LinkedIN Course

Friday, March 23, 2018 10:02

https://www.linkedin.com/learning/it-security-careers-and-certifications-first-steps/government-fisma

FISMA - requires federal agencies to implement comprehensive security policies

GLBA - financial institutions to ensure security of customer information
HIPAA - health care organizations to ensure security of patient information
SOX - requires publicly traded US corporations to have strong internal controls on corporate financial
data
PCI-DSS - requires the retailers to follow strict security controls (when processing credit cards)

SSCP Page 1
Security Fundamentals
Thursday, December 28, 2017 07:47

CIA - Confidentiality, Integrity, Availability

- three primary goals of an information security program are to prevent the loss of confidentiality,
the loss of integrity, or the loss of availability
- Confidentiality
○ Prevent unauthorized disclosure of data
○ Authentication
 Unauthorized users cannot access data
 Identifying and authenticating users & implementing access controls
○ Encryption
 Use only secure algorithms
 xWEP -> xWPA -> WPA2
- Integrity
○ Prevent unauthorized or unwanted modification of data
○ Hash
 Detect alteration of data
 Attacker can change also hash (with message modification)
□ Hash should be encrypted
○ Audit Logs
 System integrity
 Tracks changes to the resource
- Availability
○ Backups
 Keep backup data in offsite location
○ Redundant disks
 RAID
○ Redundant servers
 Failover clustering
○ Redundant connections
○ Redundant sites
 Hot site - ready at moment notice
 Cold site - empty building with electricity and water
 Warm site - something in the middle
○ Build business continuity plans & disaster recovery plans

Least Privilege
- Grant user minimal access to resources required to perform his job

Separation of Duties
- Prevent fraud by ensuring that no single person has complete control over a process

Privacy
- PII - Personally Identifiable Information
○ Persons name, social security number, birthdate, etc.
- PHI - Protected Health Information
○ Medical and health history
- Strong encryption, authentication

Defense in Depth
- Several layers of security
- Combination of multiple controls on several layers

SSCP Page 2
 - Combination of multiple controls on several layers

Nonrepudiation
- Party cannot deny taking an action
- Audit logging, digital signatures
- e-commerce transactions
○ Credit card + signature

AAA
- Authentication
○ Verifies the credentials
○ Three types of factors
 Something you know, something you have, something you are
- Authorization
○ Assigned rights and permissions to resources
- Accounting
○ Tracking activity of a user
- Users must be identified by accounts

Accountability
- If a system can track activity of an individual system, it provides accountability

Due Diligence
- Refers to investigative steps taken prior to taking on something new
- Identify risks that can result in the loss of CIA
- Risk cannot be eliminated
○ Management decides which risks to mitigate

Due Care
- Practice of implementing security policies and practices to protect resources
- Ensures that certain level of protection is applied
- Due negligence - being irresponsible with level of implemented security

SSCP Page 3
Access Controls
Thursday, December 28, 2017 08:52

- Primary controls - identification and authentication

- User must prove his identity with authentication
- Users rights and permissions are granted based upon proven identity
- A control may be physical, logical, or administrative and limits or mitigates a risk.

Authentication
- Typically username/password
- 3 different factors
○ Something you know
 Password, PIN, personal questions, etc.
○ Something you have
 Smart cards, HW & SW tokens, proximity cards, etc.
○ Something you are
 Biometrics
Something you know
- Static password - stays the same over a period of time
- One-time/dynamic password - used only once per session
- Cognitive password - personal challenge questions -> name of the first pet, favorite color
- Passphrase - long string of characters with some meaning

- Password security guidelines

○ Use strong passwords - combination of everything
○ Don’t write passwords down
○ Change often
○ Different passwords of different systems
○ Beware of social engineering
○ Audit passwords - control password policies
○ Use credential management system - keepass, win credential manager

- Windows Group Policy -> Password Policy

○ Enforce password history - prevent reusing last X passwords
○ Maximum password age - password validation period
○ Minimum password age - minimal time for user to wait before changing password again
○ Minimum password length - password must be at least X characters long
○ Complexity requirements
○ Store passwords using reversible encryption - should be disabled
Something you have
- Smart cards - card that has embedded certificate used to identify user
○ Usually requires PIN to use smart card (two-factor authentication)
- Hardware token - generates passwords that change every X seconds
○ Authentication server must know the correct digit combination in given time
○ 2 types
 Synchronous dynamic password - changes password at specific times
□ Server and token must have time synchronized
 Asynchronous dynamic password - method to create one-time dynamic password
- Software token - TOTP and HOTP protocols
○ e.g. Google Authenticator or Symantec VIP Access
○ TOTP - synchronous dynamic passwords based on time
○ HOTP - creates HMAC hash utilizing counter and secret key known by token and server
 Remains valid until used
 Asynchronous dynamic password
○ OPIE - One-time Password in Everything
 Based on S/KEY
 Asynchronous dynamic passwords
- Proximity Cards
○ Access to the building, identification badges
Something you are
- Fingerprints - fingerprint scanner
Can be fooled easily

SSCP Page 4
 ○ Can be fooled easily
- Palms - palm scanner can measure the vein pattern using infrared scanner
- Retina - scan pattern of blood vessels a the back of the eye
- Iris - lighting can affect iris scans
- Behavioral biometrics
○ Keystroke dynamics, handwriting analysis
○ Not reliable
- Can be used for authentication as well as for identification
- Biometric Error Rates
○ FRR (False Rejection Rate) - percentage of times the system falsely rejects known user
○ FAR (False Acceptance Rate) - percentage of times the system falsely identifies unknown user as known
○ CER (Crossover Error Rate) - the point where FAR and FRR of the system are equal
 Lower CER, the better the system

Multifactor Authentication
- Two or more factors for authentication
- Smartcard + PIN
- Fingerprint + password
- HW token + username/password

Identification
- Username, biometrics, face recognition

Single Sign-On (SSO)

- User authenticates only once and then can access multiple systems
- Kerberos
○ Uses symmetric keys and encryption to protect transmission

○ used in Active Directory implementations

○ network that uses Kerberos as its authentication protocol is called a Kerberos realm
○ uses a system based on authentication tickets and timestamps that are issued out to the authenticated user
○ timestamps help prevent replay attacks
 rely heavily on authoritative time sources
 default tolerance for time differences is 5 minutes
○ uses several components
○ Kerberos Key Distribution Center (KDC)
 responsible for authenticating users and issuing out session keys and tickets
 In AD environment KDC is domain controller
Authentication Service (AS)

SSCP Page 5
 ○ Authentication Service (AS)
○ Ticket-Granting Service (TGS)
○ When a user logs into the system, the AS verifies her identity using the credentials stored in AD. The user is then issued a
Ticket-Granting Ticket (TGT) by the AS, which can be used to access resources throughout the domain. The TGT expires after a
certain amount of time, so it must be periodically reissued. When a user wants to access a resource in the domain, the TGT is
presented to the TGS for authentication and the TGS generates a session key for the communications session between the
user and the resource server. This is known as a service ticket and is used for the duration of the access to the resource.
When a user later needs access to the same or a different resource, the older ticket is not reused and a new service ticket i s
generated.
○ uses both TCP and UDP ports 88, and it uses symmetric key cryptography
- Federated Access
○ Allows users in different networks to log on only once and use multiple systems managed by different organizations
○ Federated SSO systems share information via federated database
○ Includes identity information needed by each of the sites
○ Does not include passwords
- SAML
○ open standard that uses XML as its markup language format
○ standardized method of transferring information about authenticating users to an authentication service
○ passing authentication information between services
○ uses three types of information
○ principal - authenticating user
○ identity provider - entity authenticating the user
○ service provider - entity who must accept the authentication
○ web-based single sign-on
○ Provides SSO for web-based application servers
- SESAME
○ Secure European System for Applications in a Multivendor Environment
○ Alternative to Kerberos for EU
- KryptoKnight
○ IBM alternative to Kerberos
○ Rarely used

Centralized vs. Decentralized Authentication

- Centralized - credentials are stored on central server
○ SSO can be implemented
- Decentralized - every node has a separate database that stores credentials

Offline Authentication
- In Windows, system caches credentials
- When user wants to login but is offline to the AD, system authenticates user based on cached credentials
- User can only access resources on local system

Device Authentication
- Prevent unauthorized devices from accessing the network (BYOD)
- MAC address filtering - easy to bypass
- Device fingerprinting
○ OS version, IP address, browser, fonts, plug-ins, storage, resolution, cookies, etc.

Implementing Access Controls

- Subject - accesses the resource
○ Must be properly identified and authenticated
○ User, computer, application, network
○ Attributes
○ Time - prevent subject from logging out of normal hours
○ Remote access - Network access from VPN
○ Location - analyze IP address
- Object - resource being accessed
○ Data, HW, Application, Networks, Facilities
○ Different levels of access (RO, RW, etc.)
- Logical Access Controls
○ ACLs
○ Security kernel - part of OS that controls access to resources

SSCP Page 6
Access Control Models
- Discretionary Access Control (DAC)
○ Granular level of access control
○ NTFS, NFS
○ Users have ownership of the data and can have full control over it
○ Uses DACLs

○ Composed of several access control entries (ACEs)

○ List of subjects along with their permissions
○ CREATOR OWNER - automatic full control permission to file or folder they create
- Non-Discretionary Access Control
○ Security admins control the access granted to users
○ Users do not have automatic ownership of their resources
○ Can be implemented partially - e.g. only for system files
○ Prevents malware from taking ownership of system files
○ Mandatory Access Control, Role-based, Rule-based and Attribute-based models
- Role-based Access Control (RBAC)
○ Subject are placed in specific roles and permissions are granted to the roles
○ Easier to implement
○ Reduce administrative workload, effective in companies with high employee turnover
○ If permission would be assigned individually
○ Administrative overload
○ Permission creep - collecting more and more permissions
- Rule-based Access Control
○ Admins create rules that determine access to resources
○ Implicit deny rule
- Attribute-based Access Control (ABAC)
○ Evaluates subject and object attributes
○ Policy statement elements
○ Subject - user accessing resource, its status, group membership, etc.
○ Object - file, database, application, Youtube, etc.
○ Action - reading, manipulating, accessing specific websites
○ Environment - context of access request, time, location, protocols, encryption, devices, etc.
○ "Allow logged-on users to access Youtube videos using smartphones via the guest network"
- Mandatory Access Control (MAC)
○ Labels to identify subjects and objects
○ Highest level of security
○ Classification for data
○ Top Secret, Secret, Confidential, Unclassified
○ Each classification level does have sub-classifications, need to know
○ Architectures

SSCP Page 7
 ○

○ Bell-LaPadula
 Enforces confidentiality - unauthorized personnel cannot access the data
 Simple security property rule - no read up
 Subjects granted access to any security level may not read and object at higher security level
 The star * property rule - no write down
 Subjects granted access to any security level may not write to any object at a lower security level
○ Biba
 Enforces integrity - unauthorized data modifications
 Simple Integrity Axiom - no read down
 Subjects granted access to any security level may not read an object at a lower security level, at least not as the
authoritative source
 The * Integrity Axiom - no write up
 Subjects granted access to any security level may not write to any object at higher security level
○ Clark-Wilson
 Primary focus on integrity
 Uses certification rules (C1-C5) and enforcement rules (E1-E4) to enforce separation of duties
○ Chinese Wall (Brewer-Nash)
 Prevent conflict of interest and enforce separation of duties
 Data is classified using different conflict-of-interest classes
 If subject has access to data in one class, he/she cannot access data in a conflicting areas

Access Control Matrix vs. Capability Table

- Access Control Matrix - list of objects along with the permissions granted for each object
- Capability Table - list of subjects along with capabilities granted to the subject

Identity Management Lifecycle

- Managing accounts through lifetime
- Rights and privileges
- Identity proofing
○ To prevent fraud
○ Driver's license, CVV, cognitive passwords
- Provisioning and Authorization
○ Creating accounts and granting appropriate privileges
○ Automate account creation
○ Admin accounts
○ Should be isolated and used only for administrative tasks
- Maintenance and Entitlement
○ Account management policies
○ How accounts are created and managed through lifetime
○ Password policies
- Account Lockout Policies
○ Prevent guessing passwords
○ Threshold - how many incorrect passwords are allowed
○ Duration - hot long the account remains locked out

Entitlement and Principle of Least Privilege

- Entitlement
○ Privileges granted to users
○ RBAC
○ Former privileges should be removed from account when it is transferred to other group
- De-provisioning
○ Disabling and deleting inactive accounts
○ Account should be disabled when user leaves and organization

Physical Security Operations

- Physical access controls
Guards

SSCP Page 8
 ○ Guards
○ Locked doors
○ Alarm systems
○ Cameras and CCTVs
○ Facilities
- Personnel should prevent tailgating
○ Someone follows someone through controlled entry point without providing credentials

SSCP Page 9
Basic Networking and Communications
Monday, February 5, 2018 08:26

OSI Model
- Segment (datagram) -> packet -> frame -> bits
- Physical layer
○ Cabling, hubs, repeaters, wireless radio waves
○ Security -> protecting access to network
 e.g. against connecting sniffer
○ Coax, UTP, STP, wireless - easy to tap in
○ Fiber - harder to tap in
- Data link layer
○ 2 sublayers
 MAC sublayer - defines MAC addresses
 Logical Link Control
○ Spoofing MAC address
○ Frames
○ May include ordered delivery and error correction features
- Network Layer
○ IP
○ ACLs - basic packet filtering
- Transport Layer
○ End-to-end communication services
○ Error detection and recovery mechanisms
○ TCP
 Connection-oriented, reliable, guaranteed delivery
 SYN, SYN-ACK, ACK
 SYN flood attack - DoS
○ UDP
 Connectionless
 TFTP
- Session Layer
○ Establishes and maintains sessions between applications
○ RPC - Remote Procedure Call
- Presentation Layer
○ Standardizes data presentation for application layer
○ Encryption, decryption, compression, decompression
- Application Layer
○ Support many security features
 Authentication, access control, encryption, hashing, digital signatures, etc.

