Professional Documents
Culture Documents
https://www.linkedin.com/learning/it-security-careers-and-certifications-first-steps/government-fisma
SSCP Page 1
Security Fundamentals
Thursday, December 28, 2017 07:47
Least Privilege
- Grant user minimal access to resources required to perform his job
Separation of Duties
- Prevent fraud by ensuring that no single person has complete control over a process
Privacy
- PII - Personally Identifiable Information
○ Persons name, social security number, birthdate, etc.
- PHI - Protected Health Information
○ Medical and health history
- Strong encryption, authentication
Defense in Depth
- Several layers of security
- Combination of multiple controls on several layers
SSCP Page 2
- Combination of multiple controls on several layers
Nonrepudiation
- Party cannot deny taking an action
- Audit logging, digital signatures
- e-commerce transactions
○ Credit card + signature
AAA
- Authentication
○ Verifies the credentials
○ Three types of factors
Something you know, something you have, something you are
- Authorization
○ Assigned rights and permissions to resources
- Accounting
○ Tracking activity of a user
- Users must be identified by accounts
Accountability
- If a system can track activity of an individual system, it provides accountability
Due Diligence
- Refers to investigative steps taken prior to taking on something new
- Identify risks that can result in the loss of CIA
- Risk cannot be eliminated
○ Management decides which risks to mitigate
Due Care
- Practice of implementing security policies and practices to protect resources
- Ensures that certain level of protection is applied
- Due negligence - being irresponsible with level of implemented security
SSCP Page 3
Access Controls
Thursday, December 28, 2017 08:52
Authentication
- Typically username/password
- 3 different factors
○ Something you know
Password, PIN, personal questions, etc.
○ Something you have
Smart cards, HW & SW tokens, proximity cards, etc.
○ Something you are
Biometrics
Something you know
- Static password - stays the same over a period of time
- One-time/dynamic password - used only once per session
- Cognitive password - personal challenge questions -> name of the first pet, favorite color
- Passphrase - long string of characters with some meaning
SSCP Page 4
○ Can be fooled easily
- Palms - palm scanner can measure the vein pattern using infrared scanner
- Retina - scan pattern of blood vessels a the back of the eye
- Iris - lighting can affect iris scans
- Behavioral biometrics
○ Keystroke dynamics, handwriting analysis
○ Not reliable
- Can be used for authentication as well as for identification
- Biometric Error Rates
○ FRR (False Rejection Rate) - percentage of times the system falsely rejects known user
○ FAR (False Acceptance Rate) - percentage of times the system falsely identifies unknown user as known
○ CER (Crossover Error Rate) - the point where FAR and FRR of the system are equal
Lower CER, the better the system
Multifactor Authentication
- Two or more factors for authentication
- Smartcard + PIN
- Fingerprint + password
- HW token + username/password
Identification
- Username, biometrics, face recognition
SSCP Page 5
○ Authentication Service (AS)
○ Ticket-Granting Service (TGS)
○ When a user logs into the system, the AS verifies her identity using the credentials stored in AD. The user is then issued a
Ticket-Granting Ticket (TGT) by the AS, which can be used to access resources throughout the domain. The TGT expires after a
certain amount of time, so it must be periodically reissued. When a user wants to access a resource in the domain, the TGT is
presented to the TGS for authentication and the TGS generates a session key for the communications session between the
user and the resource server. This is known as a service ticket and is used for the duration of the access to the resource.
When a user later needs access to the same or a different resource, the older ticket is not reused and a new service ticket i s
generated.
○ uses both TCP and UDP ports 88, and it uses symmetric key cryptography
- Federated Access
○ Allows users in different networks to log on only once and use multiple systems managed by different organizations
○ Federated SSO systems share information via federated database
○ Includes identity information needed by each of the sites
○ Does not include passwords
- SAML
○ open standard that uses XML as its markup language format
○ standardized method of transferring information about authenticating users to an authentication service
○ passing authentication information between services
○ uses three types of information
○ principal - authenticating user
○ identity provider - entity authenticating the user
○ service provider - entity who must accept the authentication
○ web-based single sign-on
○ Provides SSO for web-based application servers
- SESAME
○ Secure European System for Applications in a Multivendor Environment
○ Alternative to Kerberos for EU
- KryptoKnight
○ IBM alternative to Kerberos
○ Rarely used
Offline Authentication
- In Windows, system caches credentials
- When user wants to login but is offline to the AD, system authenticates user based on cached credentials
- User can only access resources on local system
Device Authentication
- Prevent unauthorized devices from accessing the network (BYOD)
- MAC address filtering - easy to bypass
- Device fingerprinting
○ OS version, IP address, browser, fonts, plug-ins, storage, resolution, cookies, etc.
SSCP Page 6
Access Control Models
- Discretionary Access Control (DAC)
○ Granular level of access control
○ NTFS, NFS
○ Users have ownership of the data and can have full control over it
○ Uses DACLs
SSCP Page 7
○
○ Bell-LaPadula
Enforces confidentiality - unauthorized personnel cannot access the data
Simple security property rule - no read up
Subjects granted access to any security level may not read and object at higher security level
The star * property rule - no write down
Subjects granted access to any security level may not write to any object at a lower security level
○ Biba
Enforces integrity - unauthorized data modifications
Simple Integrity Axiom - no read down
Subjects granted access to any security level may not read an object at a lower security level, at least not as the
authoritative source
The * Integrity Axiom - no write up
Subjects granted access to any security level may not write to any object at higher security level
○ Clark-Wilson
Primary focus on integrity
Uses certification rules (C1-C5) and enforcement rules (E1-E4) to enforce separation of duties
○ Chinese Wall (Brewer-Nash)
Prevent conflict of interest and enforce separation of duties
Data is classified using different conflict-of-interest classes
If subject has access to data in one class, he/she cannot access data in a conflicting areas
SSCP Page 8
○ Guards
○ Locked doors
○ Alarm systems
○ Cameras and CCTVs
○ Facilities
- Personnel should prevent tailgating
○ Someone follows someone through controlled entry point without providing credentials
SSCP Page 9
Basic Networking and Communications
Monday, February 5, 2018 08:26
OSI Model
- Segment (datagram) -> packet -> frame -> bits
- Physical layer
○ Cabling, hubs, repeaters, wireless radio waves
○ Security -> protecting access to network
e.g. against connecting sniffer
○ Coax, UTP, STP, wireless - easy to tap in
○ Fiber - harder to tap in
- Data link layer
○ 2 sublayers
MAC sublayer - defines MAC addresses
Logical Link Control
○ Spoofing MAC address
○ Frames
○ May include ordered delivery and error correction features
- Network Layer
○ IP
○ ACLs - basic packet filtering
- Transport Layer
○ End-to-end communication services
○ Error detection and recovery mechanisms
○ TCP
Connection-oriented, reliable, guaranteed delivery
SYN, SYN-ACK, ACK
SYN flood attack - DoS
○ UDP
Connectionless
TFTP
- Session Layer
○ Establishes and maintains sessions between applications
○ RPC - Remote Procedure Call
- Presentation Layer
○ Standardizes data presentation for application layer
○ Encryption, decryption, compression, decompression
- Application Layer
○ Support many security features
Authentication, access control, encryption, hashing, digital signatures, etc.
