forensic tools for live analysis, ignore FS characteristics to inspect the registry, meta-files, pagefile.sys (RAM), INFO2 (Trash). File signature analysis, hidden folders, hash checking, data carving, pattern matching, indexing.
Cryptography: Transformation of information into an encrypted form.
Data communication threats: Interception (affects confidentiality), modification (affects integrity), blocking (affects availability).
Cryptography
Cryptographic techniques: Transposition (symbols in the plaintext are moved into different positions in the ciphertext). Substitution (symbols are replaced with different ones). Concealment (additional symbols are placed to conceal the content).
One-time pad: The key is at least as long as the plaintext. Each end has an identical pad. Cannot be broken. Difficult to use, as a large amount of key material is consumed. Data integrity isn't provided.
Asymmetric cryptography: Public / private key pair.
One-way hash: Creates a "fingerprint" of data through a checksum.
Message Authentication Codes (MAC): Key-dependent one-way hash function. Provides authenticity, but not confidentiality. Can be used to ensure files haven't been modified.
Cryptanalysis: Recovering plaintext from ciphertext without the key.
Monoalphabetic Cipher: A monoalphabetic substitution cipher, also known as a simple substitution cipher, relies on a fixed replacement structure. That is, the substitution is fixed for each letter of the alphabet. Thus, if "a" is encrypted to "R", then every time we see the letter "a" in the plaintext, we replace it with the letter "R" in the ciphertext.
Polyalphabetic Cipher: A polyalphabetic substitution cipher uses multiple alphabets systematically to encrypt plaintext. So instead of each letter being mapped to a single fixed replacement, as in a monoalphabetic substitution cipher, the alphabet changes at an interval. Most commonly, this change was noted with a capital letter, so each time a capital letter was found in the ciphertext, it meant the alphabet being used had changed.
Networks
Application layer: HTTP / DNS.
Transport layer: TCP / UDP.
Network layer: IP.
Link layer: Ethernet / Wireless.
Network edge: End systems, access networks, links.
Network core: Packet switching, internet structure. Interconnected routers, a network of networks. Routing (determines the source-destination route taken by packets), forwarding (moves packets from a router's input to the appropriate output).
Performance: Delay, loss, throughput (rate at which bits transfer between sender and receiver).
Hosts: End systems running network apps. Clients and servers.
Communication links: Fiber, copper, radio, satellite.
Transmission rate: Bandwidth.
Packet switches: Forward packets (data) through routers and switches.
Internet: Network of networks with interconnected ISPs.
Protocols: Control the sending and receiving of data. Define the format and order of data sent and received among network entities, and the actions taken on message transmission or receipt. There are protocol layers and service models.
Internet standards: RFC, IETF.
Services: Web, VoIP, email, games etc.
Interfaces: Hooks, APIs etc.
Physical media: Bit (propagates between transmitter / receiver pairs), physical link (what lies between transmitter and receiver), guided media (copper, fiber, coax), unguided media (radio), twisted pair (two insulated copper wires).
Loss and delay: Packets queue in router buffers. If the arrival rate exceeds the output capacity, a queue forms, leading to delay. If no free buffers are available, packets are dropped, causing loss. The lost packet might be retransmitted by the previous node, by the end system, or not at all.
Sources of packet delay: Processing, propagation, queuing, transmission. Nodal delay = the sum of all four.
Processing delay: Checking for bit errors and determining the output link; typically less than a millisecond.
Queuing delay: Time waiting at the output link for transmission. Depends on the congestion level of the router.
Transmission delay: Packet length (bits) divided by link bandwidth (bits per second).
Propagation delay: Length of the physical link divided by the propagation speed.
Response Time / Round Trip Time (RTT): "Length of time it takes for a signal to be sent plus the length of time it takes for an acknowledgement of that signal to be received."
Bottleneck link: The link on the end-to-end path that constrains the throughput.
Internet protocol stack: Application (supporting network applications: FTP, SMTP, HTTP), Transport (process-to-process data transfer: TCP, UDP), Network (routing of datagrams from source to destination: IP, routing protocols), Link (data transfer between neighboring network elements: Ethernet, WiFi), Physical (bits on the wire).
ISO/OSI reference model (layers): Application, presentation, session, transport, network, link, physical. The Internet stack doesn't have the session (synchronization, checkpointing, recovery of data exchange) and presentation (allows applications to interpret the meaning of data) layers.