Network Topologies
- Ethernet
○ CSMA
 Collision Detection - if collision occurs, all devices are alerted and muted for a while
□ Required only in half duplex communication
 Collision Avoidance - listen before transmitting data, Request to Send -> Clear to Send
□ Used in 802.11 networks
- Bus

SSCP Page 10
 ○

○ Expensive to maintain, difficult troubleshooting

○ Single break in cable takes down whole network
- Star
○ Devices are connected to central switch
- Tree
○ Combination of bus and star
- Token Ring
○ 802.5
○ Does not scale well - 5 stations -> 20% of time on station
○ FDDI - dual-ring, fiber optic
- Mesh
○ Full or partial mesh
○ Full mesh - high cost of connections (too many)

Protocols and ports

- Hardening server - removing all unneeded protocols and services

- DHCP
○ Discover -> Offer -> Request -> Ack
- ARP
○ IP to MAC
○ RARP
○ BootP - allows diskless client with MAC address to get an IP and retrieve a bootable ISO
- NDP
○ ARP in IPv6
○ Automatic node configuration, discovery, locate routers, DAD
- DNS
○ Name to IP address
○ Hierarchical system, distributed databases
○ 13 root servers
○ Different types of records
 A record - resolves host name to IP address
 PTR record - resolves IP address to a hostname
 MX record - identifies mail server

SSCP Page 11
  MX record - identifies mail server
 CNAME record - allows system to be known by different names
○ BIND - DNS on UNIX
○ UDP 53 - client query for name resolution
○ TCP 53 - query between DNS servers
- ICMP
○ Can be used in DoS attacks, should be blocked
- IGMP
○ IPv4 multicast
- SNMP
○ Manage network devices
○ Can send traps or process gets for stats
○ V1 and v2 have security flaws
○ V3 uses encryption, verifies integrity and includes authentication
○ SNMP agents receive data on UDP 161 and send traps on UDP 162
 Can use TLS - TCP 10161 and 10162
- FTP
○ Transfer files
○ Authentication in form of username or password
○ TCP 20 and 21
○ TFTP
 UDP 69
 Does not support authentication
○ Transfer of data in clear text
○ SFTP - uses SSH to encrypt FTP traffic
- Telnet
○ TCP 23
○ Data in cleartext, including credentials
- SSH
○ TCP 22
○ Encryption protocol, provides secure session
○ Can be used to encrypt other protocol traffic - FTP, SCP
○ Uses asymmetric and symmetric encryption
- HTTP/HTTPS
○ HTTPS uses SSL/TLS
 TLS is replacement for SSL
 TCP 443
- TLS/SSL
○ Used for encryption of other protocols
○ TLS is replacement for SSL
○ Operations performed on 3 layers
 Transport layer - initial connection
 Session layer - handshake protocol within TLS, negotiating details for TLS session
 Application layer - TLS Record Protocol, provides confidentiality and integrity
- NFS
○ Network File System
○ Access and share files across the network

- Routing protocols - OSPF, RIP, EIGRP

- Email protocols - SMTP, POP3, IMAP4
○ IMAP can show only headers, able to organize mails into folders
- Tunneling protocols - PPTP, L2TP
- IPSec

SSCP Page 12
 - IPSec
○ AH (no encryption, protocol number 51), ESP (protocol number 50)

INTERNETWORK TRUST ARCHITECTURES

- 4 types of networks
○ Internet - public network, highest security risk
○ Intranet - organizations internal network, lowest risk
○ DMZ - layer of protection for servers that need to be publicly available, high risk
○ Extranet - host resources via Internet but available only to trusted third parties
- PAN, LAN, MAN, WAN

Private IP addresses
- Not routable on the Internet
- 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- IPv6 - fc00::/7

NAT
- On router or proxy server
○ Static - one-to-one private public IP address static mapping
○ Dynamic - first-come first-served basis for mapping Ips in pool
○ PAT - multiple private Ips to single public IP

Trust Relationship
- One-way
○ Allows subject in one domain to access resources in other domain, vice versa does not work
- Two-way
○ Both domains trust each other, vice versa trust
- Transitive trust
○ A trusts B and B trusts C => A trusts C
- Trust does not mean automatic rights, those still need to be assigned

WIRELESS

- WAP capablities - WAP, DHCP, NAT, Routing, FW

Security
- Radio waves are easily captured by attacker
○ In NIC promiscuous mode
- WEP
○ Obsolete
- WPA
○ Easy to crack passphrase
- WPA2
○ 802.11i
○ Support Counter Mode with CCMP
○ Supports TKIP and AES encryption
○ Personal
 Uses pre-shared key

SSCP Page 13
  Uses pre-shared key
 Symmetric encryption
- Change wireless router default access
- SSID - can't be longer than 32 characters
○ Broadcast or hide
 Even if hidden, SSID can be sniffed
- MAC filtering
○ Allow only specific MACs to connect to wifi
○ MAC can be easily spoofed
- Bluetooth
○ PAN
○ Attacks
 Bluesnarfing - pair with BT enabled smartphone and can access data on device
 Bluebugging - access the phone and issue specific commands (call forwarding, send
messages, etc.)
 Bluejacking - send unsolicited messaged to nearby Bluetooth devices
- GSM
○ 2G, 3G (3Mbps, HSPA), LTE and 4G (100Mbps in speed, 3Gbps walking), 5G (2020)
- WiMAX
○ 802.16
○ Broadband wireless coverage to MANs
○ 30 miles, up to 40Mbps
- RFID
○ Radio Frequency Identification
○ RFID tag can be read by reader
 Active - with battery, always transmitting
 Passive - reader excite electronics on tag and cause it to transmit information
- NFC
○ Near Field Communication
○ Transmitting only in short distances
- Protecting Mobile Devices
○ Password - PIN, pattern
○ Encryption - encrypt data
○ Remote wipe - send command to remotely wipe device data
○ GPS - can be used to locate lost device

○ Mobile devices are easily lost but contain valuable information

SSCP Page 14
Advanced Networking and Communications
Wednesday, February 7, 2018 09:18

LAN Security
- Segmentation on L2 - VLAN or router
○ Divide broadcast domains
○ Security, performance, reduced cost
- Secure device management
○ Strong physical security
○ Traffic mirroring - SPAN, RSPAN, ERSPAN

Telecommunications
- Data at transit are always at risk
- Internet connections
○ PSTN - dial-up lines, 50kbps
○ ISDN - circuit-switched telephone network, 120kbps
○ DSL - over telephone networks, up to 40 mbps
○ Cable modem - broadband Internet access, usually 4mbps
○ Cellular - 3g, 4g, hotspot
○ Satellite - in rural areas, unstable
- VoIP
○ SRTP - Secure RTP
 Confidentiality, message authentication, replay protection
 AES for encryption and salting to protect against offline attacks
□ Adds bits to passwords or encryption keys to thwart brute-force attacks
- Securing Phones
○ Protect the system and wiring with physical security
○ Protect and regularly change admin password
○ Restrict numbers that can be used for call forwarding - block or restrict
 prevent attackers from modifying call-forwarding features
○ Restrict long distance calling - enable only on entering authorization number
- Converged Communications
○ FCoE - FC over TCP/IP network
○ Security concerns - not widely used, can be unsecured, discovering vulnerabilities may take
longer time

Proxy Servers

- Usually implements NAT

- Caching and filtering of web content
- Whitelisting or blacklisting

SSCP Page 15
 - Whitelisting or blacklisting
Firewalls
- Network-based or host-based
- Packet-filtering firewall
○ Stateless - cannot determine whether a packet is part of ongoing session
○ Uses ACLs
○ Filters traffic based on IP address, Subnet address, port, protocols, combinations

○ Uses implicit deny

○ Used at Internet boundary - external screening router
- Stateful inspection firewall
○ Monitor complete session
○ Identifies active connections and monitors the status of them (e.g. three-way handshake)
○ Rejects traffic that is not part of active connection or does not initiate new connection
- Application Firewall
○ HTTP proxy to examine web traffic, SMTP proxy for mail traffic, etc.
○ Must recognize communication on L7
○ Requires separate component for each protocol - can affect performance
 Packet-filtering FW drops packets based on port and those which are allowed are
inspected on application FW
- Next-Generation Firewall
○ Integrate multiple capabilities (UTM)
○ Malware blocking, URL filtering, SPAM filtering
- Network-based FWs
○ Provides protection for network
- Host-based FWs
○ Protection for single host
○ Included in OS

Defense Diversity
- e.g. implementing DMZ (created by two FWs) by using two different FW vendors
○ One vulnerability should not compromise both FWs

Remote Access Solutions

- Remote-access via dial-up or VPN (Internet)
- Risks and Vulnerabilities
○ Strong multifactor authentication
○ VPN must be encrypted
- Tunneling protocols
○ SSH - not used for VPNs, encrypting Telnet or FTP
○ L2F - obsolete, does not provide encryption
○ PPTP - uses GRE, Microsoft developed, MPPE encryption (initial authentication process is
not encrypted!)
○ L2TP - doesn’t provide encryption, usually used with IPSec
○ IPsec
 Problem with NAT - NAT-T
 AH - authentication & integrity

SSCP Page 16
  AH - authentication & integrity
 ESP - encryption
 Tunnel/transport (only payload is encrypted) mode
○ TLS
 Used for e.g. HTTPS, 443
 Replacement for SSL
- Authentication
○ PAP - obsolete, credentials passed over network in clear-text
○ CHAP - md5(password + nonce)
 Nonce provided by server when initializing communication
 MS-CHAPv1/v2
□ Mutual authentication - client <-> server
○ EAP
 Doesn’t use specific method, can be used as extension
 PEAP - Protected EAP
□ Encrypts and encapsulates EAP in TLS
□ Requires cert on server
 EAP-TTLS - EAP Tunneled-TLS
□ Uses AV Pairs - can secure other authentication methods
□ Requires certificate on a server
 EAP-TLS
□ Mutual authentication
□ Both client and server must have certificates
□ Best option
○ RADIUS
 AAA
 Credentials are passed from remote access server
 Can be used for VPN authentication, 802.1x, etc.
 VPN server - RADIUS client
 Can be integrated with AD
 Uses UDP and encrypts only password
□ RFC 6613 and 6614 describe TCP and TLS
○ Diameter
 Successor to RADIUS
 TCP, supports IPsec and TLS
○ TACACS+
 TCP, encrypts entire authentication session
- Traffic Shaping
○ Delaying some types of traffic so that others could be prioritized

Access and Admission Control

- NAC - Network Access Control
○ Can control unhealthy clients connecting to internal network
 AV installed, up-to-date OS, host-based FW
○ Automated enforced OS updates, AV updates, control of installed SW

Virtual Environment
- Host, guest, hypervisor
- Host runs hypervisor which manages guest VMs
- VMs usually use shared storage
○ Big and fast
○ Strong access control - VM must not access another VMs storage
- VMs within the same data classification (Secret, Unclassified, etc.) should be on the same host
- Virtual Appliance - VM with preconfigured OS and apps

SSCP Page 17
 - Virtual Appliance - VM with preconfigured OS and apps

- Continuity and Resilience

○ Virtualization contributes to continuity and resilience
 Clouds
○ Capacity of resources can be adapted on demand
○ Easily create backups, snapshots
○ Dynamic resource scheduling, vmotion, etc.
- Separation of Control and Data Plane
○ Data Plane - decides if traffic should be forwarded and where
○ Control Plane - identifying paths to the networks (OSPF, BGP)
○ SDN

- Attacks and Countermeasures

○ Hypervisor - potential risk
 Just a SW
 If attacker can access host from VM, it can possibly access all VMs
○ Risks
 Improperly configured hypervisor - access must be restricted, hardened system
 Infected virtual appliances - especially with free virtual appliances
 Data leakage - relatively easy to export VM with all data
 Improperly configured virtual network - done by server admins
 VM escape - allows guest to interact with host system, known attack

Cloud Computing
- Computing services provided over Internet
- SaaS, PaaS, IaaS

- Security & maintenance responsibilities of vendor and customer above

- SaaS
○ "on-demand software"
○ Gmail, google docs
○ DNS provided by provider
○ VPN services for anonymization of Internet browsing
- PaaS
○ Provides users with computing platform
○ HW, OS and applications
 User can pick which application will be on VM
○ Most of the maintenance is performed by vendor
- IaaS
○ Hardware-as-a-Service
○ Customer is responsible for OS and updating
○ Vendor is responsible only for maintaining HW
Cloud Operation Models
- Public Cloud
○ Provided by third-party vendors and available to anyone
○ iCloud, AWS, Azure
- Private Cloud
○ Available to organization
○ Private DC
BEST SECURITY