Network Topologies
- Ethernet
○ CSMA
Collision Detection - if collision occurs, all devices are alerted and muted for a while
□ Required only in half duplex communication
Collision Avoidance - listen before transmitting data, Request to Send -> Clear to Send
□ Used in 802.11 networks
- Bus
SSCP Page 10
○
- DHCP
○ Discover -> Offer -> Request -> Ack
- ARP
○ IP to MAC
○ RARP
○ BootP - allows diskless client with MAC address to get an IP and retrieve a bootable ISO
- NDP
○ ARP in IPv6
○ Automatic node configuration, discovery, locate routers, DAD
- DNS
○ Name to IP address
○ Hierarchical system, distributed databases
○ 13 root servers
○ Different types of records
A record - resolves host name to IP address
PTR record - resolves IP address to a hostname
MX record - identifies mail server
SSCP Page 11
MX record - identifies mail server
CNAME record - allows system to be known by different names
○ BIND - DNS on UNIX
○ UDP 53 - client query for name resolution
○ TCP 53 - query between DNS servers
- ICMP
○ Can be used in DoS attacks, should be blocked
- IGMP
○ IPv4 multicast
- SNMP
○ Manage network devices
○ Can send traps or process gets for stats
○ V1 and v2 have security flaws
○ V3 uses encryption, verifies integrity and includes authentication
○ SNMP agents receive data on UDP 161 and send traps on UDP 162
Can use TLS - TCP 10161 and 10162
- FTP
○ Transfer files
○ Authentication in form of username or password
○ TCP 20 and 21
○ TFTP
UDP 69
Does not support authentication
○ Transfer of data in clear text
○ SFTP - uses SSH to encrypt FTP traffic
- Telnet
○ TCP 23
○ Data in cleartext, including credentials
- SSH
○ TCP 22
○ Encryption protocol, provides secure session
○ Can be used to encrypt other protocol traffic - FTP, SCP
○ Uses asymmetric and symmetric encryption
- HTTP/HTTPS
○ HTTPS uses SSL/TLS
TLS is replacement for SSL
TCP 443
- TLS/SSL
○ Used for encryption of other protocols
○ TLS is replacement for SSL
○ Operations performed on 3 layers
Transport layer - initial connection
Session layer - handshake protocol within TLS, negotiating details for TLS session
Application layer - TLS Record Protocol, provides confidentiality and integrity
- NFS
○ Network File System
○ Access and share files across the network
SSCP Page 12
- IPSec
○ AH (no encryption, protocol number 51), ESP (protocol number 50)
Private IP addresses
- Not routable on the Internet
- 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- IPv6 - fc00::/7
NAT
- On router or proxy server
○ Static - one-to-one private public IP address static mapping
○ Dynamic - first-come first-served basis for mapping Ips in pool
○ PAT - multiple private Ips to single public IP
Trust Relationship
- One-way
○ Allows subject in one domain to access resources in other domain, vice versa does not work
- Two-way
○ Both domains trust each other, vice versa trust
- Transitive trust
○ A trusts B and B trusts C => A trusts C
- Trust does not mean automatic rights, those still need to be assigned
WIRELESS
Security
- Radio waves are easily captured by attacker
○ In NIC promiscuous mode
- WEP
○ Obsolete
- WPA
○ Easy to crack passphrase
- WPA2
○ 802.11i
○ Support Counter Mode with CCMP
○ Supports TKIP and AES encryption
○ Personal
Uses pre-shared key
SSCP Page 13
Uses pre-shared key
Symmetric encryption
- Change wireless router default access
- SSID - can't be longer than 32 characters
○ Broadcast or hide
Even if hidden, SSID can be sniffed
- MAC filtering
○ Allow only specific MACs to connect to wifi
○ MAC can be easily spoofed
- Bluetooth
○ PAN
○ Attacks
Bluesnarfing - pair with BT enabled smartphone and can access data on device
Bluebugging - access the phone and issue specific commands (call forwarding, send
messages, etc.)
Bluejacking - send unsolicited messaged to nearby Bluetooth devices
- GSM
○ 2G, 3G (3Mbps, HSPA), LTE and 4G (100Mbps in speed, 3Gbps walking), 5G (2020)
- WiMAX
○ 802.16
○ Broadband wireless coverage to MANs
○ 30 miles, up to 40Mbps
- RFID
○ Radio Frequency Identification
○ RFID tag can be read by reader
Active - with battery, always transmitting
Passive - reader excite electronics on tag and cause it to transmit information
- NFC
○ Near Field Communication
○ Transmitting only in short distances
- Protecting Mobile Devices
○ Password - PIN, pattern
○ Encryption - encrypt data
○ Remote wipe - send command to remotely wipe device data
○ GPS - can be used to locate lost device
SSCP Page 14
Advanced Networking and Communications
Wednesday, February 7, 2018 09:18
LAN Security
- Segmentation on L2 - VLAN or router
○ Divide broadcast domains
○ Security, performance, reduced cost
- Secure device management
○ Strong physical security
○ Traffic mirroring - SPAN, RSPAN, ERSPAN
Telecommunications
- Data at transit are always at risk
- Internet connections
○ PSTN - dial-up lines, 50kbps
○ ISDN - circuit-switched telephone network, 120kbps
○ DSL - over telephone networks, up to 40 mbps
○ Cable modem - broadband Internet access, usually 4mbps
○ Cellular - 3g, 4g, hotspot
○ Satellite - in rural areas, unstable
- VoIP
○ SRTP - Secure RTP
Confidentiality, message authentication, replay protection
AES for encryption and salting to protect against offline attacks
□ Adds bits to passwords or encryption keys to thwart brute-force attacks
- Securing Phones
○ Protect the system and wiring with physical security
○ Protect and regularly change admin password
○ Restrict numbers that can be used for call forwarding - block or restrict
prevent attackers from modifying call-forwarding features
○ Restrict long distance calling - enable only on entering authorization number
- Converged Communications
○ FCoE - FC over TCP/IP network
○ Security concerns - not widely used, can be unsecured, discovering vulnerabilities may take
longer time
Proxy Servers
SSCP Page 15
- Whitelisting or blacklisting
Firewalls
- Network-based or host-based
- Packet-filtering firewall
○ Stateless - cannot determine whether a packet is part of ongoing session
○ Uses ACLs
○ Filters traffic based on IP address, Subnet address, port, protocols, combinations
Defense Diversity
- e.g. implementing DMZ (created by two FWs) by using two different FW vendors
○ One vulnerability should not compromise both FWs
SSCP Page 16
AH - authentication & integrity
ESP - encryption
Tunnel/transport (only payload is encrypted) mode
○ TLS
Used for e.g. HTTPS, 443
Replacement for SSL
- Authentication
○ PAP - obsolete, credentials passed over network in clear-text
○ CHAP - md5(password + nonce)
Nonce provided by server when initializing communication
MS-CHAPv1/v2
□ Mutual authentication - client <-> server
○ EAP
Doesn’t use specific method, can be used as extension
PEAP - Protected EAP
□ Encrypts and encapsulates EAP in TLS
□ Requires cert on server
EAP-TTLS - EAP Tunneled-TLS
□ Uses AV Pairs - can secure other authentication methods
□ Requires certificate on a server
EAP-TLS
□ Mutual authentication
□ Both client and server must have certificates
□ Best option
○ RADIUS
AAA
Credentials are passed from remote access server
Can be used for VPN authentication, 802.1x, etc.
VPN server - RADIUS client
Can be integrated with AD
Uses UDP and encrypts only password
□ RFC 6613 and 6614 describe TCP and TLS
○ Diameter
Successor to RADIUS
TCP, supports IPsec and TLS
○ TACACS+
TCP, encrypts entire authentication session
- Traffic Shaping
○ Delaying some types of traffic so that others could be prioritized
Virtual Environment
- Host, guest, hypervisor
- Host runs hypervisor which manages guest VMs
- VMs usually use shared storage
○ Big and fast
○ Strong access control - VM must not access another VMs storage
- VMs within the same data classification (Secret, Unclassified, etc.) should be on the same host
- Virtual Appliance - VM with preconfigured OS and apps
SSCP Page 17
- Virtual Appliance - VM with preconfigured OS and apps
Cloud Computing
- Computing services provided over Internet
- SaaS, PaaS, IaaS
SSCP Page 18
○ BEST SECURITY
- Community Cloud
○ Private cloud shared by two or more organizations
- Hybrid Cloud
○ Combination of two or more clouds
Storage
- Cloud storage - might not be secure
- Legal jurisdiction of storage location
○ Sensitive data on Russian server
- E-discovery - electronic discovery
○ Locating and securing data so that it can be used as an evidence
○ Can only be applied on providers within legal jurisdiction of the country
Privacy
- Cloud providers are vulnerable to attacks
- Cracked passwords are responsibility of customer
- Ideally encrypt sensitive data before passing to the cloud - with your own keys
Data Control & Third-Party Outsourcing
- SLA between organization and vendor can include
○ Expectations for data availability and security
○ Data portability - reuse data across interoperable applications
○ Data destruction - when the data is no longer stored with cloud provider, data must be
properly deleted
○ Auditing - auditing access to data in cloud
○ Data resilience - backup/recovery
Compliance
- Organizations have legal responsibilities to comply with law
- HIPAA - US Health Insurance Portability and Accountability Act
- PCI DSS - Payment Card Industry Data Security Standard
- If such organization puts data in the cloud and breach happens, organization is responsible, not
cloud provider
○ Unless compliance included in SLA
SSCP Page 19
Attacks
Wednesday, February 21, 2018 15:22
Insider Attacks
- Someone with authorization steals data from organization for personal gain
- Access to system for fired employees should be terminated before they have a chance to perform
malicious action
- Smaller threat than attacks from outsiders
- Prevention - effective access control (strong authentication and authorization) and strong auditing
techniques
Script Kiddies
- Unexperienced attacker who is using downloaded script to perform attacks
- Bored teenagers
Phreak
- Someone who illegally breaks into a phone system
Accidental Threats
- Responding to phishing attempts
- Forwarding malware or bringing it from home
- Unauthorized data access
○ Accidental access, modification, removal…
- Losing HW
○ Losing NTB means losing also data on it
- Spoofing
○ Impersonating as someone or something else
○ Can be on different levels (MAC, IP, HTTP Cookie, email "from")
- DoS
Take down system
SSCP Page 20
○ Take down system
○ Disrupt service by taking system down or overloading it
=> service not available
○ e.g TCP SYN flood
TCP session half-open
IDS can detect this
○ Ping of Death
Obsolete
64kB icmp packet
○ LAND
Local area network denial
Tricks system to sending out packets to itself in an endless loop
- DDoS
○ DoS from multiple attackers at the same time
○ Botnets
Compromised systems commanded by attacker
- Botnet
○ Compromised systems (zombies) commanded by attacker from command and control
center
Infected by drive-by download - malware downloaded from malicious website
(without users knowledge) or through link in malicious email
○ CAC - can be one or multiple servers controlled by bot herder
Attacker can send different commands to zombies - launch DDoS, send phishing email,
etc.
