Professional Documents
Culture Documents
Buffer Overflows
Description A buffer overflow attack is a type of cyberattack that exploits a
vulnerability in software to execute malicious code. It occurs
when a program attempts to write more data to a buffer than the
buffer can hold. This can overwrite adjacent memory locations,
potentially altering program instructions or data. Attackers can
craft specific input data to trigger a buffer overflow, allowing
them to inject their own code and gain control of the program.
Countermeasure Good programming practices and developer education
s Automated source code scanners
Enhanced programming libraries, and strongly typed languages
that disallow buffer overflows
Race Conditions
Description Race condition attacks are a type of cyberattack that exploits
vulnerabilities in the way software processes multiple requests or
tasks simultaneously. These attacks occur when two or more
threads or processes attempt to access shared data at the same
time, and at least one of them modifies the data. This can lead to
unpredictable and often undesirable outcomes because the final
state of the data depends on the relative timing of these
operations.
For example, consider a website that allows users to transfer
money between their accounts. If two users attempt to transfer
money from the same account at the same time, a race condition
could occur if the software is not designed to handle this situation
correctly. In this case, the software might end up transferring
money to both users, or it might not transfer money to either
user.
Countermeasure Good programming practices and developer education
s Automated source code scanners
Application security testing
NOTE: Penetration tests are not necessarily restricted to information technology, but may
include physical security as well as personnel security. Ultimately, the purpose is to
compromise one or more controls, which could be technical, physical, or administrative.
NOTE: A “Get Out of Jail Free Card” is a document you can present to someone who thinks
you are up to something malicious, when in fact you are carrying out an approved test.
More than that, it’s also the legal agreement you have between you and your customer that
protects you
from liability, and prosecution.
White White box testing affords the pen tester complete knowledge of the inner
Box workings of the system even before the first scan is performed.
Testing This approach allows the test team to target specific internal controls and
features and should yield a more complete assessment of the system.
The downside is that white box testing may not be representative of the
behaviors of an external attacker, though it may be a more accurate
depiction of an insider threat.
Advantages:
Can identify code-level errors: White-box testing can identify code-level
errors that might not be apparent through black-box testing.
Can be used to test complex algorithms: White-box testing can be used
to test complex algorithms and data structures.
Can be used to test for specific code coverage: White-box testing can be
used to test for specific code coverage, such as statement coverage or
branch coverage.
Gray Gray box testing meets somewhere between the other two approaches
Box [black and white box].
Testing Some, but not all, information on the internal workings is provided to the
test team. This helps guide their tactics toward areas we want to have
thoroughly tested, while also allowing for a degree of realism in terms of
discovering other features of the system. This approach mitigates the issues
with both white and black box testing.
Advantages:
Can identify integration defects: Gray-box testing can identify
integration defects that might not be apparent through black-box
testing or white-box testing.
Can identify security vulnerabilities: Gray-box testing can identify
security vulnerabilities that might not be apparent through black-box
testing or white-box testing.
Can be used to test early and late in the development process: Gray-box
testing can be used to test software early in the development process,
when the source code may not be fully developed or documented, and
late in the development process, when the software is integrated with
other systems.
EXAM TIP: Don’t worry about differentiating penetration testing and red teaming during the
exam. If the term “red team” shows up on your test, it will most likely describe the group of
people who conduct both penetration tests and red teaming.
Developers frequently embed code stubs and test routines into their developmental
software, which can serve as prime examples of unnecessary and hazardous procedures.
Incidents where developers have left test code, including occasionally hardcoded
credentials, in final software versions have been all too common. Upon discovering this
vulnerability, adversaries can effortlessly exploit the software and circumvent security
controls. This issue is particularly insidious because developers sometimes comment out
the code during final testing as a precaution in case the tests fail and they need to revisit
and modify it. They may make a mental note to return to the file and remove this
hazardous code, but they may eventually forget to do so, which is exploited by attackers
if they get access to the source code.
Defensive programming is a crucial practice for software development teams to adopt. It
entails anticipating potential issues and implementing measures to prevent them.
A key aspect of defensive programming is treating all inputs with suspicion,
regardless of their source, until they are verified as legitimate. User input validation
can be a complex process, as it requires understanding the context and expectations
associated with the input. For instance, if you anticipate a numerical value, you need
to define the acceptable range and determine whether this range might change over
time. Addressing these questions is essential for validating input accuracy. Many
security vulnerabilities stem from a lack of input validation. By implementing
defensive programming techniques, you can significantly reduce the risk of such
vulnerability’s exploitation.