SSCP Page 18
 ○ BEST SECURITY
- Community Cloud
○ Private cloud shared by two or more organizations
- Hybrid Cloud
○ Combination of two or more clouds
Storage
- Cloud storage - might not be secure
- Legal jurisdiction of storage location
○ Sensitive data on Russian server
- E-discovery - electronic discovery
○ Locating and securing data so that it can be used as an evidence
○ Can only be applied on providers within legal jurisdiction of the country
Privacy
- Cloud providers are vulnerable to attacks
- Cracked passwords are responsibility of customer
- Ideally encrypt sensitive data before passing to the cloud - with your own keys
Data Control & Third-Party Outsourcing
- SLA between organization and vendor can include
○ Expectations for data availability and security
○ Data portability - reuse data across interoperable applications
○ Data destruction - when the data is no longer stored with cloud provider, data must be
properly deleted
○ Auditing - auditing access to data in cloud
○ Data resilience - backup/recovery
Compliance
- Organizations have legal responsibilities to comply with law
- HIPAA - US Health Insurance Portability and Accountability Act
- PCI DSS - Payment Card Industry Data Security Standard
- If such organization puts data in the cloud and breach happens, organization is responsible, not
cloud provider
○ Unless compliance included in SLA

SSCP Page 19
Attacks
Wednesday, February 21, 2018 15:22

- To take the system down or gain some information

Hacker - does not break into systems with malicious intent

- White hat
- Ethical hacker
Cracker - attacks system with malicious intent or for personal gain
- Black hat
Gray hats - in between

Advanced Persistent Threats (APT)

- Highly sophisticated group of people who target their attacks
- Usually sponsored by government
- Persistently attack until they succeed

Insider Attacks
- Someone with authorization steals data from organization for personal gain
- Access to system for fired employees should be terminated before they have a chance to perform
malicious action
- Smaller threat than attacks from outsiders
- Prevention - effective access control (strong authentication and authorization) and strong auditing
techniques

Script Kiddies
- Unexperienced attacker who is using downloaded script to perform attacks
- Bored teenagers

Phreak
- Someone who illegally breaks into a phone system

Accidental Threats
- Responding to phishing attempts
- Forwarding malware or bringing it from home
- Unauthorized data access
○ Accidental access, modification, removal…
- Losing HW
○ Losing NTB means losing also data on it

Attack Types and Countermeasures

- Attack developed <-> patch developed
- Basic Countermeasures
○ Patching Systems
○ Hardening Systems
○ Increasing User Awareness

- Spoofing
○ Impersonating as someone or something else
○ Can be on different levels (MAC, IP, HTTP Cookie, email "from")
- DoS
Take down system

SSCP Page 20
 ○ Take down system
○ Disrupt service by taking system down or overloading it
 => service not available
○ e.g TCP SYN flood
 TCP session half-open
 IDS can detect this
○ Ping of Death
 Obsolete
 64kB icmp packet
○ LAND
 Local area network denial
 Tricks system to sending out packets to itself in an endless loop
- DDoS
○ DoS from multiple attackers at the same time
○ Botnets
 Compromised systems commanded by attacker
- Botnet
○ Compromised systems (zombies) commanded by attacker from command and control
center
 Infected by drive-by download - malware downloaded from malicious website
(without users knowledge) or through link in malicious email
○ CAC - can be one or multiple servers controlled by bot herder
 Attacker can send different commands to zombies - launch DDoS, send phishing email,
etc.
○ Are usually rent-out for customers
- Sniffing
○ Packet sniffer, capturing data
○ Mitigation - encrypt all data, protect access to network, use switches instead of hubs,
physical security
○ Promiscuous (capture all data reachable to the system) or non-promiscuous mode (capture
only data addressed to the system)
- Ping sweep
○ ICMP to identify which IP addresses are operational within the range
○ Usually part of reconnaissance
 Afterwards, vulnerability scanners used to obtain details
- Port Scan
○ To detect what ports are open on a system
○ Part of fingerprinting attack
 Gathering information on specific systems
○ Can be easily detected on FW or IDPS (sequential or random port scanning)
- Salami attack
○ Attacker performs large number of minor actions that likely won't be noticed
○ e.g. shaving a penny from each financial transaction
○ Can be used to get information from databases piece by piece
 Inference attack - collecting pieces of small, seemingly inconsequential information
and putting them together to infer or deduce sensitive information
- MITM
○ Eavesdropping by putting system between two communicating parties
 e.g. sniffer
○ TLS MITM - system is acting as TLS proxy, transparent for both parties
○ Can be used legally - e.g. for monitoring users activities
○ active (capture data from specific system) or passive (capture data from any system)
- Session Hijacking
Attacker captures information from ongoing session and then impersonates original client

SSCP Page 21
 ○ Attacker captures information from ongoing session and then impersonates original client
○ e.g. stealing HTTP cookie by sniffing on the session
○ Firesheep, Facesniff
- Replay
○ Started by sniffing on a session
○ Information are used to impersonate other party
○ Mitigation - Kerberos (uses timestamps), CHAP (nonce - number used only once during
authentication)
- Smurf Attack
○ Broadcasts ICMP echo to multiple systems on the network but uses spoofed source IP of
attacked host
 Attacked host is flooded by responses
 Amplifying network - directed broadcast ping (can pass the router)
□ Blocked on routers
- Fraggle Attack
○ Sends packets to UDP port 7 (echo port) or 19 (chargen)
○ If chargen is enabled, it sends random character whenever traffic received on a port
 Usually disabled
- Buffer Overflow
○ Application is not able to handle received data
○ Overflow of assigned memory
○ Can be used to write additional code into protected memory
○ e.g. send large volume of NOOP (no-operation) commands to position memory pointer and
then add the code
○ Gain elevated privileges
○ Starts as a programming error
○ Mitigation - proper error handling in application, input validation, keeping systems up-to-
date
- Injection attacks
○ Inject code into web application
○ SQL Injection
 e.g. entered data into website form contains SQL query
 Mitigation
□ Input validation - restriction of double hyphen (comment in SQL) or semicolon
(end of command), etc.
□ Stored procedures - group of SQL statements that execute as small program
○ Command Injection
 Inserting OS system command into website form
 Mitigation - input validation
- Cross-Site Scripting (XSS)
○ Inject HTML or JavaScript code into webpage
○ Injecting malicious code to harm webpage visitor
 Steal sensitive information from users system (e.g. cookies)
○ Mitigation - server-side input validation
- Cross-site Request Forgery (CSFR)
○ Send malicious command from the users system to the website
 User click malicious link that includes a command
○ Exploits the trust that a site have to users browser
○ e.g. to make purchase on behalf of user
○ Protection
 Verify user before making change
 Avoid clicking unknown links
- Password attacks
Use strong, complex passwords

SSCP Page 22
 ○ Use strong, complex passwords
○ Brute-force
 Try all possibilities until getting match
 Can be mitigated by complex password, limited number of incorrect passwords, etc.
○ Dictionary
 Try all the words in a dictionary
○ Social Engineering
 Tricking user into handing in the password
○ Rainbow table
 List of passwords with hashes
 Protection
□ Key stretching - salts the password before hashing it
 Add random bits to the password
 Use of rainbow tables can speed up password cracking (if hash was already obtained)
- SPAM
○ Unsolicited commercial email (UCE) or instant messages
○ Can be sent by botnets
○ Web-spiders - crawl through websites looking for emails (e.g. @ character)
- Phishing
○ Spam with malicious intent
○ Enter sensitive information
○ Phishing email components
 Impersonation - a legitimate person or company
 Identification of a problem - e.g. "suspicious activity"
 A sense of urgency - to open the document, log in portal, etc.
 Dire consequences - "closing an account", "freezing funds"
○ Drive-by download
 User clicks the link and malicious code is downloaded and executed
 No personal info
○ Spear Phishing
 Targets a specific organization or a group
○ Whaling
 Phishing targeted on CxO executives
 Get attention by using words like "Lawsuit"
 Attached document may be easily malware
○ Vishing
 Trick the user in providing sensitive information using VoIP
 Providing CCN via keypad, etc.
○ Smishing
 Phishing via SMS
- Zero Day Exploits
○ Attacks that take advantage of vulnerabilities
 Unknown and unpublished by vendor
 Known by vendor but not published - patch not released yet
○ Can be prevented by applying defense in depth model
 If one technology has zero-day vulnerability, others may not be susceptible
 Disable unnecessary services on servers
○ If patches are not applied immediately
 Attacker can download patch, reverse-engineer it and find which vulnerability it is
fixing
 Attacker can then develop attack and launch it sooner than patches are actually
applied
- Covert Channel
Mechanism used for transmitting information secretly between two entities

SSCP Page 23
 ○ Mechanism used for transmitting information secretly between two entities
○ e.g. utilizing unused bytes in protocol headers
 TCP handshake - protocol ID field can be used to pass covert information
○ Firewalls usually detect this

Wireless Attacks and Countermeasures

- WPA2
○ Enterprise (802.1x authentication server), Personal (SSID and preshared key)
○ Uses Counter Mode with CCMP (based on AES)
- WIDS & WIPS
○ IDPS for WiFi networks
○ They monitor the frequency and send alerts on suspicious activity
- Rouge AP
○ Unauthorized wifi AP in organization
○ When connected to wired network acting as a sniffer, attacker can receive information from
distance
○ Protect physical access to the network devices, secure ports on switches
- Evil Twins
○ Rouge AP that appears to be legitimate
 Inside organization - Similar or same SSID as legit wifi, stronger signal
 Public APs - free wifi
○ Attacker than performs MITM or collects data
○ Mitigation
 Confirm that wifi network is legit
 Do not enter any credentials on public wifi
 Do not install any software on public wifi
 Use commercial VPN
□ All traffic between client and proxy is encrypted
- Wardriving
○ Driving around with laptop and trying to access wifi networks
- WPA Cracking Attacks
○ Capture wireless packets and look for WPA four-way handshake
 It contains encrypted version of AP passwords
 Offline brute-force is then used to exploit password
○ Use WPA2 and strong passwords
- WPS attacks
○ Brute-force to discover pin to use WPS
 If successful, AP responds with SSID and password
○ Disable WPS when not used

Countermeasures
- Software Security
○ Security embedded in website code
 During development
- Input Validation
○ Checks data before using within application
 If they are valid for operation
○ Checks for valid characters, valid format, valid range, etc.
○ Does not provide accuracy
 e.g. check if zipcode is really from the area you are living in
○ Prevent buffer overflow, SQL injection, XSS
○ Client side validation
 Validating user input
 Embedded in form webpage - saves round trip to the server

SSCP Page 24
  Embedded in form webpage - saves round trip to the server
 Can be easily bypassed
○ Server side validation
 Final security check before using input data
 Both should be implemented
- Application Review
○ Testing application for bugs and vulnerabilities before release
○ Code review or peer review
- Code Signing
○ Associating certificate with software
○ Assurance on who wrote the SW and its integrity
○ If infected by malware, integrity check will fail!
 Can be checked in browser, during installation, etc.
○ Extended Validation Code Signing certificates
 By Symantec
 More thorough background check for issuing certs
○ Configure web browser to block unsinged software
- Sandboxing
○ Run program in isolated area of memory
○ e.g. Antivirus - check new or untrusted apps
○ e.g. virtualization

Social Engineering
- Low-tech attack, but very effective
- Aiming at people to give up sensitive data
- e.g. phone call impersonating CEO (information from company website) telling that he is collecting
information
○ Attacker gains information and then repeats the attack
- They try to build trust, familiarity
- Sense of urge
- Even threats

- Tailgating
○ Someone passes through authorization point without providing credentials by closely
following someone authorized
○ One employee opens the door by his card and lets several other people to pass
○ Mitigation
 Mantrap - enclosure for only one man, who is locked when entered and passed
through other side
□ e.g. in Datacube
 Turnstiles
- Impersonation
○ Masquerading or spoofing
○ As someone else
- Dumpster Diving
○ Sifting through some else's trash
○ Sensitive documents should be shredded or burned, not thrown to dumpster
- Shoulder Surfing
○ Looking over someone's shoulder to gain information (e.g. password)
- Pharming
○ Manipulates hostname resolution to redirect user to bogus site
○ DNS manipulation or host files
- Social Networking attacks
Attacker impersonates social network (e.g. Facebook) in email and lets user know that

SSCP Page 25
 ○ Attacker impersonates social network (e.g. Facebook) in email and lets user know that
messages are awaiting
 But link is malicious

- User Awareness
○ Primary countermeasure
○ Training
○ To change user behavior from unsafe to safe actions
○ Acceptable Use Policy
 Expectations on employee's use of computing resources
 Responsibilities and risks
 Should be acknowledged by each employee
○ Initial Training when hired
 Security training
○ Annual Refresh Training
 Training about current risks and threats
○ Newsletters
○ Periodic emails

SSCP Page 26
Malicious Code and Activity
Wednesday, February 28, 2018 09:08

- Viruses, logic bombs, Trojans, worms and ransomware

Virus
- Piece of code, negative events on PC
- Ability to copy itself into a computer and replicate using different methods
- Infected file must be executed for virus to run
○ Virus can only run with some type of user interaction
- Components
- Replication component
 Copying its code onto other applications and infecting them
 e.g. it may copy itself on USB drive and then replicate further
- Activation component
 It delivers payload - malicious program
 e.g. delete or corrupt system data
 May contact C&C centrum if part of botnet
- Usually tries to stay hidden and collect information of the user
- Forms
- Stealth
 Try to hide from AV by providing misleading info about the virus to AV
 e.g. misreport file size
- Armored
 Additional code to complicate reverse engineering by AV
 e.g. compiler with encryption, different code design
- Polymorphic
 Ability to morph or mutate each time they are copied or run
 e.g. by encrypting file slightly differently each time
 Replication and activation code remains the same
- Metamorphic
 Mutates the code for replication and delivery
 Changes logic of replication and activation - more difficult to detect
- Boot Sector
 Virus is stored in boot sector and executes when system is booted
- Multipartite
 Multiple components - e.g. boot sector with virus
- Macro
 Macro in document is used to launch virus

Worm
- Do not require any interaction to activate, does not need to be executed
- Travels through network and infects nodes
- Can use different protocols
- Use defense in depth
- Host based firewalls, up-to-date AV, switch-off unneeded protocols

Trojan Horse
- Application that looks legit but includes malicious component
- e.g. pop-up updates for Flash
- Always update only from legit webpage, not from pop-ups

Scareware

SSCP Page 27
Scareware
- Malware that describes itself as AV
- Popup with message to fix problem -> installs malware
- Could be used to create zombies in botnet, install backdoors, etc.