○ Are usually rent-out for customers
- Sniffing
○ Packet sniffer, capturing data
○ Mitigation - encrypt all data, protect access to network, use switches instead of hubs,
physical security
○ Promiscuous (capture all data reachable to the system) or non-promiscuous mode (capture
only data addressed to the system)
- Ping sweep
○ ICMP to identify which IP addresses are operational within the range
○ Usually part of reconnaissance
Afterwards, vulnerability scanners used to obtain details
- Port Scan
○ To detect what ports are open on a system
○ Part of fingerprinting attack
Gathering information on specific systems
○ Can be easily detected on FW or IDPS (sequential or random port scanning)
- Salami attack
○ Attacker performs large number of minor actions that likely won't be noticed
○ e.g. shaving a penny from each financial transaction
○ Can be used to get information from databases piece by piece
Inference attack - collecting pieces of small, seemingly inconsequential information
and putting them together to infer or deduce sensitive information
- MITM
○ Eavesdropping by putting system between two communicating parties
e.g. sniffer
○ TLS MITM - system is acting as TLS proxy, transparent for both parties
○ Can be used legally - e.g. for monitoring users activities
○ active (capture data from specific system) or passive (capture data from any system)
- Session Hijacking
Attacker captures information from ongoing session and then impersonates original client
SSCP Page 21
○ Attacker captures information from ongoing session and then impersonates original client
○ e.g. stealing HTTP cookie by sniffing on the session
○ Firesheep, Facesniff
- Replay
○ Started by sniffing on a session
○ Information are used to impersonate other party
○ Mitigation - Kerberos (uses timestamps), CHAP (nonce - number used only once during
authentication)
- Smurf Attack
○ Broadcasts ICMP echo to multiple systems on the network but uses spoofed source IP of
attacked host
Attacked host is flooded by responses
Amplifying network - directed broadcast ping (can pass the router)
□ Blocked on routers
- Fraggle Attack
○ Sends packets to UDP port 7 (echo port) or 19 (chargen)
○ If chargen is enabled, it sends random character whenever traffic received on a port
Usually disabled
- Buffer Overflow
○ Application is not able to handle received data
○ Overflow of assigned memory
○ Can be used to write additional code into protected memory
○ e.g. send large volume of NOOP (no-operation) commands to position memory pointer and
then add the code
○ Gain elevated privileges
○ Starts as a programming error
○ Mitigation - proper error handling in application, input validation, keeping systems up-to-
date
- Injection attacks
○ Inject code into web application
○ SQL Injection
e.g. entered data into website form contains SQL query
Mitigation
□ Input validation - restriction of double hyphen (comment in SQL) or semicolon
(end of command), etc.
□ Stored procedures - group of SQL statements that execute as small program
○ Command Injection
Inserting OS system command into website form
Mitigation - input validation
- Cross-Site Scripting (XSS)
○ Inject HTML or JavaScript code into webpage
○ Injecting malicious code to harm webpage visitor
Steal sensitive information from users system (e.g. cookies)
○ Mitigation - server-side input validation
- Cross-site Request Forgery (CSFR)
○ Send malicious command from the users system to the website
User click malicious link that includes a command
○ Exploits the trust that a site have to users browser
○ e.g. to make purchase on behalf of user
○ Protection
Verify user before making change
Avoid clicking unknown links
- Password attacks
Use strong, complex passwords
SSCP Page 22
○ Use strong, complex passwords
○ Brute-force
Try all possibilities until getting match
Can be mitigated by complex password, limited number of incorrect passwords, etc.
○ Dictionary
Try all the words in a dictionary
○ Social Engineering
Tricking user into handing in the password
○ Rainbow table
List of passwords with hashes
Protection
□ Key stretching - salts the password before hashing it
Add random bits to the password
Use of rainbow tables can speed up password cracking (if hash was already obtained)
- SPAM
○ Unsolicited commercial email (UCE) or instant messages
○ Can be sent by botnets
○ Web-spiders - crawl through websites looking for emails (e.g. @ character)
- Phishing
○ Spam with malicious intent
○ Enter sensitive information
○ Phishing email components
Impersonation - a legitimate person or company
Identification of a problem - e.g. "suspicious activity"
A sense of urgency - to open the document, log in portal, etc.
Dire consequences - "closing an account", "freezing funds"
○ Drive-by download
User clicks the link and malicious code is downloaded and executed
No personal info
○ Spear Phishing
Targets a specific organization or a group
○ Whaling
Phishing targeted on CxO executives
Get attention by using words like "Lawsuit"
Attached document may be easily malware
○ Vishing
Trick the user in providing sensitive information using VoIP
Providing CCN via keypad, etc.
○ Smishing
Phishing via SMS
- Zero Day Exploits
○ Attacks that take advantage of vulnerabilities
Unknown and unpublished by vendor
Known by vendor but not published - patch not released yet
○ Can be prevented by applying defense in depth model
If one technology has zero-day vulnerability, others may not be susceptible
Disable unnecessary services on servers
○ If patches are not applied immediately
Attacker can download patch, reverse-engineer it and find which vulnerability it is
fixing
Attacker can then develop attack and launch it sooner than patches are actually
applied
- Covert Channel
Mechanism used for transmitting information secretly between two entities
SSCP Page 23
○ Mechanism used for transmitting information secretly between two entities
○ e.g. utilizing unused bytes in protocol headers
TCP handshake - protocol ID field can be used to pass covert information
○ Firewalls usually detect this
Countermeasures
- Software Security
○ Security embedded in website code
During development
- Input Validation
○ Checks data before using within application
If they are valid for operation
○ Checks for valid characters, valid format, valid range, etc.
○ Does not provide accuracy
e.g. check if zipcode is really from the area you are living in
○ Prevent buffer overflow, SQL injection, XSS
○ Client side validation
Validating user input
Embedded in form webpage - saves round trip to the server
SSCP Page 24
Embedded in form webpage - saves round trip to the server
Can be easily bypassed
○ Server side validation
Final security check before using input data
Both should be implemented
- Application Review
○ Testing application for bugs and vulnerabilities before release
○ Code review or peer review
- Code Signing
○ Associating certificate with software
○ Assurance on who wrote the SW and its integrity
○ If infected by malware, integrity check will fail!
Can be checked in browser, during installation, etc.
○ Extended Validation Code Signing certificates
By Symantec
More thorough background check for issuing certs
○ Configure web browser to block unsinged software
- Sandboxing
○ Run program in isolated area of memory
○ e.g. Antivirus - check new or untrusted apps
○ e.g. virtualization
Social Engineering
- Low-tech attack, but very effective
- Aiming at people to give up sensitive data
- e.g. phone call impersonating CEO (information from company website) telling that he is collecting
information
○ Attacker gains information and then repeats the attack
- They try to build trust, familiarity
- Sense of urge
- Even threats
- Tailgating
○ Someone passes through authorization point without providing credentials by closely
following someone authorized
○ One employee opens the door by his card and lets several other people to pass
○ Mitigation
Mantrap - enclosure for only one man, who is locked when entered and passed
through other side
□ e.g. in Datacube
Turnstiles
- Impersonation
○ Masquerading or spoofing
○ As someone else
- Dumpster Diving
○ Sifting through some else's trash
○ Sensitive documents should be shredded or burned, not thrown to dumpster
- Shoulder Surfing
○ Looking over someone's shoulder to gain information (e.g. password)
- Pharming
○ Manipulates hostname resolution to redirect user to bogus site
○ DNS manipulation or host files
- Social Networking attacks
Attacker impersonates social network (e.g. Facebook) in email and lets user know that
SSCP Page 25
○ Attacker impersonates social network (e.g. Facebook) in email and lets user know that
messages are awaiting
But link is malicious
- User Awareness
○ Primary countermeasure
○ Training
○ To change user behavior from unsafe to safe actions
○ Acceptable Use Policy
Expectations on employee's use of computing resources
Responsibilities and risks
Should be acknowledged by each employee
○ Initial Training when hired
Security training
○ Annual Refresh Training
Training about current risks and threats
○ Newsletters
○ Periodic emails
SSCP Page 26
Malicious Code and Activity
Wednesday, February 28, 2018 09:08
Virus
- Piece of code, negative events on PC
- Ability to copy itself into a computer and replicate using different methods
- Infected file must be executed for virus to run
○ Virus can only run with some type of user interaction
- Components
- Replication component
Copying its code onto other applications and infecting them
e.g. it may copy itself on USB drive and then replicate further
- Activation component
It delivers payload - malicious program
e.g. delete or corrupt system data
May contact C&C centrum if part of botnet
- Usually tries to stay hidden and collect information of the user
- Forms
- Stealth
Try to hide from AV by providing misleading info about the virus to AV
e.g. misreport file size
- Armored
Additional code to complicate reverse engineering by AV
e.g. compiler with encryption, different code design
- Polymorphic
Ability to morph or mutate each time they are copied or run
e.g. by encrypting file slightly differently each time
Replication and activation code remains the same
- Metamorphic
Mutates the code for replication and delivery
Changes logic of replication and activation - more difficult to detect
- Boot Sector
Virus is stored in boot sector and executes when system is booted
- Multipartite
Multiple components - e.g. boot sector with virus
- Macro
Macro in document is used to launch virus
Worm
- Do not require any interaction to activate, does not need to be executed
- Travels through network and infects nodes
- Can use different protocols
- Use defense in depth
- Host based firewalls, up-to-date AV, switch-off unneeded protocols
Trojan Horse
- Application that looks legit but includes malicious component
- e.g. pop-up updates for Flash
- Always update only from legit webpage, not from pop-ups
Scareware
SSCP Page 27
Scareware
- Malware that describes itself as AV
- Popup with message to fix problem -> installs malware
- Could be used to create zombies in botnet, install backdoors, etc.