Application Layer
Network apps: Run on different end systems and communicate over the network, e.g. a server communicates with a browser. Network core devices don't run user applications.
Server: Always-on host. Static IP. Usually in a data center.
Clients: Communicate with the server. Intermittently connected. Dynamic IP. Do not communicate directly with each other.
P2P architecture: No server. Clients (peers) communicate with each other. Peers provide service to one another. Self-scalability, as new peers bring new service capacity. Peers can have dynamic IPs.
Process: A program running within a host. Processes can communicate using inter-process communication as defined by the OS. Processes in different hosts communicate via messages. A process must have an identifier to receive messages; the identifier includes both the IP address and the port number associated with it.
Client process: Initiates communication.
Server process: Waits to be contacted.
Sockets: Processes send and receive messages to and from their sockets.
Data integrity: Some apps require reliable data transfer, others can tolerate loss.
Timing: Some apps require low delay to be effective.
Throughput: Some apps require a minimum amount of throughput to be effective.
Security: Encryption, data integrity etc.
TCP: Reliable, flow control, congestion control (throttling), no timing or throughput guarantee, connection-oriented.
UDP: Unreliable, no flow control, no congestion control, no timing or throughput guarantee, no security. Used by DNS.
App-layer protocols: Define the types of messages (request, response), syntax (fields in messages), semantics (meaning of the information in the fields), and rules for when and how processes send and respond to messages.
Open protocols: Defined in RFCs, allow for interoperability; HTTP, SMTP etc.
Proprietary protocols: Skype etc.
HTTP: The Web's application layer protocol. Client-server model. The client uses TCP to initiate a connection to the server on port 80. The server accepts the connection and HTTP messages are exchanged between client and server. The connection is then closed. HTTP is stateless, meaning the server maintains no information about past client requests.
HTTP connections: Non-persistent HTTP (at most one object sent over a TCP connection), persistent HTTP (multiple objects sent over a single connection).
RTT: Round-trip time. Time for a packet to travel from client to server and back.
HTTP response time: One RTT to initiate the connection, one RTT for the request to go out and the response to return, plus the file transmission time. Total: 2 RTT + file transmission time.
POST / GET methods: POST uploads input in the body of the request. GET uploads input in the URL field of the request.
Method types: HTTP/1.0 (GET, POST, HEAD; HEAD asks the server to leave the requested object out of the response). HTTP/1.1 (GET, POST, HEAD, PUT, DELETE; PUT uploads a file in the body of the request to the path specified in the URL field, DELETE deletes the file specified in the URL field).
HTTP response codes: 200 OK (request succeeded, requested object provided). 301 Moved Permanently (requested object has moved, new location provided). 304 Not Modified (requested content has not been modified). 400 Bad Request (request message not understood). 404 Not Found (requested object was not found). 505 HTTP Version Not Supported.
Conditional GET: Check the cache for the object; if it exists and the copy on the server hasn't been modified since the cached one, use the cache.
DNS (Domain Name System): Distributed database implemented in a hierarchy of many name servers, used to convert hostnames to IP addresses. The database is divided by top-level domain (TLD) servers, such as .com, .org, .net etc. Authoritative DNS servers are maintained by an organization or service provider for its internal hosts.
Iterated query: The DNS server replies with another server's address if it can't find the requested hostname's IP.
Recursive query: The DNS server has to resolve the hostname itself.
DNS record: Name, value, type, TTL. The type can be A (name is a hostname, value is its IP), CNAME (name is an alias for the real name, value is the real name), NS (name is a domain, value is the hostname of the authoritative DNS server), MX (value is the name of the mail server associated with name).
DNS protocol messages: Query and reply messages share the same format. The message header has an identification field (16-bit number for the query; the reply uses the same number) and flags (query or reply, recursion desired, recursion available, reply is authoritative).
Transport Layer
Services: Provide logical communication between app processes running on different hosts. Protocols run in end systems (the send side breaks messages into segments and passes them to the network layer; the receive side reassembles the segments into messages and passes them to the app layer). More than one transport protocol is available to apps (the Internet uses TCP and UDP).
Transport layer vs network layer: The network layer provides logical communication between hosts; the transport layer provides logical communication between processes, and relies on and enhances network layer services.