Ransomware
- Takes control of users computer and demands ransom to release it
- Preventing from logging in, or prevents access to data (by encrypting them)
- Accuses user of participating in illegal activities and demands fine
- Or encrypts data and demands money for releasing decryption key
- Sense of urge (72 hours to lawsuit, deleting of key, etc.)

Keylogger
- Capture all keystrokes entered on computer
- HW or SW based
- Can be installed via Trojan

Logic Bomb
- Code that executes in response to some event or point in time or specific actions
- Keylogger may include logic bomb on emailing keystrokes after user visits specific website

Rootkit
- Program that runs on system with root-level access undetected
- Remote control of node
- Can hide itself from AV scan or restrict data returned to the scan
- Usually installed via Trojan or virus
- Kernel PatchGuard - prevention from rootkits in kernel, requires digitally signed drivers

Mobile Code
- Can transfer itself between the systems without user taking any action to install it
- e.g.
- JavaScript or VBScript
 Embedded into webpage or PDF, Word, etc.
- Java Applets and ActiveX
 Mini-programs embedded into webpage
 They run when webpage is displayed
 Block unsigned applets
- Documents with macros
 They run when file is opened
 Disable macros

Backdoor and Trapdoor

- Code that provides access to application, code or data or OS via a covert method
- Can be added by app developers for debugging
- Should be removed when app released

RAT
- Remote Access Trojan
- Control via Internet

Spyware
- Spying on user activity, e.g. for targeted advertisement
- Steal financial data, person's identity, etc.
- Installed via Trojan

SSCP Page 28
 - Installed via Trojan

Malware Hoax
- False message about malware risk
- Sense of urge

Stages of Regin
- Regin - advanced class of malware
- Collect data
- Via RAT features, screenshots, stealing pass, retrieving deleted files, monitoring network
traffic, etc.
- Six stages
- Stage 0
 Dropper stage - initial infection, installing Trojan
- Stage 1
 Loads OS kernel drivers
 Decrypt, load and execute stage 2
 (subclass.sys, adpu160.sys)
 Only stage with plain visible code on station
□ Other stages are encrypted
- Stage 2
 Stored in NTFS extended attribute
 Removing code after stage 1
- Stage 3
 Decrypts, install and execute stage 4
 Build encrypted file system
 Modular framework for stages 4,5
- Stage 4
 Loads modules for stage 5
 Different features can be enabled and executed
- Stage 5
 Collects data and stores them within encrypted file system
 Sends data to attacker via standard protocols
- Includes also C&C functionality
- All communication is encrypted and encapsulated within ICMP or UDP

Malware Delivery Methods

- Drive-by downloads
- Webpage attempts to download malicious code and install it on station
- Usually executed from legit webservers
- Keep OS and AV up-to-date
- Malvertising
- Via malicious banner ads
- On compromised websites
- E-mail
- Infected attachments
- USB Drives
- Using same USBs in organization and at home
 Between controlled and uncontrolled environment
- AV protection, restrict USBs

Malicious Code Countermeasures

- Install antivirus and antispam on all systems and email servers
- Antivirus and content filtering on FW

SSCP Page 29
- Antivirus and content filtering on FW
- Preform regular antivirus and vulnerability scans
- Keep systems and AV up to date
- Educate users

- Antivirus
- Real-time (when user opens a file) or on-demand (started manually) or scheduled scan
- Signature based detection
 Match unique characteristics of the virus - e.g. byte pattern
 Signatures are generated by reverse engineering the file in AV company
 Detection can be avoided by using polymorphic or metamorphic virus
□ Many different variations of virus
 Database must be up-to-date!!! - update often
- Heuristic based detection
 Can detect previously unknown and non-reverse engineered viruses
 Detection based on behavior
□ e.g. picture file is trying to change system files
 Can use sandbox technique
□ Activity is evaluated in isolated environment
- Spam Filter
- Detect and block unsolicited email
- Sender Policy Framework (SPF)
 Identifying spoofed email
 SPF record can be used on DNS server to identify authorized server for sourcing traffic
from given domain
 When email-server receives email, it can check if the domain in email header is
matching server that sent the email
- Content-Filtering
- Filters traffic in and out of the network
- Deep-packet inspection, sandboxing on the edge, etc.
- Can be used as proxy - validating certificates, URLs, etc.
- Must be deployed at border with external network
 All traffic coming from Internet must be inspected before passed onto internal
network
- Part of defense in depth
 FW with content-filter, AV and AS filtering entry to network
 AV on endpoints filtering traffic that passed signatures on FW by applying heuristic
method
- Keep OS up-to-date
- Patch vulnerabilities
- Scanners
- Vulnerability scanners - Nessus, Rapid7
- Check system for vulnerabilities and report findings
- Beware of shortened links
- Different hypertext shortcut
- Obfuscated links
- e.g. bit.ly, tinyurl.com
- LongURL - demystify link
- Sandboxing
- Heuristic-based analysis in isolated environment
- e.g. virtualization
- Least Privilege
- Users should not have admin privileges to install apps
- Even admins should not use admin accounts for day-to-day activity

SSCP Page 30
 - Even admins should not use admin accounts for day-to-day activity
- Software security
- Input validation, code signing, application review
- Application Whitelist and Blacklist
- Which apps are allowed and blocked
- Security Awareness and Training
- Educate users on safe computer habits
- Turn on AV, don’t open suspicious attachments, links, etc.
- Download files directly from source website

Common Vulnerabilities and Exposures

- CVE list
- List of known security vulnerabilities, exploits and malware
- https://cve.mitre.org/cve

SSCP Page 31
Risk, Response and Recovery
Monday, March 5, 2018 09:45

Risk - probability that threat will exploit a vulnerability can cause a loss
Threat - activity that can be possible danger
Vulnerability - weakness in system

Risk = Threat x Vulnerability

- Result = Loss

- Some risks have higher impacts

To lower the risk, you need to reduce vulnerabilities (by implementing safeguards and controls)
- Or reduce impact of the risk
- It's rarely possible to reduce threats

Total risk - combined risk to all of the organizations assets

Identifying Threat Sources

- Threat source = attacker
- Adversarial
- Include individuals (internal or external) or groups that purposely attempt to exploit
weaknesses
- Internal, external attacks
- Accidental
- Include erroneous actions taken by individuals in the course of executing everyday
responsibilities
- Accidental damage to data, power cuts, etc.
 Impact level is dependent on privilege level of user
- Structural
- Failures of IT equipment, env. controls and software
- e.g. loss of AC in DC
- Environmental
- Natural and manmade disasters
- Tornadoes, floods, fire

Identifying Threat Events

- Threat event = any type of activity that can result in a loss of CIA
- Perform reconnaissance and gather information
- Techniques to learn more about the target
- Gathering information from public sources and using sniffers and scanners
- Trick user to install malware to perform reconnaissance
- Craft or create attack tools
- Attackers create different attack tools
- Creative phishing attacks (spoofing source)
 Malware as attachments
- Deliver/insert/install malicious capabilities
- Way to get malware on user system
- e.g. ZIP attachment in email, attack websites and install malware to be downloaded on visit

SSCP Page 32
 - e.g. ZIP attachment in email, attack websites and install malware to be downloaded on visit
- Exploit and compromise
- Technical and nontechnical methods
- e.g. tailgating, exploiting vulnerabilities in unpatched systems, zero-day attacks
- Achieve results
- Cause impact and obtain information
- Exploit was successful
- Adverse impact include any results that affect CIA of systems and data
- Maintain a presence or set of capabilities
- Attacker takes steps to obscure their actions
- Bypass or circumvent IDPS and auditing capabilities
- Maintaining presence for further time
- Many more

Vulnerabilities
- Vulnerability = any weakness in a system, network, infrastructure or organization
- Weakness in and information system, system security procedures, internal controls or
implementation that could be exploited by threat source
- Examples
- Poor and nonexistent AV protection
- Terminated employees - accounts should be disabled right after employee is terminated
- Weak access control - identification, authentication and authorization techniques
- Poor or nonexistent change-management practices - problems caused by unintentional
side effect of making change to system
- Poor hardening practices
- Lack of redundancies for key systems - on multiple levels
- Uneducated users - social engineering

Impact
- Impact = magnitude of harm that could result if a threat exploits a vulnerability
- Can be high (risk is high priority) or low (risk is not priority)
- e.g. fire
- Likelihood = low
- Impact = high
- Overall risk = high
 Purchase insurance to reduce impact

Risk management
- Identify, assess and mitigate risk to an acceptable level for the organization
- Needs to change and evolve with the threats
- Continual process
- Reduce vulnerabilities and impact, not threats
- Choices in response to risk
- Mitigate - reducing vulnerabilities by implementing controls and safeguards
- Avoid - by avoiding activity that causes the risk
- Share or transfer - share or transfer risk to another party, e.g. insurance (only partial impact
reduce)
- Accept - accept risk and potential losses, when asset value is low
 Or accept the remaining risk after taking steps to reduce the risk to acceptable level

Residual Risk
- Amount of risk that remains after reducing risk to an acceptable level

SSCP Page 33
 -

- Management must decide which controls will be implemented and when is the risk acceptable

Identifying Assets
- Important first step in risk management
- Asset
- Has high value to organization
- Can be valued using tangible and intangible values
 Tangible = direct loss, e.g. on revenue
 Intangible = side loss, e.g. customers turn to other organization

Risk Visibility and Reporting

- Organization is aware of risks that threaten its resources
- Takes time and analysis
- Risk assessment - identify risks
- Continuous monitoring - AV, DLP, FW, IDS, SIEM, etc.

Risk Register
- Central depository for known organizational risks
- e.g. risk register for web server

- Can be public - e.g. CVE list, NVD list

Performing Risk Assessments

- Point-in-time evaluation - looks at risks at specific time
- Should be performed periodically

Quantitative Analysis
- Numerical-based data to identify the actual cost associated with a risk
- Single Loss Expectancy (SLE)
- Identifies the actual loss of single occurrence of a threat
- e.g. website down for an hour causes loss of 10000$
- Exposure Factor
- Magnitude of loss as a percentage of assets value
- e.g. if value is 1000 and insurance covers 750, Exposure Factor is 25%
- Annual Rate Occurrence (ARO)
- How often the SLE is expected to happen in a given year
- Annual Loss Expectancy (ALE)
- SLE x ARO
- Cost of control
- Cost of implemented security controls
- Including side costs like admin training, etc.
- If ALE < Cost of control, it may not be justified to implement control

SSCP Page 34
 - If ALE < Cost of control, it may not be justified to implement control
SLE ARO ALE before ALE after ARO after Cost of Savings Impleme
before control control control control nt?
$10000 control
3 (SLExARO)
$30000 $10000 0 $5000 30000-5000= Yes
25000
-
$10000 3 $30000 $10000 1 $5000 30000-10000 Yes
-5000 =
$2000 2 $4000 $2000 0 $10000 15000
4000 - 10000 No
= -6000
- Advantage - analyze actual value of control
- Disadvantage - it's hard to obtain values of Assets, SLEs, etc.