Ransomware
- Takes control of users computer and demands ransom to release it
- Preventing from logging in, or prevents access to data (by encrypting them)
- Accuses user of participating in illegal activities and demands fine
- Or encrypts data and demands money for releasing decryption key
- Sense of urge (72 hours to lawsuit, deleting of key, etc.)
Keylogger
- Capture all keystrokes entered on computer
- HW or SW based
- Can be installed via Trojan
Logic Bomb
- Code that executes in response to some event or point in time or specific actions
- Keylogger may include logic bomb on emailing keystrokes after user visits specific website
Rootkit
- Program that runs on system with root-level access undetected
- Remote control of node
- Can hide itself from AV scan or restrict data returned to the scan
- Usually installed via Trojan or virus
- Kernel PatchGuard - prevention from rootkits in kernel, requires digitally signed drivers
Mobile Code
- Can transfer itself between the systems without user taking any action to install it
- e.g.
- JavaScript or VBScript
Embedded into webpage or PDF, Word, etc.
- Java Applets and ActiveX
Mini-programs embedded into webpage
They run when webpage is displayed
Block unsigned applets
- Documents with macros
They run when file is opened
Disable macros
RAT
- Remote Access Trojan
- Control via Internet
Spyware
- Spying on user activity, e.g. for targeted advertisement
- Steal financial data, person's identity, etc.
- Installed via Trojan
SSCP Page 28
- Installed via Trojan
Malware Hoax
- False message about malware risk
- Sense of urge
Stages of Regin
- Regin - advanced class of malware
- Collect data
- Via RAT features, screenshots, stealing pass, retrieving deleted files, monitoring network
traffic, etc.
- Six stages
- Stage 0
Dropper stage - initial infection, installing Trojan
- Stage 1
Loads OS kernel drivers
Decrypt, load and execute stage 2
(subclass.sys, adpu160.sys)
Only stage with plain visible code on station
□ Other stages are encrypted
- Stage 2
Stored in NTFS extended attribute
Removing code after stage 1
- Stage 3
Decrypts, install and execute stage 4
Build encrypted file system
Modular framework for stages 4,5
- Stage 4
Loads modules for stage 5
Different features can be enabled and executed
- Stage 5
Collects data and stores them within encrypted file system
Sends data to attacker via standard protocols
- Includes also C&C functionality
- All communication is encrypted and encapsulated within ICMP or UDP
SSCP Page 29
- Antivirus and content filtering on FW
- Preform regular antivirus and vulnerability scans
- Keep systems and AV up to date
- Educate users
- Antivirus
- Real-time (when user opens a file) or on-demand (started manually) or scheduled scan
- Signature based detection
Match unique characteristics of the virus - e.g. byte pattern
Signatures are generated by reverse engineering the file in AV company
Detection can be avoided by using polymorphic or metamorphic virus
□ Many different variations of virus
Database must be up-to-date!!! - update often
- Heuristic based detection
Can detect previously unknown and non-reverse engineered viruses
Detection based on behavior
□ e.g. picture file is trying to change system files
Can use sandbox technique
□ Activity is evaluated in isolated environment
- Spam Filter
- Detect and block unsolicited email
- Sender Policy Framework (SPF)
Identifying spoofed email
SPF record can be used on DNS server to identify authorized server for sourcing traffic
from given domain
When email-server receives email, it can check if the domain in email header is
matching server that sent the email
- Content-Filtering
- Filters traffic in and out of the network
- Deep-packet inspection, sandboxing on the edge, etc.
- Can be used as proxy - validating certificates, URLs, etc.
- Must be deployed at border with external network
All traffic coming from Internet must be inspected before passed onto internal
network
- Part of defense in depth
FW with content-filter, AV and AS filtering entry to network
AV on endpoints filtering traffic that passed signatures on FW by applying heuristic
method
- Keep OS up-to-date
- Patch vulnerabilities
- Scanners
- Vulnerability scanners - Nessus, Rapid7
- Check system for vulnerabilities and report findings
- Beware of shortened links
- Different hypertext shortcut
- Obfuscated links
- e.g. bit.ly, tinyurl.com
- LongURL - demystify link
- Sandboxing
- Heuristic-based analysis in isolated environment
- e.g. virtualization
- Least Privilege
- Users should not have admin privileges to install apps
- Even admins should not use admin accounts for day-to-day activity
SSCP Page 30
- Even admins should not use admin accounts for day-to-day activity
- Software security
- Input validation, code signing, application review
- Application Whitelist and Blacklist
- Which apps are allowed and blocked
- Security Awareness and Training
- Educate users on safe computer habits
- Turn on AV, don’t open suspicious attachments, links, etc.
- Download files directly from source website
SSCP Page 31
Risk, Response and Recovery
Monday, March 5, 2018 09:45
Risk - probability that threat will exploit a vulnerability can cause a loss
Threat - activity that can be possible danger
Vulnerability - weakness in system
To lower the risk, you need to reduce vulnerabilities (by implementing safeguards and controls)
- Or reduce impact of the risk
- It's rarely possible to reduce threats
SSCP Page 32
- e.g. ZIP attachment in email, attack websites and install malware to be downloaded on visit
- Exploit and compromise
- Technical and nontechnical methods
- e.g. tailgating, exploiting vulnerabilities in unpatched systems, zero-day attacks
- Achieve results
- Cause impact and obtain information
- Exploit was successful
- Adverse impact include any results that affect CIA of systems and data
- Maintain a presence or set of capabilities
- Attacker takes steps to obscure their actions
- Bypass or circumvent IDPS and auditing capabilities
- Maintaining presence for further time
- Many more
Vulnerabilities
- Vulnerability = any weakness in a system, network, infrastructure or organization
- Weakness in and information system, system security procedures, internal controls or
implementation that could be exploited by threat source
- Examples
- Poor and nonexistent AV protection
- Terminated employees - accounts should be disabled right after employee is terminated
- Weak access control - identification, authentication and authorization techniques
- Poor or nonexistent change-management practices - problems caused by unintentional
side effect of making change to system
- Poor hardening practices
- Lack of redundancies for key systems - on multiple levels
- Uneducated users - social engineering
Impact
- Impact = magnitude of harm that could result if a threat exploits a vulnerability
- Can be high (risk is high priority) or low (risk is not priority)
- e.g. fire
- Likelihood = low
- Impact = high
- Overall risk = high
Purchase insurance to reduce impact
Risk management
- Identify, assess and mitigate risk to an acceptable level for the organization
- Needs to change and evolve with the threats
- Continual process
- Reduce vulnerabilities and impact, not threats
- Choices in response to risk
- Mitigate - reducing vulnerabilities by implementing controls and safeguards
- Avoid - by avoiding activity that causes the risk
- Share or transfer - share or transfer risk to another party, e.g. insurance (only partial impact
reduce)
- Accept - accept risk and potential losses, when asset value is low
Or accept the remaining risk after taking steps to reduce the risk to acceptable level
Residual Risk
- Amount of risk that remains after reducing risk to an acceptable level
SSCP Page 33
-
- Management must decide which controls will be implemented and when is the risk acceptable
Identifying Assets
- Important first step in risk management
- Asset
- Has high value to organization
- Can be valued using tangible and intangible values
Tangible = direct loss, e.g. on revenue
Intangible = side loss, e.g. customers turn to other organization
Risk Register
- Central depository for known organizational risks
- e.g. risk register for web server
Quantitative Analysis
- Numerical-based data to identify the actual cost associated with a risk
- Single Loss Expectancy (SLE)
- Identifies the actual loss of single occurrence of a threat
- e.g. website down for an hour causes loss of 10000$
- Exposure Factor
- Magnitude of loss as a percentage of assets value
- e.g. if value is 1000 and insurance covers 750, Exposure Factor is 25%
- Annual Rate Occurrence (ARO)
- How often the SLE is expected to happen in a given year
- Annual Loss Expectancy (ALE)
- SLE x ARO
- Cost of control
- Cost of implemented security controls
- Including side costs like admin training, etc.