Misuse case testing is a process of ensuring that the system's security controls are
effective in mitigating the risks identified in the risk management process. This process
helps to ensure that security is incorporated into the design of the system from the
outset.
NOTE: In certain cases, such as regulatory compliance, the parameters of the audit may be
dictated and performed by an external team of auditors. This means that the role of the
organization is mostly limited to preparing for the audit by ensuring all required resources
are available to the audit team.
Summarizing
Factor: Number of security incidents
• Measurement: Count the number of security incidents that occur each month
• Baseline: The number of security incidents that occurred in the previous month
• Metric: % decrease in the number of security incidents from the previous month
• Indicator: The severity of security incidents
1.2. Security Metrics
Security metrics are often viewed as tedious and irrelevant, with organizations focusing
on easily measurable metrics like ticket closure rates. This approach fails to provide
valuable insights and can even harm security efforts, as prioritizing ticket closure can
lead to missed evidence of ongoing attacks.
Effective security metrics should tell a story, catering to the specific needs of different
audiences.
Board members are interested in strategic threats and opportunities, while business
managers prioritize business unit protection.
Security operations leaders focus on team performance. Each audience requires
tailored security metrics to effectively engage them.
6 characteristics of a good metric that you should consider:
Relevant: The metric should be directly tied to your security goals and indirectly tied
to your organization’s business goals.
Quantifiable: A good metric should be relatively easy to measure with the available
tools at your disposal
Actionable: The best metrics inform your immediate actions, justify your requests,
and directly lead to improved outcomes.
Robust: Will it be relevant in a year? Can you track it over many years? A good
metric must allow you to track your situation over time to detect trends. It should
capture information whose value endures.
Simple: Does it make intuitive sense? Will all stakeholders “get it?” Will they know
what was measured and why it matters to them? If you can’t explain the metric in a
simple sentence, it probably is not a good one.
Comparative: Can it be evaluated against something else? Good metrics are the
result of comparing measurements to each other or to some baseline or standard.
This is why the best metrics are ratios, or percentages, or changes over time.
NOTE: Another commonly used approach is to ensure metrics are SMART [specific,
measurable, achievable, relevant, and time-bound].
NOTE: KPIs and KRIs are used to measure progress toward attainment of strategic business
goals.
NOTE: Privileged user accounts pose significant risk to the organization and should be
carefully managed and controlled.
EXAM TIP: Security awareness [and the training required to attain it] is one of the most
critical controls in any ISMS. Expect exam questions on this topic.
NOTE:
Business continuity is the term used to describe the processes enacted by an
organization to ensure that its vital business processes remain unaffected or can be
quickly restored following a serious incident. Business continuity looks holistically at the
entire organization.
A subset of this effort, called disaster recovery, focuses on restoring the information
systems after a disastrous event.
EXAM TIP: Protection of human life is always the top priority in situations where it is
threatened.
Human should be prioritized over the safety of material possessions during emergencies.
Emergency procedures should focus on safely evacuating personnel, and all personnel
should be familiar with designated exits and gathering spots. These gathering spots
should be chosen considering seasonal weather conditions. A designated person in each
group should ensure everyone is accounted for, while another individual should be
responsible for notifying authorities such as the police, security guards, fire department,
emergency rescue, and management. Proper training will better equip employees to
handle emergencies and prevent impulsive actions like simply running towards the
nearest exit.
If the situation is not immediately life-threatening, designated staff should follow a
specific order of operations to shut down systems in an orderly fashion and remove
critical data files or resources for safekeeping during evacuation. This order is crucial to
avoid causing more harm than good by skipping or adding steps.
When things have settled down, one or more individuals will likely need to interact with
external entities such as the press, customers, shareholders, and civic officials. These
representatives should be prepared to provide a uniform and reasonable response that
explains the circumstances, the organization's response to the disaster, and what
customers and others can expect moving forward. It's important to present this
information quickly to prevent the spread of false rumors. At least one person should be
designated as a media liaison to ensure accurate messaging.
Organizations also need to address the potential for looting, vandalism, and fraud in the
aftermath of a disaster, when they are most vulnerable. Careful planning, such as
providing sufficient security personnel on site, can help mitigate these risks and provide
the necessary level of protection.