Qualitative Analysis
- Subjective, scenario-based data, categorizes risk using works such as low, medium and high

- It's also possible to assign values to the ratings

- Advantage - provides clear priority of the different risks

- Disadvantage - difficult to use the results in cost/benefit analysis

Risk Assessment
1. Prepare for Risk Assessment
- Identify purpose, scope, information sources,
- Identify assumptions and constraints - which controls are in place, etc.,
- Identify risk model and analytic approach - quantitative or qualitative analysis
2. Conduct Risk Assessment
- Identify threat sources, threat events, vulnerabilities
- Perform analysis to determine the likelihood of a risk occurring, impact and overall risk
- Threats - internal/external, natural/manmade, intentional/accidental
- Likelihood x impact = risk score
 Risk score can be overridden subjectively

SSCP Page 35
  Risk score can be overridden subjectively
- You can evaluate prospective controls or safeguards
 Risk score evaluation without and with new control
3. Communicate and Share Risk Assessment Results
- Provide results to decision makers
- Content
 Executive summary - summarizes risk assessment
 Risk assessment preparation - identifies purpose, scope, etc. from Step 1
 Threat sources, events and vulnerabilities
 Risk scores - tables, graphs including likelihood and impact
 Controls and countermeasures - evaluation of new controls and countermeasures
 Uncertainties - caused by missing data, subjective opinions and assumptions
 Appendixes
4. Maintain Risk Assessment
- Evaluates threats and vulnerabilities at a specific time
- Periodically repeat and update risk assessment for key systems
 Monitoring risk factors
Address Findings
- Identified risks must be mitigated by implementing controls

Responding to Incidents
- Security incident - any violation of policies or security practices that has potential to result in an
adverse event
- Adverse event - event with a negative consequence (system crash, data damage, etc.)
- Lifecycle of incident response

- Preparation - includes creating incident response plan

- After detecting and verifying an incident, it's important to contain the incident as quickly as
possible

- Common types of incidents

- DoS - reduce system ability to provide a service
 IDS, IPS and DDoS protection systems
- Malware - any type of malicious software
- Inappropriate usage - violating acceptable usage policy for IT systems
- Unauthorized access - individual or software accesses data which should not be accessible

- Preparation
- Steps to prevent an incident by securing systems
- Planning for incidents and planning for response
- CIRT/CSIRT/IRT
 People responsible for responding to incidents
 Ready access to tools and resources (every minute spent looking for them is wasted)
□ Contact information - who and when needs to be notified
□ Reporting forms - record specific information about an incident
□ Forensics tools - collect and analyze evidence, maintain chain of custody
□ Documentation - systems and network infrastructure, performed changes
□ Software and hardware - to create reports, doing research or perform analysis
□ War room - where the team meets and solves the issue
 These tools may be stored in network location or "crash cart" (in case network goes
down)

SSCP Page 36
 down)
- Detection and Analysis
- Incident is discovered, investigated and analyzed
- Detection - by AV, suspicious activity, SIEM, IDS, etc.
- Analysis - whether the event is an incident and prioritization (minor, critical, etc.)
- Containment, Eradication and Recovery
- Contain incident as quickly as possible - prevent from spreading
 e.g. unplug PC from network
 To quickly contain incident, detection and analysis must be fast
- Eradication - reverse all actions taken by the malware and remove it from system
completely
- Recovery - bring system back online, move data, etc.
- Post-incident Activity
- Examine the incident and response
- Determine whether the existing plans and procedures adequately address the incident
 They may be improved
- Generate post-incident report (can be used later in risk assessment)
 Lessons to be learned, speed of detection and responding to incident, recovery time,
documentation up-to-date, new controls to implement
 All of this can be improved
- Avoid finger pointing and blame storming

SSCP Page 37
Monitoring and Analysis
Thursday, March 8, 2018 08:08

- Prevent, detect and correct possible security incidents

IDS
- Detect attack and raise alert
- Passive - monitoring and recording events in log, sends notification when attack detected
- Active - takes action to modify environment to stop the attack (e.g. modify ACL)
- Network (NIDS) or host based (HIDS)
- Alerts
○ Notification via email or sms
○ Send alert to SIEM or display in dashboard
○ May be false positive - must be investigated by personnel if it is incident or not
○ Triggered when specific threshold reached
 e.g. if same IP is trying to open communication in multiple ports in 60 minutes (port
scan)
○ Difficult to define the threshold
 Better tighten it up and receive false positives than vice versa
- NIDS
○ Monitors network traffic for attacks
○ Uses agents to monitor traffic on network devices
 They forward the traffic to a central management console
○ Can be inline or outline (harder to detect for attacker)
- HIDS
○ Installed in individual system
○ Monitors activity on a host (processes, running apps, etc.)
○ Can be CPU intensive
○ Can be detected by attacker and disabled or logs deleted
○ Can be included in UTM
- Using NIDS + HIDS is part of defense-in-depth strategy
- Detective security control

IPS
- Placed inline with the traffic on boundary of the network (behind first line FW)
- Is active, blocks potentially malicious traffic
- Prevents the traffic from entering the network (not just modify environment)
- HIPS or NIPS
- Preventive security control

Detection methods for IDS and IPS

- Signature-based
○ Knowledge-based
○ Similar to AV signatures
○ Attacks unique characteristics are documented in signature file
○ Must be periodically updated
○ Drawback - only detects known unmodified attacks
- Anomaly-based
○ Behavior-based, heuristic-based
○ Device first monitors normal behavior => baseline
○ Device than monitors behavior and compares to baseline
 If the current activity differs significantly from baseline => alert
Identify normal activity and detect abnormal activity

SSCP Page 38
 ○ Identify normal activity and detect abnormal activity
○ Usually generate higher level of false positives than signature-based
○ If the environment is modified, it is important to update baseline
- Hybrid
○ Combination of anomaly and signature based
○ Common
- Whitelisting
○ host-based IDS
○ App whitelist allows only specific apps and processes on endpoint
○ Whitelisting MACs on switch

WIPS and WIDS

- Wireless IDS and IPS
- Monitors wireless traffic, countermeasure against wireless attacks

Analyzing results
- Important part of monitoring
- Analyzing individual events - if they are incidents
- Reviewing security analytics and metrics - e.g. number of false positives each week, adjust
threshold
- Identifying trends - determine if security controls are providing adequate protection
- Creating graphics for visualization - graphs, see trends
- Communicating findings - report to decision makers

Detection Systems and Logs

- Logs must be protected, for attacker not to alter them
- Remote logs are most valuable source to recreate the events that occurred during or prior to the
attack
○ Logs may be modified
- File Integrity Checkers
○ Detect unauthorized changes to critical system files
○ Hashing
○ Can be used also for logs, executables
- Unauthorized Connections
○ Based on predefined authorized connections
○ Use only authorized protocols
- Honeypot
○ Trap for attackers to hack in
○ Opportunity to observe the tactics used by attacker, what data is he looking for, etc.
○ Observe new exploits
○ Honeynet - two or more honeypots
 Simulate network activity and live environment
○ Padded cell - combines honeypot with IPS
 When attack detected by IPS, attacker is redirected to honeypot

Security Information and Event Management (SIEM)

- Gather information from systems and network devices
- Analyze and correlate the data
- Report in interesting items
- Can include components for IDS, compliance monitoring, etc.
- Benefits
○ Single interface to monitor activity
○ Database capabilities - everything in one database, security, system, firewall, backup logs,
etc.

SSCP Page 39
 etc.
○ Ability to define or fine-tune items of interest - modify thresholds, correlate events, define
incidents, etc.
○ Alerting capabilities - visual indications, pop-ups, emails, sms, etc.
○ Secure storage of data - central storage is easier to protect than distributed on multiple
stores, harder to manipulate logs

Performing Security Assessment

- Discover vulnerabilities, report recommendations
- Vulnerability assessments
○ Technical weaknesses, social engineering, etc.
○ Vulnerability scanners, etc.
○ Test Types
 White box or internal testing (full knowledge) - internal security professional
performs assessment on known network with full access
 Black box or external testing (zero knowledge) - testers don’t have any knowledge
about network, consultants from other companies
 Gray box testing (partial knowledge) - in between white and black box
○ Vulnerability scanners
 Automated scans of network
 Can use sniffers
 Nmap
□ Identify active IPs and services running on them, if HIPS is in the system, etc.
 Nessus
□ Can use Nmap for initial scan
□ Fingerprinting scan
□ Complex detailed analysis of individual systems, auditing passwords for
complexity, checking systems for compliance
□ Checking for existence of PII information on system
 Personally Identifiable Information
 Must be protected
 Nessus can be used for compliance check
○ Analyze results and address all vulnerabilities that can be mitigated
 Reports contain sensitive information - should be protected

Reviewing infrastructure security configurations

- Assess network vulnerabilities - vulnerability scanning
- Verify appropriate host hardening - HIPS enabled, service hardening
- Check border security - FW, UTM, DMZ configuration, paths from external network

- Steps
a. Gain permission from management - so that scans are not evaluated as attacks
b. Discovery - reconnaissance and vulnerability scanning
c. Analyze results - scanner may generate false positives
- Manual check
- May also generate false negatives!
d. Document vulnerabilities - create report
e. Identify and recommend methods to reduce vulnerabilities - configuration changes,
patching, implementing new control, etc.
f. Present recommendations - to management
g. Remediate - implement fixes
i. Most important step
ii. Repeat scan to check if vulnerability is patched

SSCP Page 40
Penetration tests
- Next step after vulnerability scan
- Exploit discovered vulnerabilities
- May cause loss of CIA
- White, black, gray box
- Intrusive test
○ Goal is to prove that exploiting a vulnerability can affect the mission of organization

- Steps
1. Gain permission - written!!!
2. Perform vulnerability assessment
i. Discovery and reconnaissance - nmap, social engineering, etc.
ii. Fingerprinting - scanner
iii. Identify vulnerabilities
3. Attempt to Exploit Vulnerabilities
i. Do not cause outage or other real damage
ii. Data should not be disclosed, corrupted, etc.
4. Report results
i. To management
ii. Should include recommendations for mitigation
1) What to mitigate, what to accept

SSCP Page 41
Controls and Countermeasures
Monday, March 12, 2018 16:29

Risk mitigation -> implement security controls

Security Controls (safeguards, countermeasures)
- Means, methods, actions, procedures, processes or devices that reduce the vulnerability of
system or reduce probability of exploiting vulnerability and causing loss
- Technical (hw or sw) or non-technical (managerial, processes, security policies)

Cost-Benefit Analysis (CBA)

- Compares the cost of control with the potential benefits of the control
○ Also cost of the control with associated losses if control not implemented
○ Cost of control should be significantly lower than ALE (Annual Loss Expectancy) without
the control
○ ROI analysis
- Initial cost - cost of the product
- + Implementation costs - work cost, training for personnel, etc.
- + Compatibility costs - can affect usability

Security Controls Life Cycle

1. Select Security Controls

- Select and evaluate controls based on risk and vulnerability assessments
- Perform CBA
2. Implement Security Controls
- Deploy HW, install SW, configure, put to production
3. Assess Security Controls
- Evaluate to verify correct implementation
- Verify that control meets requirements
4. Monitor Security Controls
- Determine effectiveness
- Monitor changes, incidents, etc.

Security Control Goals (NIST-SP 800-53)

- Prevention, detection and correction

- Controls can combine all three of goals

- AV = detective + corrective

SSCP Page 42
 - AV = detective + corrective
- Backup = preventive + corrective
- Prevention
- Written security policies, standards and procedures
- Background checks
- Separation of duties and least privilege
- Access control process (strong authentication)
- Password policies
- Employee termination process (disable accounts)
- Classification of data
- Encryption of data
- Physical security - cameras, fences, guards
- Detective - detecting occurring or already occurred event
- Physical inventories
- IDS
- Antivirus SW - detect malware
- Audit logs
- Forensics analysis
- Reconciliation - comparing different sets of data with each other
- Corrective - takes action to reverse the effects of an events
- IPS
- Antivirus - removing or quarantining malware
- Backup and restore procedures (preventive + corrective)
- Disaster recovery and business continuity plans
- Other
- Compensating
 In place in case primary control fails or is unavailable
 Separation of duties -> problem with vacations -> may not be effective as during the
vacation, responsibility is on one man
□ Implement periodic reconciliation auditing to detect anomalies
- Deterrent
 Deter attackers or users trying to circumvent policies
 Proxy blocking access to website (reminding user that activity is recorded)
 Encourage someone not to take specific action
 Preventive type
- Directive
 Mandated by higher authority
 HIPAA - how to protect PHI (Personal Health Information)
- Recovery
 Recovery after failure
 Backups, procedures how to restore backups, etc.
 Corrective

Classes of Controls
- Management (administrative), Technical (logical) and Operational

SSCP Page 43
 -

- + Physical Security Controls

1. Management/Administrative Security Controls

- Written documents - security policies
- Risk and vulnerability assessments
- Incident response plans
- Background checks for potential employees
- User awareness and training
- Etc.
2. Technical Security Controls
- Identification and authentication controls
- Access controls (authorization)
- Auditing and tracking controls
- NAC
- Encryption
- Etc.
3. Operational Security Controls
- Implemented during day-to-day operations
- Backup procedures
- Routine procedures to ensure safety, fire prevention, etc.
- Patch management programs
- Configuration and change management practices
4. Physical Security Controls
- Any control that control, restrict and/or monitor physical access and provide environmental
protection
- Perimeter barriers, fences, doors
- Lighting in potential breaking areas
- Access badges
- Primary and backup power sources, generators
- Heating, ventilation, AC (HVAC)
- Personnel safety should be priority over IT security :)

Combining Controls Goals and Classes

- Locked door - preventive, physical
- Audit logs - detective, technical
- Este natrenovat!!!

Basic Controls
- NIST-SP 800-53
- Hardening Systems
- Remove or disable unused protocols - decrease attack surface
- Remove or disable unneeded services - fewer opportunities to attack system

SSCP Page 44
 - Remove or disable unneeded services - fewer opportunities to attack system
- Change defaults - e.g. passwords
- Keep systems up to date - patching bugs in SW
- Enable firewalls - and AV
- Install AV software
- Policies, Standards, Procedures and Guidelines
- Policies - high-level documents used to provide guidance to members of organization
(authoritative)
- Standards - document criteria such as a proven norm or method (can influence policies)
- Guidelines - recommendations to members of an organization (not authoritative, derived
from policies)
- Procedures - specific action steps to complete tasks (derived from policies)

- e.g. Security Policy

 Define overall goals of security
 Outlines basic security requirements
- Acceptable Use Policy
 What user can and cannot do with IT systems owned and controlled by organization
- Backup policy
 Defines data that should be backed up and backup retention

- Configuration control procedures - baselining configuration for servers, enforcing using

baseline config

- An organization can choose, which standard to follow - ISO 20000, ISO 27000, NIST-SP, etc.