- If ALE < Cost of control, it may not be justified to implement control
SSCP Page 34
- If ALE < Cost of control, it may not be justified to implement control
SLE ARO ALE before ALE after ARO after Cost of Savings Impleme
before control control control control nt?
$10000 control
3 (SLExARO)
$30000 $10000 0 $5000 30000-5000= Yes
25000
-
$10000 3 $30000 $10000 1 $5000 30000-10000 Yes
-5000 =
$2000 2 $4000 $2000 0 $10000 15000
4000 - 10000 No
= -6000
- Advantage - analyze actual value of control
- Disadvantage - it's hard to obtain values of Assets, SLEs, etc.
Qualitative Analysis
- Subjective, scenario-based data, categorizes risk using works such as low, medium and high
Risk Assessment
1. Prepare for Risk Assessment
- Identify purpose, scope, information sources,
- Identify assumptions and constraints - which controls are in place, etc.,
- Identify risk model and analytic approach - quantitative or qualitative analysis
2. Conduct Risk Assessment
- Identify threat sources, threat events, vulnerabilities
- Perform analysis to determine the likelihood of a risk occurring, impact and overall risk
- Threats - internal/external, natural/manmade, intentional/accidental
- Likelihood x impact = risk score
Risk score can be overridden subjectively
SSCP Page 35
Risk score can be overridden subjectively
- You can evaluate prospective controls or safeguards
Risk score evaluation without and with new control
3. Communicate and Share Risk Assessment Results
- Provide results to decision makers
- Content
Executive summary - summarizes risk assessment
Risk assessment preparation - identifies purpose, scope, etc. from Step 1
Threat sources, events and vulnerabilities
Risk scores - tables, graphs including likelihood and impact
Controls and countermeasures - evaluation of new controls and countermeasures
Uncertainties - caused by missing data, subjective opinions and assumptions
Appendixes
4. Maintain Risk Assessment
- Evaluates threats and vulnerabilities at a specific time
- Periodically repeat and update risk assessment for key systems
Monitoring risk factors
Address Findings
- Identified risks must be mitigated by implementing controls
Responding to Incidents
- Security incident - any violation of policies or security practices that has potential to result in an
adverse event
- Adverse event - event with a negative consequence (system crash, data damage, etc.)
- Lifecycle of incident response
- Preparation
- Steps to prevent an incident by securing systems
- Planning for incidents and planning for response
- CIRT/CSIRT/IRT
People responsible for responding to incidents
Ready access to tools and resources (every minute spent looking for them is wasted)
□ Contact information - who and when needs to be notified
□ Reporting forms - record specific information about an incident
□ Forensics tools - collect and analyze evidence, maintain chain of custody
□ Documentation - systems and network infrastructure, performed changes
□ Software and hardware - to create reports, doing research or perform analysis
□ War room - where the team meets and solves the issue
These tools may be stored in network location or "crash cart" (in case network goes
down)
SSCP Page 36
down)
- Detection and Analysis
- Incident is discovered, investigated and analyzed
- Detection - by AV, suspicious activity, SIEM, IDS, etc.
- Analysis - whether the event is an incident and prioritization (minor, critical, etc.)
- Containment, Eradication and Recovery
- Contain incident as quickly as possible - prevent from spreading
e.g. unplug PC from network
To quickly contain incident, detection and analysis must be fast
- Eradication - reverse all actions taken by the malware and remove it from system
completely
- Recovery - bring system back online, move data, etc.
- Post-incident Activity
- Examine the incident and response
- Determine whether the existing plans and procedures adequately address the incident
They may be improved
- Generate post-incident report (can be used later in risk assessment)
Lessons to be learned, speed of detection and responding to incident, recovery time,
documentation up-to-date, new controls to implement
All of this can be improved
- Avoid finger pointing and blame storming
SSCP Page 37
Monitoring and Analysis
Thursday, March 8, 2018 08:08
IDS
- Detect attack and raise alert
- Passive - monitoring and recording events in log, sends notification when attack detected
- Active - takes action to modify environment to stop the attack (e.g. modify ACL)
- Network (NIDS) or host based (HIDS)
- Alerts
○ Notification via email or sms
○ Send alert to SIEM or display in dashboard
○ May be false positive - must be investigated by personnel if it is incident or not
○ Triggered when specific threshold reached
e.g. if same IP is trying to open communication in multiple ports in 60 minutes (port
scan)
○ Difficult to define the threshold
Better tighten it up and receive false positives than vice versa
- NIDS
○ Monitors network traffic for attacks
○ Uses agents to monitor traffic on network devices
They forward the traffic to a central management console
○ Can be inline or outline (harder to detect for attacker)
- HIDS
○ Installed in individual system
○ Monitors activity on a host (processes, running apps, etc.)
○ Can be CPU intensive
○ Can be detected by attacker and disabled or logs deleted
○ Can be included in UTM
- Using NIDS + HIDS is part of defense-in-depth strategy
- Detective security control
IPS
- Placed inline with the traffic on boundary of the network (behind first line FW)
- Is active, blocks potentially malicious traffic
- Prevents the traffic from entering the network (not just modify environment)
- HIPS or NIPS
- Preventive security control
SSCP Page 38
○ Identify normal activity and detect abnormal activity
○ Usually generate higher level of false positives than signature-based
○ If the environment is modified, it is important to update baseline
- Hybrid
○ Combination of anomaly and signature based
○ Common
- Whitelisting
○ host-based IDS
○ App whitelist allows only specific apps and processes on endpoint
○ Whitelisting MACs on switch
Analyzing results
- Important part of monitoring
- Analyzing individual events - if they are incidents
- Reviewing security analytics and metrics - e.g. number of false positives each week, adjust
threshold
- Identifying trends - determine if security controls are providing adequate protection
- Creating graphics for visualization - graphs, see trends
- Communicating findings - report to decision makers
SSCP Page 39
etc.
○ Ability to define or fine-tune items of interest - modify thresholds, correlate events, define
incidents, etc.
○ Alerting capabilities - visual indications, pop-ups, emails, sms, etc.
○ Secure storage of data - central storage is easier to protect than distributed on multiple
stores, harder to manipulate logs
- Steps
a. Gain permission from management - so that scans are not evaluated as attacks
b. Discovery - reconnaissance and vulnerability scanning
c. Analyze results - scanner may generate false positives
- Manual check
- May also generate false negatives!
d. Document vulnerabilities - create report
e. Identify and recommend methods to reduce vulnerabilities - configuration changes,
patching, implementing new control, etc.
f. Present recommendations - to management
g. Remediate - implement fixes
i. Most important step
ii. Repeat scan to check if vulnerability is patched
SSCP Page 40
Penetration tests
- Next step after vulnerability scan
- Exploit discovered vulnerabilities
- May cause loss of CIA
- White, black, gray box
- Intrusive test
○ Goal is to prove that exploiting a vulnerability can affect the mission of organization
- Steps
1. Gain permission - written!!!
2. Perform vulnerability assessment
i. Discovery and reconnaissance - nmap, social engineering, etc.
ii. Fingerprinting - scanner
iii. Identify vulnerabilities
3. Attempt to Exploit Vulnerabilities
i. Do not cause outage or other real damage
ii. Data should not be disclosed, corrupted, etc.
4. Report results
i. To management
ii. Should include recommendations for mitigation
1) What to mitigate, what to accept
SSCP Page 41
Controls and Countermeasures
Monday, March 12, 2018 16:29
SSCP Page 42
- AV = detective + corrective
- Backup = preventive + corrective
- Prevention
- Written security policies, standards and procedures
- Background checks
- Separation of duties and least privilege
- Access control process (strong authentication)
- Password policies
- Employee termination process (disable accounts)
- Classification of data
- Encryption of data
- Physical security - cameras, fences, guards
- Detective - detecting occurring or already occurred event
- Physical inventories
- IDS
- Antivirus SW - detect malware
- Audit logs
- Forensics analysis
- Reconciliation - comparing different sets of data with each other
- Corrective - takes action to reverse the effects of an events
- IPS
- Antivirus - removing or quarantining malware
- Backup and restore procedures (preventive + corrective)
- Disaster recovery and business continuity plans
- Other
- Compensating
In place in case primary control fails or is unavailable
Separation of duties -> problem with vacations -> may not be effective as during the
vacation, responsibility is on one man
□ Implement periodic reconciliation auditing to detect anomalies
- Deterrent
Deter attackers or users trying to circumvent policies
Proxy blocking access to website (reminding user that activity is recorded)
Encourage someone not to take specific action
Preventive type
- Directive
Mandated by higher authority
HIPAA - how to protect PHI (Personal Health Information)
- Recovery
Recovery after failure
Backups, procedures how to restore backups, etc.