Multiplexing and demultiplexing: The sender handles data from multiple sockets and adds a transport header. The receiver uses the header info to deliver received segments to the correct socket.
Demultiplexing: The host receives IP datagrams (each contains a source IP, a destination IP, and one transport-layer segment; each segment has a source port number and a destination port number). The host uses the IP addresses and port numbers to direct the segment to the appropriate socket.
Socket API: Used by server and client to exchange messages over the network using TCP or UDP.
Connection-oriented demultiplexing: A TCP socket is identified by a 4-tuple (source IP, source port, destination IP, destination port). The receiver uses all four values to direct a segment to the appropriate socket. A server host may support many simultaneous TCP sockets, each identified by its own 4-tuple. Web servers have a different socket for each client; non-persistent HTTP has a different socket for each request.
UDP checksum: Used to detect errors (like flipped bits) in a segment. The sender puts the checksum of the segment contents into the UDP checksum field. The receiver checks whether the checksum sent matches the checksum it computes.
TCP overview: Point-to-point (one sender, one receiver), reliable (in-order byte stream, so no message boundaries), pipelined (TCP congestion and flow control set the window size), full-duplex data (bi-directional data flow in the same connection; maximum segment size, or MSS), connection-oriented (handshaking), flow-controlled (throttling so the sender doesn't overwhelm the receiver).
TCP flags: FIN (gracefully terminate a connection). SYN (establish a new session). RST (abort a session). PSH (push data). ACK (acknowledge receipt of data). URG (urgent data being sent).
TCP sequence numbers: The sequence number is the byte-stream number of the first byte in the segment's data; the acknowledgement number is the sequence number of the next byte expected from the other end (cumulative ACK). The initial sequence number is randomly generated; each subsequent sequence number is the current one plus the segment length.
TCP connection: Established with a three-way handshake (client sends the server a SYN, server replies with SYN and ACK, client sends an ACK).
TCP data transfer: Creates a reliable transfer service on top of IP's unreliable service. Pipelined segments, cumulative ACKs, a single retransmission timer. Retransmission is triggered by timeout events or duplicate ACKs. There is usually a long delay before a lost packet is resent on timeout; if duplicate ACKs arrive, the sender knows a segment was lost.
TCP timeout: Longer than the RTT. If it's too short, unnecessary retransmissions occur due to premature timeouts. If it's too long, the reaction to segment loss is too slow. EstimatedRTT = (1 - a) * EstimatedRTT + a * SampleRTT, where a is usually 0.125 and SampleRTT is the measured time from segment transmission until ACK receipt. TimeoutInterval = EstimatedRTT + 4 * DevRTT, where DevRTT is the deviation of SampleRTT from EstimatedRTT: DevRTT = (1 - b) * DevRTT + b * |SampleRTT - EstimatedRTT|, where b is usually 0.25.
TCP flow control: The receiver side of a TCP connection has a buffer. The receiver window is the amount of free space in the buffer. Data comes in from IP, goes into the buffer, and is then delivered to the application process. The window equals the total buffer size minus the difference between the last byte received and the last byte read. The receiver tells the sender how much free space there is by including the receiver window (RcvWindow) in the segment. The sender limits its unACKed data to the receiver window size so the buffer doesn't overflow.
TCP congestion control: Congestion is too many sources sending too much data too fast for the network to handle. Different from flow control. Causes lost packets (buffer overflow at routers) and long delays (queuing in router buffers). Two mechanisms: additive increase (increase the congestion window by 1 maximum segment size every RTT until loss is detected) and multiplicative decrease (cut the congestion window in half after loss). The sender limits its transmission.
TCP sending rate: Send a congestion window's worth of bytes, wait one RTT for ACKs, then send more. So the rate is the congestion window divided by the RTT, measured in bytes per second.
TCP slow start: When a connection is established, increase the rate exponentially until a segment is lost. Initially the congestion window is 1 maximum segment size; it is doubled every RTT by incrementing the congestion window for every ACK received. So the initial rate is slow but ramps up exponentially fast; this is an aggressive approach. There is a threshold; on a timeout it is set to half the congestion window. When the congestion window is greater than or equal to the threshold, congestion avoidance kicks in and the congestion window grows linearly, which is a more conservative approach.