- Guideline - may recommend that whole database should be backed up

- Response Plans
- Business continuity plan (BCP) - prepare for emergencies that can interrupt the mission of
the business
- Business impact analysis (BIA) - identify critical functions for organization, plan to keep
those functions operating
- Disaster recovery plan (DRP) - steps to recover critical systems after disaster
- Change Control
- Helps to prevent unintended outages from changes
- Change request should be submitted and reviewed by expert (approve or reject)
- Configuration Management
- Ensures that information about a systems configuration is available
- Baselining configuration
- Develop and maintain system and security configuration
- Testing Patches, Fixes and Updates
- Patch management process
1. Evaluate patch - if patch is necessary for given system (if service which is patched is running
on server)
2. Testing patch - to avoid problems that can be caused by the patch (apply patch on testing
(e.g. admin) PC)
3. Applying patch - can be automated, e.g. WSUS, SCCM
4. Auditing system - ensure that systems have all approved patches, can be done by WSUS,
vulnerability scanner
5. Documenting patches - documentation of approved changes and patches, useful for
rebuilding system
- Endpoint Device Security
- Controls - Password protection, data encryption, remote wipe, GPS location
- Or prohibiting use of mobile devices in certain areas

SSCP Page 45
 - Or prohibiting use of mobile devices in certain areas

Bring Your Own Device (BYOD)

- Personal endpoints used to connect to work environment and use for work
- Benefits
- Reduced cost for providing those devices to employees
- Improved productivity
- Challenges
- Keeping those devices secure and up to date
- Many types of devices to understand
- e.g. Android is open-source, modified by each vendor, employees have different phones
 Impossibru to keep it secure
- Managing data - who owns the data if user owns the device?
- BYOD policies must be implemented and set
Corporate-owned, Personally Enabled Devices (COPE)
- Devices are owned and controlled by organization

Telecommuting
- Work from home
- Must deploy secure VPN
- Devices owned by telecommuter cannot be controlled by organization
- Access to VPN must be strictly controlled
- NAC - check predefined health characteristics before allowing access for endpoint
Mobile Device Management (MDM)
- Patch management for mobile devices (iOS, Android, etc.)
- Microsoft ConfigMgr
USB Devices
- Significant risks - data leakage and infection by malware
- Easy to connect and easy to copy
- Can be mitigated by enforcing encryption of data in rest and AV deployment

Thin Clients
- Virtualization of workstation
- If workstation is stolen, no data is lost
Virtualization
- VM escape attacks
- Attacker connects to VM and "escapes" to host - can gain full control over all VMs on given
host
- Keep hypervisors up to date
Application White/Blacklisting
- Prevent users from installing any application - only approved by organization
- List of allowed or blocked apps
- e.g. Apple Store is reviewing each app before published for security
Endpoint Encryption
- Full disk or full device encryption
- Automatic on iOS and Android (from 5.0) devices
- If the device is jailbroken, root-access can be granted to user - but also to malware
Trusted Platform Module (TPM)
- Stores crypto keys which system can use to encrypt/decrypt data
- HW chip on motherboard
- Creates storage root key, which encrypts application keys (e.g. BitLocker key)
Sandboxing in browsers
- Browser runs in isolated area of computer
- Web applications cannot access your personal files or HW (webcam)

SSCP Page 46
 - Web applications cannot access your personal files or HW (webcam)
User awareness and training programs
- Users to understand security policies and procedures
- Social engineering tactics, etc.

Fault Tolerance
- Avoid single point of failure by adding redundancies
- RAID
- Can improve performance and provide fault tolerance
- Can be SW or HW based
- 0
 Two or more disks, stretched data
 Improves performance, does not provide fault tolerance
 If one disk fails, all data are lost
- 1
 Two disks that are mirrored (one is backup)
 Parallel reading from both disks at the same time - improves performance
 Halves the combined capacity of both disks
- 5
 Three or more drives, stripping with parity
 Parity - either odd or even value (XOR of data bits)
 2 drives carry the data, one drive carries parity
□ Each stripes parity is on different disk

 Subsystem can contain spare drives, which are used automatically if one of the drives
fail
- 6
 Uses 2 parity blocks
 Can survive failure of 2 disks
 Minimum of four disks
 Recommended over Raid-5 due to URE (unrecoverable error rate)
□ Lower if two disks can fail
- 10 (1+0)
 Combines 1 and 0
 Minimum of 4 disks
 Increased performance and fault tolerance
- Failover Cluster
- Fault tolerance at server level
- Allows service to operate even if one server fails
- Can be active/active, active/passive, per service or other, etc.
- Load-balancing cluster
- Redundant connections
- Link fault tolerance

Backups

SSCP Page 47
Backups
- Backups are useful only if they can be restored
- Backup plans should include restore test to verify usefulness of backup
- Tape drives, tapes, backup software, backup servers - additional cost, but justified
- Backup policies should define what and when to backup
- Disk-to-disk-to-tape strategy
- e.g. copying DB to tape can take long time, so it is first copied on fast disk and then
processed offline to tape
- Full Backups
- Backs up entire contents of target data
- Can take very long time, during which data cannot be accessed
- Full/Incremental Backup
- Full back up at start and then only incremental periodic back up changes
 Incremental backs up only changes since last full or incremental back up

- Restoring data
 First full backup needs to be restored
 Then every incremental backup since full back up up to the point of failure must be
restored
- Minimizes the time needed for incremental backups
- Recovery can take longer due to multiple backups to be restored
- Full/Differential Backup
- Full back up at start, then differential backups periodically
 Differential backs up all changes since last full backup

- Recovery
 First full backup needs to be restored
 Then only most recent differential backup must be restored
- Takes longer to backup, as differential backup is bigger every day
- Recovery time is reduced - maximum 2 backups need to be restored

SSCP Page 48
Auditing
Friday, March 23, 2018 11:01

Auditing provides accounting component, which tracks and records individual actions.
Auditing methods
1. Auditing activity through logs - logs inspected by auditors to reconstruct events
2. Auditing activity through an inspection process - periodic security inspections to ensure
organization is following required policies and procedures

- To hold users accountable with audit logs, strong authentication practices must be used
○ e.g. if multifactor authentication is implemented, user cannot deny that he did not commit
given action
- Audit logs provide nonrepudiation

- Audit logs combined with strong authentication and authorization practices provide
nonrepudiation (users cannot deny what they did)

- Audit through logs

○ Logs - who, what, when and where for any event of interest
○ To reconstruct events during the incident
○ Can provide deterrency - users are aware that AUP is logged and they won't do forbidden
actions
 e.g. logging of website usage on proxy servers
○ Audit logging can reduce incidents simply by deterring users from engaging in
unauthorized behaviors
- Clipping Levels
○ Generate alert after system detects present number of events (e.g. 3 failed logins)
○ Clipping level - ignores events such as normal user errors until the auditing system reaches a
predetermined threshold
- Audit Trails
○ One or more logs that track events occurring on system or network
○ Technical detective control
 Should record who, what, when and where
 Logs should be secured and strongly authenticated
 Logs should be backed up frequently

Audit logs
- OS logs
○ Track activity on individual computers and servers
○ Logging must be configured
 e.g. audit access only to sensitive or proprietary data
○ System log - events from OS (e.g. driver stops)
○ Application log - events from specific apps (e.g. DNS)
○ Setup log - setup of certain applications
○ Event Viewer - see logs in Windows
○ Copies of logs should be stored on remote systems
 Increases difficulty for attacker to erase tracks
- *Nix log
○ Unix
○ /var/log, /var/adm, /usr/adm
Syslog (overall system activity), sulog (all attempts to use SU command), auth

SSCP Page 49
 ○ Syslog (overall system activity), sulog (all attempts to use SU command), auth
(authentication on SSH), maillog
- Proxy Server logs
○ Log user activity on Internet
○ Caching web pages
○ Can use as a deterrent to unacceptable behavior
- Firewall logs
○ Blocked and forwarded traffic
○ Other events
○ Should be aggregated by SIEM

Reviewing logs
- Look for anomalies
- Archive logs
- Strong authentication & authorization - clearing, reading logs, etc.
○ First log after clearing logs in windows is "Logs cleared"
- Set retention policies
○ To be able to investigate

Security Audits
- Help organization identify vulnerabilities in processes and procedures
- After audit -> implement fixes -> reduce discovered vulnerabilities
- Compliance audits (e.g. HIPAA) - law enforced
○ Audits help to prove that organization is following procedures according to standard
- Password Auditing
○ If users are following policies related to passwords
 Complexity (by password cracking), retention, etc.
- Security Policies Audit
○ Review of written security policy to ensure that it still meets organizations requirements
○ e.g. lack of awareness and training for users

ISACA
- Standardization for IT security audits
- CISA, CISM
- Developed COBIT framework

PCI DSS
- For organizations that process credit card payments
- Protect customer personal and credit card data
- PCI DSS Control Objectives

SSCP Page 50
 -

- Compliance Reports
○ PCI DSS compliant organizations must submit regular reports
 Document processes, how are they complying to 12 requirements, etc.
 Reports are sent to acquiring bank and global payment brand
- Compliance Audits
○ Organization with low volume of credit card use - only Self-Assessment Questionnaire (SAQ),
submit to bank
○ With high volume of credit cards
 Hire and independent expert to perform audit
 PCI Security Standards Council can revoke the business authorization to process credit
card payments or give a fine

Auditing Physical Access Controls

- Auditing logs from proximity card readers
○ Can discover tailgating, which can be used by social engineer to get into area

Configuration Management
- Ensuring that systems are configured with security in mind and configuration is tightly controlled
- Establish baseline configuration with hardening
- FIPS Pub 200
○ Requirements to enforce security configuration settings
- Strong change management - change authorization, review, etc.
- Imaging Technologies
○ Contains baseline configuration
○ Easy to check later if configuration changed - if baseline is established
○ configure security settings such as auditing, a password policy, an account lockout policy, a
password-protected screen saver, and much more
- Group Policy
○ Centralized administration of systems

Change Management
- Ensure that changes don’t result in unintended outages
- e.g. change review before implementation
- Documentation trail
- Propose changes to system -> examine the request (approve or reject)
- Steps in change control process

SSCP Page 51
-

- CRB (Change Review Board), CAB (Change Authorization Board)

SSCP Page 52
Security Operations
Tuesday, April 10, 2018 10:42

Handling data
- Value and risks must be recognized
Classifying data
- First step in determining data security
- e.g. Top Secret, Secret, Confidential, Unclassified
○ Principle of need-to-know should be also applied
- e.g
○ Confidential - company proprietary information, R&D, trade secrets
○ Private - intended for internal use only - employee records, customer data
○ Sensitive - data that requires special precautions for its protection - financial data
○ Public - either publicly available or does not cause any harm if public
Marking and Labeling data
- To quickly identify category of given data
○ Watermarks, title page, headers, covers for Top Secret
- HW holding data should be also marked
○ e.g. red label USBs for classified data
○ Encryption should be enforced based on UUID

Roles and Responsibilities

- Management - define data classification and requirements for its protection, in data and security
policy
- Data owner - primary responsibility for protecting data based on its classifications and
requirements in policy
○ When they create data, they label it according to policy, periodical review of data
classification
○ Ultimately responsible for data security
- Custodian - performs tasks delegated from data owner - e.g. periodic backup
- Administrator - configure the controls, assign permissions, etc.
- User - accesses the data, also responsible for security by data they handle by doing so in a defined
manner in policy

Protecting data from Cradle to Grave

- Data must be protected from its creation till someone destroys it
- If stored on a system, the system must be protected on same level as is required for data
○ Same for network transfer
- Data should be always correctly wiped
○ e.g. when disk in server fails, wipe it before throwing it away - there may be residual data

Data in Motion/in Use/at Rest

- Strong access controls - for accessing data
- Data in Use
○ Protection must be provided by application that is accessing the data
 Safe code
○ Processes the data in unencrypted format
- Data in Motion
○ Transmitted over network, encryption should be used
 TLS, SSL, IPSec
- Data at Rest
○ Data stored on HW (disks, USBs)
Should be encrypted

SSCP Page 53
 ○ Should be encrypted
 e.g. AES
○ When passed to application, data is decrypted

Data Management Policies

- These policies identify methods to protect sensitive data
- Storage Media
○ How data at rest is stored
○ Covers HDDs, USBs, tapes, etc.
○ USBs - easy to lose or misuse
 Encryption should be enforced, whole USB or just the file
○ Encryption everywhere!!!
○ Labeling of media
- Transmission
○ Data management policies define minimal encryption methods used for data in motion
○ FTP over SSH, TLS, HTTPS, etc.
- Archiving and Retention Requirements
○ Archiving and required retention should be addressed in data policy
○ Retention can be enforced by law for specific data
○ Retention should be defined with cost in mind
- Removing Data Remnants
○ Policy for removing residual data (data remanence) from storage drives before reusing or
disposing
○ 2 methods
 Sanitizing - remove all residual elements of data, media can be reused or disposed
afterwards
 Destruction - destroy the media totally
○ Applies also to physical data - papers should be shredded (crosscut), etc.
○ Formatting does not actually remove data
 Special apps to delete data or wipe the disk by overwriting bits
○ Degaussing - using powerful magnet to remove data
 Works only on mechanical drives (HDD, backup tapes)
○ SSDs, CD, DVD must be physically destroyed
 Shredding, burning, incinerating,
- Cloud Computing
○ Specific security requirements for storing data in a cloud

Deduplication
- Ensuring that the file is stored only once on the system
○ Even though multiple users have their own copies
- Problem with encryption
○ If files are encrypted, deduplication software cannot identify same files
 Encryption weakening -> decreases security

Data Loss Prevention

- Monitor data usage and prevent unauthorized use, prevent data from leaving network
- For data at rest or data in motion (e.g. emails, attachments -> network DLP - scanning traffic)
- Data are classified and labeled and policies are built in DLP for each category
- Can limit the use of HW (e.g. USBs)

Social Network Usage

- Social engineering, phishing, uploading data to SNs
- Answering secret questions (e.g. as a part of FB questionnaire)
- Usually, access to SNs is prohibited in companies

SSCP Page 54
 - Usually, access to SNs is prohibited in companies

Information Rights Management (IRM)