Data collection for assessing disaster recovery and business continuity processes should
ideally be conducted before any real emergencies arise, but the best data is often
captured during an actual emergency situation. Debriefings, also known as hot washes,
should be held immediately after any real or training events while memories are still
fresh. These discussions should cover what happened, how it was handled, what went
well, and how improvements can be made in the future. Hot wash notes and after-
action review [AAR] reports are valuable sources of security process data for disaster
recovery and business continuity.
2.3.2. Benefits of using hot washes and AARs in information security business
continuity:
Hot washes and AARs are valuable tools that can be used to improve information
security business continuity. By using these tools, organizations can identify and address
problems before they escalate, and they can improve their overall security posture.
Followings highlight the benefits of using hot-washes and AARs:
i. Improved communication: Hot washes and AARs can help to improve
communication between different departments and teams within an organization.
ii. Increased awareness: Hot washes and AARs can help to increase awareness of
security risks and vulnerabilities.
iii. Enhanced decision-making: Hot washes and AARs can provide valuable information
that can be used to improve decision-making.
iv. Reduced downtime: Hot washes and AARs can help to reduce downtime following
an incident or event.
3. Reporting
Report writing is an essential but often disliked task for security professionals. While
they prefer hands-on work, they must be able to effectively communicate their findings
to both technical and non-technical audiences. True security professionals understand
the role of information security within the organization's broader context and can tailor
their communication accordingly. Technical reports are important but may not resonate
with decision-makers who are not inherently technical. To have a business impact,
reports must be both technically sound and written in the language of business.
3.1.1. Remediation
Vulnerability assessments often uncover issues beyond software defects. Many
vulnerabilities stem from misconfigured systems, inadequate policies, flawed business
processes, or untrained personnel. Addressing these vulnerabilities requires
collaboration beyond IT or security teams. Even mundane system patches need careful
coordination with all affected departments. Vulnerability remediation should involve all
stakeholders, including those outside the IT or security realm. Effective remediation
necessitates the sound analyses described earlier. Gaining support from all levels of the
organization is crucial, so educating stakeholders about the findings, their impact, and
necessary actions is essential. Remediation efforts may impact business operations, so
contingency plans and exceptional case handling strategies are vital.
NOTE:
The language of your audience
You cannot be an effective communicator if you don’t know your audience. Learning
to speak the language[s] of those you are trying to inform, advise, or lead is
absolutely critical. It has been said that accounting is the language of business, which
means you can generally do well communicating in terms of the financial impacts of
your findings. The fact that risks are expressed as the probability of a certain amount
of loss should make this fairly easy as long as you have some sort of risk
management program in place.
Still, in order to up your game, you want to be able to communicate in the language
of the various disciplines that make up a business. Human resource leaders will care
most about issues like staff turnover and organizational culture. Your marketing [or
public affairs] team will be focused on what external parties think about your
organization. Product managers will be very reluctant to support proposals that can
slow down their delivery tempo. We could go on, but the point is that, while the
facts and analyses must be unassailable, you should always try to communicate
them in the language of…whoever it is you’re trying to persuade.
Ethical Disclosure
Occasionally, security assessments reveal vulnerabilities that affect other
organizations. These vulnerabilities may be discovered during code reviews,
penetration tests, or other security assessments. Upon discovering such
vulnerabilities, an ethical obligation arises to promptly disclose them to the
appropriate parties. If the vulnerability affects your own product, inform your
customers and partners as soon as possible. If the vulnerability affects a third-party
product, notify the vendor or manufacturer immediately to allow for timely
patching. Ethical disclosure aims to inform affected parties swiftly to enable patch
development before threat actors exploit the vulnerability.
When proposing security controls, it is essential to consider their lifecycle costs and
compare them to the risks they mitigate. If the cost of implementing a control
[$180,000] is less than the risk it mitigates [$1,000,000], it is generally advisable to
implement the control. However, controls are not perfect and may fail. Therefore, it is
important to factor in the likelihood of a control's effectiveness.
For example, if a control has an 80% success rate and the organization has a 10% chance
of being attacked, the residual risk would be 2% of $1,000,000, or $20,000. This residual
risk should be added to the control's cost [$180,000] to determine the total effective
cost [$200,000].
1.Given Values:
Control's Success Rate = 80%
Organization's Chance of Being Attacked = 10%