Corrective
Classes of Controls
- Management (administrative), Technical (logical) and Operational
SSCP Page 43
-
Basic Controls
- NIST-SP 800-53
- Hardening Systems
- Remove or disable unused protocols - decrease attack surface
- Remove or disable unneeded services - fewer opportunities to attack system
SSCP Page 44
- Remove or disable unneeded services - fewer opportunities to attack system
- Change defaults - e.g. passwords
- Keep systems up to date - patching bugs in SW
- Enable firewalls - and AV
- Install AV software
- Policies, Standards, Procedures and Guidelines
- Policies - high-level documents used to provide guidance to members of organization
(authoritative)
- Standards - document criteria such as a proven norm or method (can influence policies)
- Guidelines - recommendations to members of an organization (not authoritative, derived
from policies)
- Procedures - specific action steps to complete tasks (derived from policies)
- An organization can choose, which standard to follow - ISO 20000, ISO 27000, NIST-SP, etc.
SSCP Page 45
- Or prohibiting use of mobile devices in certain areas
Telecommuting
- Work from home
- Must deploy secure VPN
- Devices owned by telecommuter cannot be controlled by organization
- Access to VPN must be strictly controlled
- NAC - check predefined health characteristics before allowing access for endpoint
Mobile Device Management (MDM)
- Patch management for mobile devices (iOS, Android, etc.)
- Microsoft ConfigMgr
USB Devices
- Significant risks - data leakage and infection by malware
- Easy to connect and easy to copy
- Can be mitigated by enforcing encryption of data in rest and AV deployment
Thin Clients
- Virtualization of workstation
- If workstation is stolen, no data is lost
Virtualization
- VM escape attacks
- Attacker connects to VM and "escapes" to host - can gain full control over all VMs on given
host
- Keep hypervisors up to date
Application White/Blacklisting
- Prevent users from installing any application - only approved by organization
- List of allowed or blocked apps
- e.g. Apple Store is reviewing each app before published for security
Endpoint Encryption
- Full disk or full device encryption
- Automatic on iOS and Android (from 5.0) devices
- If the device is jailbroken, root-access can be granted to user - but also to malware
Trusted Platform Module (TPM)
- Stores crypto keys which system can use to encrypt/decrypt data
- HW chip on motherboard
- Creates storage root key, which encrypts application keys (e.g. BitLocker key)
Sandboxing in browsers
- Browser runs in isolated area of computer
- Web applications cannot access your personal files or HW (webcam)
SSCP Page 46
- Web applications cannot access your personal files or HW (webcam)
User awareness and training programs
- Users to understand security policies and procedures
- Social engineering tactics, etc.
Fault Tolerance
- Avoid single point of failure by adding redundancies
- RAID
- Can improve performance and provide fault tolerance
- Can be SW or HW based
- 0
Two or more disks, stretched data
Improves performance, does not provide fault tolerance
If one disk fails, all data are lost
- 1
Two disks that are mirrored (one is backup)
Parallel reading from both disks at the same time - improves performance
Halves the combined capacity of both disks
- 5
Three or more drives, stripping with parity
Parity - either odd or even value (XOR of data bits)
2 drives carry the data, one drive carries parity
□ Each stripes parity is on different disk
Subsystem can contain spare drives, which are used automatically if one of the drives
fail
- 6
Uses 2 parity blocks
Can survive failure of 2 disks
Minimum of four disks
Recommended over Raid-5 due to URE (unrecoverable error rate)
□ Lower if two disks can fail
- 10 (1+0)
Combines 1 and 0
Minimum of 4 disks
Increased performance and fault tolerance
- Failover Cluster
- Fault tolerance at server level
- Allows service to operate even if one server fails
- Can be active/active, active/passive, per service or other, etc.
- Load-balancing cluster
- Redundant connections
- Link fault tolerance
Backups
SSCP Page 47
Backups
- Backups are useful only if they can be restored
- Backup plans should include restore test to verify usefulness of backup
- Tape drives, tapes, backup software, backup servers - additional cost, but justified
- Backup policies should define what and when to backup
- Disk-to-disk-to-tape strategy
- e.g. copying DB to tape can take long time, so it is first copied on fast disk and then
processed offline to tape
- Full Backups
- Backs up entire contents of target data
- Can take very long time, during which data cannot be accessed
- Full/Incremental Backup
- Full back up at start and then only incremental periodic back up changes
Incremental backs up only changes since last full or incremental back up
- Restoring data
First full backup needs to be restored
Then every incremental backup since full back up up to the point of failure must be
restored
- Minimizes the time needed for incremental backups
- Recovery can take longer due to multiple backups to be restored
- Full/Differential Backup
- Full back up at start, then differential backups periodically
Differential backs up all changes since last full backup
- Recovery
First full backup needs to be restored
Then only most recent differential backup must be restored
- Takes longer to backup, as differential backup is bigger every day
- Recovery time is reduced - maximum 2 backups need to be restored
SSCP Page 48
Auditing
Friday, March 23, 2018 11:01
Auditing provides accounting component, which tracks and records individual actions.
Auditing methods
1. Auditing activity through logs - logs inspected by auditors to reconstruct events
2. Auditing activity through an inspection process - periodic security inspections to ensure
organization is following required policies and procedures
- To hold users accountable with audit logs, strong authentication practices must be used
○ e.g. if multifactor authentication is implemented, user cannot deny that he did not commit
given action
- Audit logs provide nonrepudiation
- Audit logs combined with strong authentication and authorization practices provide
nonrepudiation (users cannot deny what they did)
Audit logs
- OS logs
○ Track activity on individual computers and servers
○ Logging must be configured
e.g. audit access only to sensitive or proprietary data
○ System log - events from OS (e.g. driver stops)
○ Application log - events from specific apps (e.g. DNS)
○ Setup log - setup of certain applications
○ Event Viewer - see logs in Windows
○ Copies of logs should be stored on remote systems
Increases difficulty for attacker to erase tracks
- *Nix log
○ Unix
○ /var/log, /var/adm, /usr/adm
Syslog (overall system activity), sulog (all attempts to use SU command), auth
SSCP Page 49
○ Syslog (overall system activity), sulog (all attempts to use SU command), auth
(authentication on SSH), maillog
- Proxy Server logs
○ Log user activity on Internet
○ Caching web pages
○ Can use as a deterrent to unacceptable behavior
- Firewall logs
○ Blocked and forwarded traffic
○ Other events
○ Should be aggregated by SIEM
Reviewing logs
- Look for anomalies
- Archive logs
- Strong authentication & authorization - clearing, reading logs, etc.
○ First log after clearing logs in windows is "Logs cleared"
- Set retention policies
○ To be able to investigate
Security Audits
- Help organization identify vulnerabilities in processes and procedures
- After audit -> implement fixes -> reduce discovered vulnerabilities
- Compliance audits (e.g. HIPAA) - law enforced
○ Audits help to prove that organization is following procedures according to standard
- Password Auditing
○ If users are following policies related to passwords
Complexity (by password cracking), retention, etc.
- Security Policies Audit
○ Review of written security policy to ensure that it still meets organizations requirements
○ e.g. lack of awareness and training for users
ISACA
- Standardization for IT security audits
- CISA, CISM
- Developed COBIT framework
PCI DSS
- For organizations that process credit card payments
- Protect customer personal and credit card data
- PCI DSS Control Objectives
SSCP Page 50
-
- Compliance Reports
○ PCI DSS compliant organizations must submit regular reports
Document processes, how are they complying to 12 requirements, etc.
Reports are sent to acquiring bank and global payment brand
- Compliance Audits
○ Organization with low volume of credit card use - only Self-Assessment Questionnaire (SAQ),
submit to bank
○ With high volume of credit cards
Hire and independent expert to perform audit
PCI Security Standards Council can revoke the business authorization to process credit
card payments or give a fine
Configuration Management
- Ensuring that systems are configured with security in mind and configuration is tightly controlled
- Establish baseline configuration with hardening
- FIPS Pub 200
○ Requirements to enforce security configuration settings
- Strong change management - change authorization, review, etc.
- Imaging Technologies
○ Contains baseline configuration
○ Easy to check later if configuration changed - if baseline is established
○ configure security settings such as auditing, a password policy, an account lockout policy, a
password-protected screen saver, and much more
- Group Policy
○ Centralized administration of systems
Change Management
- Ensure that changes don’t result in unintended outages
- e.g. change review before implementation
- Documentation trail
- Propose changes to system -> examine the request (approve or reject)
- Steps in change control process
SSCP Page 51
-
SSCP Page 52
Security Operations
Tuesday, April 10, 2018 10:42
Handling data
- Value and risks must be recognized
Classifying data
- First step in determining data security
- e.g. Top Secret, Secret, Confidential, Unclassified
○ Principle of need-to-know should be also applied
- e.g
○ Confidential - company proprietary information, R&D, trade secrets
○ Private - intended for internal use only - employee records, customer data
○ Sensitive - data that requires special precautions for its protection - financial data
○ Public - either publicly available or does not cause any harm if public
Marking and Labeling data
- To quickly identify category of given data
○ Watermarks, title page, headers, covers for Top Secret
- HW holding data should be also marked
○ e.g. red label USBs for classified data
○ Encryption should be enforced based on UUID
SSCP Page 53
○ Should be encrypted
e.g. AES
○ When passed to application, data is decrypted
Deduplication
- Ensuring that the file is stored only once on the system
○ Even though multiple users have their own copies
- Problem with encryption
○ If files are encrypted, deduplication software cannot identify same files
Encryption weakening -> decreases security
SSCP Page 54
- Usually, access to SNs is prohibited in companies
Databases
- IBM, Microsoft, Oracle
- Relational databases
- Key elements
○ Row (tuple) - contains unique data element
○ Primary Key - uniquely identify each row
○ Column - attribute
○ Foreign key - relationship to another table, points to primary key in another table
○ Field - piece of information in row or column
- Views
○ Virtual table that provides access to specific columns in one or more tables
○ To control authorization on what given user can see
- SQL
○ Communication and manipulation with database
○ Data Definition Language (DDL) - create the structure of database, tables, keys, etc.