- Different methods used to protect information from unauthorized access
- Focuses on documents
- IRM policies apply to document even after it is out of the control of organization
○ IRM policies can restrict what can recipient of attached document perform with the
document
○ Block forwarding, downloading, copying, printing, etc.
○ Can specify expiration date after which users are unable to open document

Databases
- IBM, Microsoft, Oracle
- Relational databases
- Key elements
○ Row (tuple) - contains unique data element
○ Primary Key - uniquely identify each row
○ Column - attribute
○ Foreign key - relationship to another table, points to primary key in another table
○ Field - piece of information in row or column
- Views
○ Virtual table that provides access to specific columns in one or more tables
○ To control authorization on what given user can see
- SQL
○ Communication and manipulation with database
○ Data Definition Language (DDL) - create the structure of database, tables, keys, etc.
○ Data Manipulation Language (DML) - manipulate data in database (add, delete, modify,
retrieve, etc.)
- Database organization methods
○ Online Transaction Processing (OLTP)
 The transaction is recorded in database as it occurs
 e.g. purchasing via website
 Data normalization
 Databases need to be quick and record all transactions in the logs before making
changes
○ Online Analytical Processing (OLAP)
 Reorganizes data from data warehouses into multidimensional cubes -> easier
retrieval
 Include redundant data
 Are slower than OLTP
 Retrieval of data -> data mining
Data inference attack
- Attempts to collect public or unclassified pieces of information to predict or guess an outcome
- Deducting sensitive information from insensitive
- Use deduction to learn detailed information from large quantity of public information

Data diddling
- Unauthorized changing of data before entering it into a system
○ e.g. increasing overtime hours before logging them into system

Securing Big Data

- Same process with other databases
- Strong authentication, authorization, encryption
- Vulnerability testing of applications accessing the data

SSCP Page 55
 - Vulnerability testing of applications accessing the data
- Use System Development Life Cycle (SDLC)

Regulatory Requirements
- Protection of some data is regulated end enforced by law
- Personally Identifiable Information (PII)
○ Information that personally identifies an individual
○ If data breach occurs, companies are obligated to inform customers
- Health Insurance Portability and Accountability Act (HIPAA)
○ Cover U.S. organizations processing health information
○ Identifies Protected Health Information (PHI)
○ Failing to follow requirements of HIPAA can result in serious fines
- Sarbanes-Oxley Act (SOX)
○ Mandates special protection for data related to publicly held companies
○ Requires high level officers to personally verify accuracy of financial data
- Training
○ Some laws mandate specific training and awareness related to data
○ e.g. FIPS Publication 200

Asset Management
- Helps organization to track its assets
○ e.g. track HW and SW owned by company
- HW
○ Inventory tracking
○ Desktops, laptops, servers, routers, switches, etc.
○ Must be actual and managed
○ RFID tags can be put on each device to scan them easily
- SW
○ Track OS and applications throughout their life-cycle
○ Track licensing (if there are not more copies installed than licensed)
○ Patch management
○ Check actual software installed on system
- Can also track media files, data should be properly classified, marked and labeled
- Procedures have to be defined on what can and cannot be performed with data

Certification and Accreditation

- Certification - evaluate, describe and test system
- Accreditation - if system is certified, accreditation is formal declaration from accrediting authority
- Within U.S. Government - Designated Approving Authority (DAA) provides accreditation by
approving the system for operation at specific risk level
- NIST-SP 800-47, FIPS Pub 200

Common Criteria
- Framework used to evaluate systems
- International standard
- Evaluation Assurance Level (EAL) - indicate the level of quality assurance steps that personnel
have taken to ensure the reliability of security features
• EAL1 Functionally tested. The threats to security are low, so a high level of security
assurance is not required.
• EAL2 Structurally tested.
• EAL3 Methodically tested and checked.
• EAL4 Methodically designed, tested, and reviewed. Many commercial operating systems
achieve EAL4
• EAL5 Semiformally designed and tested.

SSCP Page 56
 • EAL5 Semiformally designed and tested.
• EAL6 Semiformally verified design and tested.
• EAL7 Formally verified design and tested. This provides the highest level of assurance.
It’s applicable in extremely high-risk situations

Risk Management Framework

- NIST-SP 800-37

1. Determine security category of the system based on the data it processes and stores
2. Select set of baseline security controls for given category
3. Implement
4. Examine controls to verify they are working correctly
5. Authorize system
6. Monitor security control to know what are they doing

System Development Life Cycle

- SDLC
- Track systems from cradle to grave

- Initiation - documenting the purpose of the system and high-level requirements

○ System should be protected at least at the level of classification of data it stores/processes
○ Security issues should be addressed through whole lifecycle
- Development/Acquisition - design, purchase, program or develop system
○ Conduct a risk assessment to baseline controls to protect system and data
- Implementation/Assessment - install, configure and test system
○ Test security controls to evaluate whether they meet security requirements
- Operations/Maintenance - system performs its mission, regular maintenance
○ Change to the system during operation/maintenance can reduce effectiveness of security
controls
Change management and configuration management should be implemented

SSCP Page 57
 ○ Change management and configuration management should be implemented
○ Periodic system auditing
- Disposal - remove the system from service -> sanitize all media
○ Migrate data and sanitize the system before disposal
○ Destroy media, or overwrite them
○ Dispose data if not required for hold

SSCP Page 58
Security Administration and Planning
Friday, April 20, 2018 08:33

Security Policies
- Written document that provides the organization with a high-level view of security goals
- Management (administrative) control that focuses on management of risk and IT security
- Authoritative document
- Stages of policy
○ Initial stage - draft the security policy
○ Approval stage - policy approved by senior management
○ Publication stage - policy is provided to relevant personnel for implementation
○ Implementation stage - implementing and enforcing the policy
○ Maintenance stage - periodic reviews of policy
- Often, there are several security policies, with top level policy driving them

- Characteristics (best practices)

○ Organization mission statement - understand the vision of organization and how can
security enhance this
○ Statement of accountability - defines the roles and responsibilities of users, management
and IT staff
○ Data classifications - how to determine data classifications and guidance on protecting data
based on the classification
○ Backup plans - requirements for overall backups (offsite storage of backups, retention, etc.)
○ Classification of resources - identify resources that need higher level of protection
○ Network access - types of access authorized on the network (e.g. specify encryption
requirements for wireless devices, create authorization maps)
○ Risk management - risk and vulnerability assessments, requirements (how often to perform,
quantitative or qualitative, etc.)
○ Auditing - what should be audited and how often
○ Business continuity - business continuity and disaster preparation
○ Incident response - defines a security incident for and organization and provides information
for response to incident (may require creation of ©IRT)
○ Physical security - e.g. zone document for building (specific protections required when
processing different types of classified data)
○ Acceptable use - to let users know what is acceptable use of computer equipment and
networks (users have to acknowledge it periodically)
 Ensures that users understand their responsibilities when using an organizations IT
resources
○ Enforcement section - how a security policy is to be enforced
○ Passwords and other authentication requirements - password complexity requirements,
two-factor authentication
Account lockouts - when to lock account, how to unlock it

SSCP Page 59
 ○ Account lockouts - when to lock account, how to unlock it
○ Hardware usage - e.g. prohibit use of USB drives
○ Ethics statement - minimal acceptable behavior by members of the organization, resolve
ethical dilemmas

Enforcing Security Policies

- Security controls are used to enforce security policies

- Security controls are implemented in support of security policy

- Combination of control creates defense in depth model

Value of security policy

- Prevent direct and indirect losses to organization
○ Direct losses - e.g. loss of revenue (immediate)
○ Indirect losses - e.g. losing customers due to damaged reputation, share value decrease, etc.
- May limit organizations liability (when breached)

Code of Ethics
- Employees have an obligation to abide by the ethics of the organization
- Protecting society, acting honorably, etc.
- For the places that are not covered by security policy
○ Norms and principles of correct conduct
- Part of that should be that employees should not retaliate against attackers
○ e.g. security professional launching attack back
○ IP address can be spoofed, you may cause even more damage to organization

Policy Awareness
- Personnel must be aware of security policy
○ e.g. every employee of AUP
- Not all policies must be understood by all employees
- Awareness should be acknowledged

Increase user awareness of security policies

- Easy to read language - target audience must understand it by reading
- Warning banners - explaining who is authorized and non-authorized, privacy expectations
(monitoring), etc.
○ Remind users that activities are monitored
- Training sessions - annual training for AUP, avoiding phishing attacks; specialized training
(forensics) for IRT, etc.
- Security flyers and posters - security is also users responsibility

Updating Security Policies

- Vulnerabilities and threats change, so need to security policy
- Should be updated regularly, e.g. once a year

SSCP Page 60
 - Should be updated regularly, e.g. once a year
○ Also supporting policies, to ensure they are aligned with security policy
- Should be reviewed also after breach
○ Updated or additional trainings for employees, etc.

Business Continuity Plan (BCP)

- Prevent the loss of mission-critical services for unacceptable length of time
- Includes BIA (Business Impact Analysis) and DRP (Disaster Recovery Plans), backup policies
- Development of BCP

- BCP and supporting policies

- Business Impact Analysis (BIA)

○ Identifies impact to the organization if business functions are lost due to incident
○ What business functions are critical?, required resources to support business continuity
○ Evaluates direct and indirect costs
○ Characteristics
 Maximum Acceptable Outage (MAO)
□ Also MTD (Maximum Tolerable Downtime) or MTO (Maximum Tolerable
Outage)
□ Maximum outage time before the outage affects business critical functions
 Recovery Time Objective (RTO)
□ Maximum amount of time personnel can take to restore a system or service
 If this time is exceeded, critical business functions are affected
□ It is equal to MAO
 Recovery Point Objective (RPO)
□ Maximum amount of data and organization can afford to loose
□ How often to backup
 If database is updated few time a week RPO of 1 week should be enough
 If database is recording online transactions on web server generating 5k
$/h RPO may be up to moment of failure

SSCP Page 61
 $/h RPO may be up to moment of failure
□ Lower the RPO, more expensive the solution can be
 RPO should be based on BIA to justify the expenses
□ Database backup strategies
 Full backup
 Differential backup
 Backup of transaction logs
◊ Record every database transactions since the last backup
◊ Can be used to recover database up to the moment of failure
○ Output
 Document that identifies losses that can result from the outage of critical business
functions
 How much money can be lost if critical systems are down
 Prioritize different functions based on probability of incident occurring and impact
 Should use historical data to predict the probability of specific disasters (e.g.
earthquake in San-Francisco)
- Disaster Recovery Plan (DRP)
○ Plan to restore critical operations after a disaster
 Clear-cut steps to recover systems as fast as possible
 In form of checklist
○ Is not the same thing as fault tolerance
 Fault tolerance - ensuring that system works after component failure (e.g. RAID)
 Disaster recovery - steps to take to recover system after total outage
○ Includes emergency response plans and procedures
 DRPs for different types of disasters

BCP vs. DRP

- BCP - provides the information to keep critical systems running during disaster
- DRP - how to recover one or more systems after disaster, part of BCP

Restoration Planning
- Identify critical business functions (output of BIA)
- Identify restore targets (BIA -> MAO, RTO and RPO)
- Create plan to restore system
○ Within required times
○ Extremely clear and in order (e.g. first restore database, then web-server)

Testing and Drills

- NIST SP 800-84
- Tabletop exercises, structured walkthrough
○ Discussion based scenarios, scenario is presented, looking for problems in process
- Functional exercises
○ Simulation of real-time recovery operation
○ e.g. recover database server from backups
- Drills - e.g. for fire

Alternative Locations
- Hot Site
○ All of the resources required to take over operations of another location in a very short time
○ Servers, network, data, personnel is already there
○ e.g. mirrored site = 100% availability
○ Most expensive
○ e.g. regional sites taking over for each other but also functioning individually
Easy to test - everything is already ready

SSCP Page 62
 ○ Easy to test - everything is already ready
- Cold Site
○ Building with a roof, running water and electricity
○ Hard to test
○ Cheaper than hot site
- Warm Site
○ Compromise between hot and cold (with cost and time)
○ e.g. this site can be active within 24 hours
 Some manual steps must be taken to make it operational
- Mobile Site
○ e.g. container with servers
○ Equipment is already installed, but usually SW and data are out of date
○ Cost is usually as a warm site

Security Organizations
- National Institute of Standards and Technology (NIST)
○ Special Publications (SPs)
○ Also publishes FIPS documents
○ http://csrc.nist.gov/publications/PubsSPs.html
- US-CERT
○ Response support and defense against cyber-attacks for US government entities
- SANS Institute
○ Security certifications and trainings
○ SANS Reading Room: www.sans.org/reading-room/
○ Sponsors Internet Storm Center: https://isc.sans.edu/diaryarchive.html
- CERT Division
○ Works with DHS (Department of Homeland Security)
○ Software Engineering Institute

SSCP Page 63
Legal Issues
Friday, April 27, 2018 08:36

Computer Forensics
- Inspecting computer systems for evidence about an event or crime
- Primary goal - preserve data integrity
- Incident Handling
○ NIST 800-61 - Computer Security Incident Handling Guide
○ Incident - any violation of policies or security practices that has the potential to result in
adverse event (system crash, data breach)
○ Create incident response policy
1. Discovering an incident
- How do you know which event is incident?
- User reports erratic behavior of PC, admin starts to investigate, finds out that PC was
infected -> incident
2. Responding to incident
- According to incident response plan
□ Actions to take for specific incidents
- e.g. disconnect the PC from network if infected by malware (containment)
- Protecting evidence while investigating
3. Escalating an incident
- If personnel cannot resolve it
- Escalate to supervisor or higher level technicians
4. Reporting an incident
- e.g. report to member of IRT
- Always document every incident that happened
- Reporting may be enforced by law
□ e.g. GDPR for PII
Implementing Feedback Loop
- Ensure that organization examines each incident to learn from it
- e.g. find out why PC was infected and implement countermeasures to avoid recurrence
○ e.g. enforce AV updates more often, training to users on phishing tactics

