Internet Sicherheit 2 by Mind Map: Internet Sicherheit 2

Internet Sicherheit 2

Risk Management
Assets (Information)
27005, Information security risk management

27001, risk identification, risk assessment, Failure Mode and Effects Analysis, Hazard and Operability Study, Hazard Analysis and Critical Control Points, Zurich Hazard Analysis, risk matrix, impact x probability of occurrence, NIST - Risk Management Guide for Information Technology Systems, risk treatment, avoid, reduce, transfer, retain, risk monitoring, reporting

27002, from BSI UK

British Standards Institute

BS 25999 (BCM), Analysis, Solution Design, Implementation, Testing and organization acceptance, Maintenance

BSI Grundschutzhandbuch

Layers, applications, cross-cutting aspects, infrastructure, IT systems, networks

Threat catalogue, force majeure, lightning, storms, fire, water, illness, technical failure, failure of components (disk, power), organisational shortcomings, unclear responsibilities, human error, errors when applying patches, disclosure to the wrong persons (social engineering), confidential information discussed on the train, deliberate acts, hacking, vandalism, introducing malware

Safeguards catalogue, infrastructure, hardware/software, communication, organisation, personnel, contingency planning

Server Side Security

Open Web Application Security Project (OWASP)

1. Injection, SQL Injection, ' OR 1 = 1', Countermeasures, escaping, prepared statements (Java), parameter collection (.NET)

2. Cross-Site Scripting (XSS), Reflected XSS, link sent to the victim containing JS code, Stored XSS, data stored (forum)

3. Broken Authentication and Session Management, Verbose login forms (Username is wrong), Session-IDs stored in server logs, Prevention, Send session id over HTTPS only, Use restrictive cookie parameters, Use non-persistent session tracking techniques, Non-guessable session ids, Provide a logout button for users, Change Session after successful authentication

4. Insecure Direct Object Reference, Access to lower layer/backend with a technical user, access to restricted sites

5. Cross-Site Request Forgery (XSRF), Prevention, nonce for special actions (buy, sell ...)

6. Security Misconfiguration, Telling about system (exposing details)

7. Insecure Cryptographic Storage, e.g. passwords stored in cleartext, using own "security algorithms", keys/salt publicly available, hash=SHA-256(password + salt) => store hash, salt

8. Failure to Restrict URL Access, Pages with admin actions are not or weakly protected, Access to pages, which aren't allowed with the logged in profile, evaluating user rights only on the client, Prevention, Input Validation, Server Hardening

9. Insufficient Transport Layer Protection, Vulnerabilities, SSL/TLS missing, Weak SSL version enabled (SSLv2), Weak cipher suites enabled (e.g. NULL cipher), Invalid server certificate, Weak server certificate, Remediation, Enable SSL/TLS to protect session information, Enable SSLv3, TLSv1 only, Enable strong cipher suites only (SHA-1 in combination with AES-128+), Acquire publicly trusted server certificate, Ensure certificate key material has at least 2048 bits

10. Unvalidated Redirects and Forwards, Prevention, Validate parameters containing redirect URLs, Use "symbols" for redirections which get mapped to URLs server-side, Prefix URL with / to get a URL relative to the current site

OWASP Enterprise Security API (ESAPI)
Open Source Security Testing Methodology Manual

Network security, less application security

Approach, quantifiability / RAV (Risk Assessment Value), code of conduct for testers, Security Test Audit Report, documentation, completeness and accuracy, compliance with laws and standards, certification option

Components, Physical Security, Human, Spectrum Security, Wireless, Communications Security, Data Networks, Telecommunications

Definition Security Test Scope, Assets/Targets Definition, Areas of interactions, External impacts on assets, Interactions of asset with itself and outside, Equipment needed for test, Expected results of the test, Compliance with rules of engagement

True Random Number Generation
Key Stroke Timing

Mouse Movements

Sample Sound Card Input, verify entropy, but pretty good in combination with other methods

Network Packet Arrival Time, can be manipulated

Serial numbers, very, very bad idea, can be guessed / calculated

Lava Lamps

Radioactive Decay

3F00 MF, Root Directory

0000 EF, Pin & Puk #1

0100 EF, Pin & Puk #2

0011 EF, Management Keys

0001 EF, Application Keys
Public Key based login

SSL/TLS client side authentication
VPN User/Host authentication

Voice-over-IP Security

Securing the media stream

SRTP, needs secret master key, Multimedia Internet KEYing

IPsec, IKE, large overhead in RTP audio packet, 60 - 80 bytes / packet
Diffie Hellman

RSA Public Key Encryption Method
Mix Functionality

Drop message duplicates, delete packets that arrive twice, since otherwise packets can be traced

Decryption, the server must unwrap the packet with its private key to determine the next hop and re-encrypt it with the correct key

Message re-sorting buffer, intended to prevent timing analysis attacks, packets leave the hop in random order

Buffer Overflows

Software Security

Web Services Security

Client Side Security