○ Data Manipulation Language (DML) - manipulate data in database (add, delete, modify,
retrieve, etc.)
- Database organization methods
○ Online Transaction Processing (OLTP)
The transaction is recorded in database as it occurs
e.g. purchasing via website
Data normalization
Databases need to be quick and record all transactions in the logs before making
changes
○ Online Analytical Processing (OLAP)
Reorganizes data from data warehouses into multidimensional cubes -> easier
retrieval
Include redundant data
Are slower than OLTP
Retrieval of data -> data mining
Data inference attack
- Attempts to collect public or unclassified pieces of information to predict or guess an outcome
- Deducting sensitive information from insensitive
- Use deduction to learn detailed information from large quantity of public information
Data diddling
- Unauthorized changing of data before entering it into a system
○ e.g. increasing overtime hours before logging them into system
SSCP Page 55
- Vulnerability testing of applications accessing the data
- Use System Development Life Cycle (SDLC)
Regulatory Requirements
- Protection of some data is regulated end enforced by law
- Personally Identifiable Information (PII)
○ Information that personally identifies an individual
○ If data breach occurs, companies are obligated to inform customers
- Health Insurance Portability and Accountability Act (HIPAA)
○ Cover U.S. organizations processing health information
○ Identifies Protected Health Information (PHI)
○ Failing to follow requirements of HIPAA can result in serious fines
- Sarbanes-Oxley Act (SOX)
○ Mandates special protection for data related to publicly held companies
○ Requires high level officers to personally verify accuracy of financial data
- Training
○ Some laws mandate specific training and awareness related to data
○ e.g. FIPS Publication 200
Asset Management
- Helps organization to track its assets
○ e.g. track HW and SW owned by company
- HW
○ Inventory tracking
○ Desktops, laptops, servers, routers, switches, etc.
○ Must be actual and managed
○ RFID tags can be put on each device to scan them easily
- SW
○ Track OS and applications throughout their life-cycle
○ Track licensing (if there are not more copies installed than licensed)
○ Patch management
○ Check actual software installed on system
- Can also track media files, data should be properly classified, marked and labeled
- Procedures have to be defined on what can and cannot be performed with data
Common Criteria
- Framework used to evaluate systems
- International standard
- Evaluation Assurance Level (EAL) - indicate the level of quality assurance steps that personnel
have taken to ensure the reliability of security features
• EAL1 Functionally tested. The threats to security are low, so a high level of security
assurance is not required.
• EAL2 Structurally tested.
• EAL3 Methodically tested and checked.
• EAL4 Methodically designed, tested, and reviewed. Many commercial operating systems
achieve EAL4
• EAL5 Semiformally designed and tested.
SSCP Page 56
• EAL5 Semiformally designed and tested.
• EAL6 Semiformally verified design and tested.
• EAL7 Formally verified design and tested. This provides the highest level of assurance.
It’s applicable in extremely high-risk situations
1. Determine security category of the system based on the data it processes and stores
2. Select set of baseline security controls for given category
3. Implement
4. Examine controls to verify they are working correctly
5. Authorize system
6. Monitor security control to know what are they doing
SSCP Page 57
○ Change management and configuration management should be implemented
○ Periodic system auditing
- Disposal - remove the system from service -> sanitize all media
○ Migrate data and sanitize the system before disposal
○ Destroy media, or overwrite them
○ Dispose data if not required for hold
SSCP Page 58
Security Administration and Planning
Friday, April 20, 2018 08:33
Security Policies
- Written document that provides the organization with a high-level view of security goals
- Management (administrative) control that focuses on management of risk and IT security
- Authoritative document
- Stages of policy
○ Initial stage - draft the security policy
○ Approval stage - policy approved by senior management
○ Publication stage - policy is provided to relevant personnel for implementation
○ Implementation stage - implementing and enforcing the policy
○ Maintenance stage - periodic reviews of policy
- Often, there are several security policies, with top level policy driving them
SSCP Page 59
○ Account lockouts - when to lock account, how to unlock it
○ Hardware usage - e.g. prohibit use of USB drives
○ Ethics statement - minimal acceptable behavior by members of the organization, resolve
ethical dilemmas
Code of Ethics
- Employees have an obligation to abide by the ethics of the organization
- Protecting society, acting honorably, etc.
- For the places that are not covered by security policy
○ Norms and principles of correct conduct
- Part of that should be that employees should not retaliate against attackers
○ e.g. security professional launching attack back
○ IP address can be spoofed, you may cause even more damage to organization
Policy Awareness
- Personnel must be aware of security policy
○ e.g. every employee of AUP
- Not all policies must be understood by all employees
- Awareness should be acknowledged
SSCP Page 60
- Should be updated regularly, e.g. once a year
○ Also supporting policies, to ensure they are aligned with security policy
- Should be reviewed also after breach
○ Updated or additional trainings for employees, etc.
SSCP Page 61
$/h RPO may be up to moment of failure
□ Lower the RPO, more expensive the solution can be
RPO should be based on BIA to justify the expenses
□ Database backup strategies
Full backup
Differential backup
Backup of transaction logs
◊ Record every database transactions since the last backup
◊ Can be used to recover database up to the moment of failure
○ Output
Document that identifies losses that can result from the outage of critical business
functions
How much money can be lost if critical systems are down
Prioritize different functions based on probability of incident occurring and impact
Should use historical data to predict the probability of specific disasters (e.g.
earthquake in San-Francisco)
- Disaster Recovery Plan (DRP)
○ Plan to restore critical operations after a disaster
Clear-cut steps to recover systems as fast as possible
In form of checklist
○ Is not the same thing as fault tolerance
Fault tolerance - ensuring that system works after component failure (e.g. RAID)
Disaster recovery - steps to take to recover system after total outage
○ Includes emergency response plans and procedures
DRPs for different types of disasters
Restoration Planning
- Identify critical business functions (output of BIA)
- Identify restore targets (BIA -> MAO, RTO and RPO)
- Create plan to restore system
○ Within required times
○ Extremely clear and in order (e.g. first restore database, then web-server)
Alternative Locations
- Hot Site
○ All of the resources required to take over operations of another location in a very short time
○ Servers, network, data, personnel is already there
○ e.g. mirrored site = 100% availability
○ Most expensive
○ e.g. regional sites taking over for each other but also functioning individually
Easy to test - everything is already ready
SSCP Page 62
○ Easy to test - everything is already ready
- Cold Site
○ Building with a roof, running water and electricity
○ Hard to test
○ Cheaper than hot site
- Warm Site
○ Compromise between hot and cold (with cost and time)
○ e.g. this site can be active within 24 hours
Some manual steps must be taken to make it operational
- Mobile Site
○ e.g. container with servers
○ Equipment is already installed, but usually SW and data are out of date
○ Cost is usually as a warm site
Security Organizations
- National Institute of Standards and Technology (NIST)
○ Special Publications (SPs)
○ Also publishes FIPS documents
○ http://csrc.nist.gov/publications/PubsSPs.html
- US-CERT
○ Response support and defense against cyber-attacks for US government entities
- SANS Institute
○ Security certifications and trainings
○ SANS Reading Room: www.sans.org/reading-room/
○ Sponsors Internet Storm Center: https://isc.sans.edu/diaryarchive.html
- CERT Division
○ Works with DHS (Department of Homeland Security)
○ Software Engineering Institute
SSCP Page 63
Legal Issues
Friday, April 27, 2018 08:36
Computer Forensics
- Inspecting computer systems for evidence about an event or crime
- Primary goal - preserve data integrity
- Incident Handling
○ NIST 800-61 - Computer Security Incident Handling Guide
○ Incident - any violation of policies or security practices that has the potential to result in
adverse event (system crash, data breach)
○ Create incident response policy
1. Discovering an incident
- How do you know which event is incident?