Implementing Countermeasures
- Based on organizations acceptable level of risk

First Responders and Preserving the Scene

- In medical field - first one to arrive on the scene (EMS, EMT, police, etc.)
- In IT field - first forensics trained person on scene
○ Someone with advanced forensics training
○ Must be someone who understands the basics of handling evidence, preserving scene,
maintaining chain of custody
- NIST 800-86
- Most important goal - PRESERVING EVIDENCE
○ Cannot be tainted because then it cannot be used as evidence in legal proceedings
- First step may be to disconnect PC from network

Phases of Computer Forensics Investigation

- Acquire, authenticate and analyze evidence
○ NO MODIFICATIONS during the process
1. Acquire the evidence
Most sensitive part of the process (easy to modify evidence if not done properly)

SSCP Page 64
 ○ Most sensitive part of the process (easy to modify evidence if not done properly)
○ Bit-copy or drive-imaging tools to capture the data (with write-blocker)
- Must be exact bit-by-bit copy of original drive
○ Capture content of computer's memory
- Recently run processes and applications
- Memory is volatile - you must keep system on
○ For first responders
- Do not access any files
- Do not shutdown the PC
- Create multiple copies of disk and memory
○ Toolkits for acquiring evidence
- FTK Imager, Forensics Toolkit, COFEE, Sleuth Kit, EnCase, SANS SIFT
2. Authenticate the evidence
○ After collection, create chain-of-custody
- Documents who obtained the evidence, where, when and how it was controlled since
it was first collected
- Records every interaction and provides proof that evidence was properly controlled,
was not subject to tampering and is valid
○ Maintain control of evidence - to avoid being subjected to tampering
○ Authenticate drives and files
- By comparing hash values
- Create hash from original drive and then from drive that was analyzed - if they match,
there was no tampering
3. Analyze the evidence
○ Process must be performed on copies of original drive
- Sometimes original must be analyzed (you have only one shot)
○ Process must be repeatable

Forensics Evidence Guidelines and Principles

- Forensics security policies
1. No actions taken should change data which may be subsequently relied on court
2. If original data must be accessed and analyzed, this can be done only by highly qualified person
3. Audit trail of all processes applied to digital evidence should be created and preserved
- Independent third party should be able to repeat the steps and achieve same results
4. Person in charge of investigation is responsible for ensuring that the law and these principles are
adhered to

Computer Abuse and Computer Crime

- Computer Abuse
- Unethical or dishonest use of computer in unauthorized manned
- Does not involve breaking laws
- Computer Crime
- Breaking law
- Can result in prosecution, fines and jail-time
- Cybercrime
- Need to commit a crime
- Means, Opportunity and Motive (MOM)
- Cyberbullying - harassment, intimidation via computer, spread lies on social networks
- Computer abuse
- Cyberstalking - gather information on victim, monitor its activities, steal identity
- Computer crime
- Cyberwarfare - politically motivated attack on entities in other countries, APTs
- Crime

SSCP Page 65
Fraud and Embezzlement Crime
- Fraud - use of deception for unlawful gain or unjust advantage
- Embezzlement - special type of financial fraud where an individual steals money or property from
employer, customers, client, etc.
- "Ponzi scheme"
- "Salami attacks"
- Minor actions to large gains
- To reduce the risk of internal fraud and embezzlement
- Mandatory vacations
- Goal is to let another person to perform job to increase possibility of exposing an
suspicious activities
- Requires employees to take vacations for a minimum period
- Job rotation
- Moving employees periodically between different jobs
- Increases chance to expose internal fraud
- Combined with "separation of duties" practice

Privacy Issues
- Key element to avoid data leakage is due diligence - actively taking steps to protect data
- Defining data breach
- Unauthorized personnel gains access to data
- European Directives
- Data Protection Directive - processing and protection of personal data in EU (obsolete by
GDPR)
- E-Privacy Directive - protection of digital data (e.g. cookies)
- Safe Harbor Program
- COPPA (Children Online Privacy Protection Act) - applies to collection of information on
children under the age of 13
- California Online Privacy Protection Act (OPPA) -

SSCP Page 66
Cryptography
Saturday, April 28, 2018 12:34

- Provides
○ Confidentiality - prevent unauthorized access to data (encryption)
○ Integrity - prevent unauthorized modifications to system and data (hashing)
○ Authenticity - assurances that data is coming from a known source and s valid and reliable

Terminology
- Plaintext - cleartext
- Ciphertext - encrypted or scrambled format, can be decrypted back to plaintext with proper key
- Encryption - process of converting plaintext to ciphertext
- Encryption algorithm - mathematical process of converting plaintext to ciphertext
- Symmetric encryption - data is encrypted and decrypted with the same key
- Asymmetric encryption - encryption and decryption is provided using different keys
(private/public key pair)
- Cryptography - science of encryption, study of algorithms
- Cryptographic system - includes algorithms for encryption/decryption
- Cryptanalysis - science of studying cryptographic methods (looking for weaknesses)
- Hashing - process of producing hash from data

Data Sensitivity
- Drives the selection of encryption algorithms (according to data classification)
- Encryption has high requirements for performance, storage, etc.

Regulatory Requirements
- Encryption of PII and PHI at rest (encryption on disk) or in motion
- PCI DSS - enforces the use of strong crypto algorithms

Integrity
- Enforced by hashing
○ Number calculated from data, if data changes also hash changes
- Does not provide confidentiality
- One way encryption
○ It's not possible to extract plaintext from hash (may be possible by using rainbow tables)
- Algorithms
MD5 128-bit hash, cryptographically broken
SHA-1 160-bit hash, vulnerabilities, obsolete
SHA-2 224 to 512-bit hash, similar to SHA-1, may be broken soon
○ SHA-3 224 to 512-bit hash, different algorithm than SHA-1/2
HMAC Works with MD5 or SHA, adds shared secret key to hashing, adds authenticity
- Receiver must have the secret to validate hash (and sender is
authenticated)

Salting passwords
- Adds random number of bits to the passwords
- Salt has to be saved with resulting hash to database
- Salt has to be random number (even if 2 passwords are the same, they must have different hash)

Symmetric Encryption

SSCP Page 67
Symmetric Encryption
- Single key for encryption and decryption
- e.g. ROT13 encryption - rotating text

Composing and Rotating Keys

- Protect key from cracking and guessing
- Keys should be long enough to survive brute-force attacks
○ Longer the key, more complex the operation with it
- Rotate the keys - ideally not use the same key with same data set twice

Block and Stream Ciphers

- Block cipher - encrypts blocks (fixed-length of bits) of data individually
- Stream cipher - encrypt bits as a stream
○ Susceptible to vulnerabilities
○ But secure when implemented properly
- Advanced Encryption Standard (AES)
○ Strong, efficient, 128-bit block cipher
○ Used by WPA2, TPMs, etc.
○ Uses keys of various sizes
 AES-128
 AES-192
 AES-256
- DES - broken
- 3DES - slow and CPU-intensive, but strong
- Blowfish - 32 to 448 bit keys, strong cipher
- Bcrypt - key-stretching, used by salting password in UNIX
- Password-based Key Derivation Function 2 (PBKDF-2) - key-stretching technique
- IDEA - 64-bit block, 128-bit keys
- RC4 - symmetric stream cipher, has been cracked

Asymmetric Encryption
- Public/private key pair
- Anything encrypted with public can be decrypted only by private and vice versa
- Requires PKI to create, manage, distribute, validate and revoke certificates
- Use:
○ Privately share symmetric key for encryption
○ Digitally sign email
- Public key is embedded in certificate and freely shared

RSA
- NIST recommends using 2048-bit and longer keys
- Uses large prime numbers to create secure pub/priv keys
○ These are multiplied to create composite number and that is used for key pair generation
○ RSAs strength lies in the fact that if those numbers are large enough, factoring the
composite number is computationally infeasible
TLS

SSCP Page 68
TLS
- Encrypts HTTP over port 443
- Uses asymmetric encryption to share the symmetric key for encryption (faster)
- Establishing TLS connection - https://www.acunetix.com/blog/articles/establishing-tls-ssl-
connection-part-5/

SSL
- Obsolete by TLS
- POODLE and Hearthbleed vulnerabilities
- https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/

Diffie-Hellman (DH)
- Public key algorithm to share symmetric keys between systems
- Focused on secure key exchange

Elliptic Curve Cryptography (ECC)

- Uses mathematically defined curve to generate public and private keys
- Strong security with smaller key sizes
- Elliptic Curve Digital Signing Algorithm (ECDSA), Elliptic Curve Diffie-Hellman (ECDH)

Secure Shell (SSH)

- Public key cryptography to encrypt data in motion
- Can be used to transfer other protocols (SFTP, SCP, etc.)

S/MIME
- Standard to encrypt and digitally sign email
- Non-repudiation
○ Prevents from individual denying they took an action
- Digital signature
○ Hash of message encrypted with senders private key
 Authentication (primary goal) - as the senders private key was used, it is proof that
message comes from him
 Integrity - hash is validated on recipients side
 Non-repudiation - sender cannot deny that message was created and sent by him
○ ECDSA
○ Message is not encrypted when digitally signing - no confidentiality!

Encrypting Email
- With recipients public key
○ Only matching private key (hold by recipient) can be used to decrypt message
- Symmetric key is generated and used for encrypting email
○ Symmetric key is encrypted by recipients public key and sent with message

Pretty Good Privacy (PGP)

- Application that provides encryption and authentication using digital signatures
- Can be plugged in email client

Other Encryption Schemes

Steganography
- Hiding data in a plain sight
- e.g. modify least significant bit in a byte
○ Makes a change of color tint in a picture or slight change in audio file
Not distinguishable

SSCP Page 69
 ○ Not distinguishable
- The larger the file the longer message can be encoded
- There is no encryption
- Steganalysis techniques - to detect the use of steganography
○ e.g. if you have a hash of original file, new hash won't match it

IPSec
- AH (authentication only) & ESP (authentication and confidentiality)
- Can be used by VPNs

Public Key Infrastructure (PKI)

- Includes all the component needed to create, manage, distribute, validate and revoke certificates
- Based on X.509 protocol and standard

Certificate
- Primary purpose - distribution of public key
○ Other purposes
 Authentication - prove the identity of users and computers
 Encryption
 Protecting email - encryption and digital signatures
 Code signing - authentication of the developer and integrity for the code
□ Extended Validation Code Signing
- Include following information
○ Who it was issued to
○ Issuer
○ Validity dates
○ SN
○ Public key
○ Certification path (trust chain to the root CA)

Certificate Authority
- Issues and manages certificates through their lifetimes
- Public or private
- Registration Authority - accepts certificate requests, validates data and passes requests to CA
○ Optional, never issues certificates

Certificate Trust Chain

- Root CA -> intermediate CA
- If client trust root CA and has valid trust chain, it automatically trusts intermediate CA and hence
the certificates issued by intermediate CA

Trusted Root Certification Authorities

- For CA to be trusted, its certificate must be installed into Trusted Root CAs store on a system
- There is default store of trusted CAs

Revoking Certificates
- Before its expiration
○ e.g. when matching private key is compromised
○ CRL - list of revoked certificates on CA
○ CRL distribution point is included in certificate
 Client can request copy of CRL list and verify that given certificate is not on it

Validating Certificates
- User's system examines certificate itself - if it has not expired (validation dates), validates the

SSCP Page 70
 - User's system examines certificate itself - if it has not expired (validation dates), validates the
domain it was asking for with the domain for which the certificate was issued
- User's system checks with CA - request for the copy of CRL
○ Or OCSP (Online Certificate Status Protocol)
 SN of certificate is sent to OCSP responder which identifies health of certificate and
returns status (good, revoked or unknown)
 CRL does not need to be transmitted

Key Escrow
- Storing a copy of private key for safekeeping
- e.g. keys of employees can be stored on offline storage
○ Recovery agent is authorized to recover keys
○ Strong auditing
○ Separation of duties
○ Etc.

Alternative Certificate Trusts

- Web-of-trust, cross-certification trust
- Differs from hierarchical PKI
- Transfer of trust between entities
- PGP is based on web of trust
○ Designated individuals are allowed to introduce certificates to web of trust
○ Level of assurance is provided by how many people trust the certificate
- Cross-certification trust
○ Allows to transfer trust between two private PKIs

Cryptanalysis Attacks
- Process of deciphering codes through analysis to compromise confidentiality or integrity of the
data
- Used by both black hats and white hats to look for weaknesses

Managing Cryptographic Keys

- Crypto algorithms best practices with regards to keys
○ Key rotation - periodically replacing old key with the new one
○ Key composition - strong keys (random and sufficient in length) so that they cannot be
guessed

Known Plaintext Attack

- When attacker has samples of both plaintext and ciphertext data
- Chosen-plaintext attack - when part of plaintext can be predicted and ciphertext is captured ->
rest of the message can be decrypted
○ E.g. mail message header "From:"

Ciphertext Only Attack

- Analysis of ciphertext to determine plaintext
- Successful when weak crypto algorithms are used
○ e.g. key is used too long, it is not protected or it is weak
○ WEP

SSCP Page 71