- User reports erratic behavior of PC, admin starts to investigate, finds out that PC was
infected -> incident
2. Responding to incident
- According to incident response plan
□ Actions to take for specific incidents
- e.g. disconnect the PC from network if infected by malware (containment)
- Protecting evidence while investigating
3. Escalating an incident
- If personnel cannot resolve it
- Escalate to supervisor or higher level technicians
4. Reporting an incident
- e.g. report to member of IRT
- Always document every incident that happened
- Reporting may be enforced by law
□ e.g. GDPR for PII
Implementing Feedback Loop
- Ensure that organization examines each incident to learn from it
- e.g. find out why PC was infected and implement countermeasures to avoid recurrence
○ e.g. enforce AV updates more often, training to users on phishing tactics
Implementing Countermeasures
- Based on organizations acceptable level of risk
SSCP Page 64
○ Most sensitive part of the process (easy to modify evidence if not done properly)
○ Bit-copy or drive-imaging tools to capture the data (with write-blocker)
- Must be exact bit-by-bit copy of original drive
○ Capture content of computer's memory
- Recently run processes and applications
- Memory is volatile - you must keep system on
○ For first responders
- Do not access any files
- Do not shutdown the PC
- Create multiple copies of disk and memory
○ Toolkits for acquiring evidence
- FTK Imager, Forensics Toolkit, COFEE, Sleuth Kit, EnCase, SANS SIFT
2. Authenticate the evidence
○ After collection, create chain-of-custody
- Documents who obtained the evidence, where, when and how it was controlled since
it was first collected
- Records every interaction and provides proof that evidence was properly controlled,
was not subject to tampering and is valid
○ Maintain control of evidence - to avoid being subjected to tampering
○ Authenticate drives and files
- By comparing hash values
- Create hash from original drive and then from drive that was analyzed - if they match,
there was no tampering
3. Analyze the evidence
○ Process must be performed on copies of original drive
- Sometimes original must be analyzed (you have only one shot)
○ Process must be repeatable
SSCP Page 65
Fraud and Embezzlement Crime
- Fraud - use of deception for unlawful gain or unjust advantage
- Embezzlement - special type of financial fraud where an individual steals money or property from
employer, customers, client, etc.
- "Ponzi scheme"
- "Salami attacks"
- Minor actions to large gains
- To reduce the risk of internal fraud and embezzlement
- Mandatory vacations
- Goal is to let another person to perform job to increase possibility of exposing an
suspicious activities
- Requires employees to take vacations for a minimum period
- Job rotation
- Moving employees periodically between different jobs
- Increases chance to expose internal fraud
- Combined with "separation of duties" practice
Privacy Issues
- Key element to avoid data leakage is due diligence - actively taking steps to protect data
- Defining data breach
- Unauthorized personnel gains access to data
- European Directives
- Data Protection Directive - processing and protection of personal data in EU (obsolete by
GDPR)
- E-Privacy Directive - protection of digital data (e.g. cookies)
- Safe Harbor Program
- COPPA (Children Online Privacy Protection Act) - applies to collection of information on
children under the age of 13
- California Online Privacy Protection Act (OPPA) -
SSCP Page 66
Cryptography
Saturday, April 28, 2018 12:34
- Provides
○ Confidentiality - prevent unauthorized access to data (encryption)
○ Integrity - prevent unauthorized modifications to system and data (hashing)
○ Authenticity - assurances that data is coming from a known source and s valid and reliable
Terminology
- Plaintext - cleartext
- Ciphertext - encrypted or scrambled format, can be decrypted back to plaintext with proper key
- Encryption - process of converting plaintext to ciphertext
- Encryption algorithm - mathematical process of converting plaintext to ciphertext
- Symmetric encryption - data is encrypted and decrypted with the same key
- Asymmetric encryption - encryption and decryption is provided using different keys
(private/public key pair)
- Cryptography - science of encryption, study of algorithms
- Cryptographic system - includes algorithms for encryption/decryption
- Cryptanalysis - science of studying cryptographic methods (looking for weaknesses)
- Hashing - process of producing hash from data
Data Sensitivity
- Drives the selection of encryption algorithms (according to data classification)
- Encryption has high requirements for performance, storage, etc.
Regulatory Requirements
- Encryption of PII and PHI at rest (encryption on disk) or in motion
- PCI DSS - enforces the use of strong crypto algorithms
Integrity
- Enforced by hashing
○ Number calculated from data, if data changes also hash changes
- Does not provide confidentiality
- One way encryption
○ It's not possible to extract plaintext from hash (may be possible by using rainbow tables)
- Algorithms
MD5 128-bit hash, cryptographically broken
SHA-1 160-bit hash, vulnerabilities, obsolete
SHA-2 224 to 512-bit hash, similar to SHA-1, may be broken soon
○ SHA-3 224 to 512-bit hash, different algorithm than SHA-1/2
HMAC Works with MD5 or SHA, adds shared secret key to hashing, adds authenticity
- Receiver must have the secret to validate hash (and sender is
authenticated)
Salting passwords
- Adds random number of bits to the passwords
- Salt has to be saved with resulting hash to database
- Salt has to be random number (even if 2 passwords are the same, they must have different hash)
Symmetric Encryption
SSCP Page 67
Symmetric Encryption
- Single key for encryption and decryption
- e.g. ROT13 encryption - rotating text
Asymmetric Encryption
- Public/private key pair
- Anything encrypted with public can be decrypted only by private and vice versa
- Requires PKI to create, manage, distribute, validate and revoke certificates
- Use:
○ Privately share symmetric key for encryption
○ Digitally sign email
- Public key is embedded in certificate and freely shared
RSA
- NIST recommends using 2048-bit and longer keys
- Uses large prime numbers to create secure pub/priv keys
○ These are multiplied to create composite number and that is used for key pair generation
○ RSAs strength lies in the fact that if those numbers are large enough, factoring the
composite number is computationally infeasible
TLS
SSCP Page 68
TLS
- Encrypts HTTP over port 443
- Uses asymmetric encryption to share the symmetric key for encryption (faster)
- Establishing TLS connection - https://www.acunetix.com/blog/articles/establishing-tls-ssl-
connection-part-5/
SSL
- Obsolete by TLS
- POODLE and Hearthbleed vulnerabilities
- https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/
Diffie-Hellman (DH)
- Public key algorithm to share symmetric keys between systems
- Focused on secure key exchange
S/MIME
- Standard to encrypt and digitally sign email
- Non-repudiation
○ Prevents from individual denying they took an action
- Digital signature
○ Hash of message encrypted with senders private key
Authentication (primary goal) - as the senders private key was used, it is proof that
message comes from him
Integrity - hash is validated on recipients side
Non-repudiation - sender cannot deny that message was created and sent by him
○ ECDSA
○ Message is not encrypted when digitally signing - no confidentiality!
Encrypting Email
- With recipients public key
○ Only matching private key (hold by recipient) can be used to decrypt message
- Symmetric key is generated and used for encrypting email
○ Symmetric key is encrypted by recipients public key and sent with message
Steganography
- Hiding data in a plain sight
- e.g. modify least significant bit in a byte
○ Makes a change of color tint in a picture or slight change in audio file
Not distinguishable
SSCP Page 69
○ Not distinguishable
- The larger the file the longer message can be encoded
- There is no encryption
- Steganalysis techniques - to detect the use of steganography
○ e.g. if you have a hash of original file, new hash won't match it
IPSec
- AH (authentication only) & ESP (authentication and confidentiality)
- Can be used by VPNs
Certificate
- Primary purpose - distribution of public key
○ Other purposes
Authentication - prove the identity of users and computers
Encryption
Protecting email - encryption and digital signatures
Code signing - authentication of the developer and integrity for the code
□ Extended Validation Code Signing
- Include following information
○ Who it was issued to
○ Issuer
○ Validity dates
○ SN
○ Public key
○ Certification path (trust chain to the root CA)
Certificate Authority
- Issues and manages certificates through their lifetimes
- Public or private
- Registration Authority - accepts certificate requests, validates data and passes requests to CA
○ Optional, never issues certificates
Revoking Certificates
- Before its expiration
○ e.g. when matching private key is compromised
○ CRL - list of revoked certificates on CA
○ CRL distribution point is included in certificate
Client can request copy of CRL list and verify that given certificate is not on it
Validating Certificates
- User's system examines certificate itself - if it has not expired (validation dates), validates the
SSCP Page 70
- User's system examines certificate itself - if it has not expired (validation dates), validates the
domain it was asking for with the domain for which the certificate was issued
- User's system checks with CA - request for the copy of CRL
○ Or OCSP (Online Certificate Status Protocol)
SN of certificate is sent to OCSP responder which identifies health of certificate and
returns status (good, revoked or unknown)
CRL does not need to be transmitted
Key Escrow
- Storing a copy of private key for safekeeping
- e.g. keys of employees can be stored on offline storage
○ Recovery agent is authorized to recover keys
○ Strong auditing
○ Separation of duties
○ Etc.
Cryptanalysis Attacks
- Process of deciphering codes through analysis to compromise confidentiality or integrity of the
data
- Used by both black hats and white hats to look for weaknesses
SSCP Page 71