
SANS 401.2

Defense In-Depth
There is no magic when it comes to network security; multiple layers of protection
must be deployed.

Prevention is ideal, but detection is a must; however, detection without response has minimal value.

The key focus of risk is CIA (Confidentiality, Integrity and Availability).

All three areas are important for any organization, but there is always a priority, like:

Confidentiality: Government

Integrity: Financial institutions

Availability: E-Commerce

Approaches to DiD:

Uniform Protection

Most common: treat all the systems the same.

It's like firewall, VPN, antivirus…

Protected enclaves

Work groups that require additional protection

internal firewalls

VLANs and ACLs

Information centric

Threat Vector analysis

Stop the capability of the threat to use the vector

USB: Disable them

Attachments in E-mails: block or scan

Spoofed e-mails: check address.

The main strategy for fixing an infected system is to rebuild the system from scratch.

Configuration management is the discipline of establishing a known baseline condition, and then managing that condition.

If your network is not partitioned, nothing prevents the exploit from spreading. “You
cannot protect what you do not know.”

To manage a configuration, you need two things:

An accurate baseline document (mapping the network and conducting vulnerability assessments against the computers on the network).

A way to detect when a change occurs to that baseline.

Security is all about understanding, managing and mitigating risk.

Access Control & Password Management

Data Classification
Two categories: there is public data, like military, and private data, like commercial stuff.

The government data gets classified to:

Top Secret

Secret

Confidential

Unclassified

As no organization is able to protect all of its data (especially if it's a big
company), you should classify the data so you can protect what is sensitive.

Data Classification Process

Identify roles

Identify classification and labeling criteria

Owner classifies the data

Identify exceptions to the classification policy

Specify the controls for each classification level

Identify declassification, destruction, or transference procedures

Include an enterprise awareness program about data classification

Access Control Techniques

Discretionary (DAC): Managed by users

Mandatory (MAC): Requires matching classification and clearance for access

Role-based (RBAC): Based on group membership

Ruleset-based (RSBAC): Rules for a specific object

List-based: permitted users for each object

Token-based: permitted objects for each user

Single Sign-On (SSO)

Have to logon only once

Credentials are carried with the user

Should be used with multi-factor authentication

Talked about the difference between hashing and cracking, John the Ripper.

Strength of a Password Hash

Quality of Algorithm

Key Length

CPU Cycles

Character set support

Password length

Pre-computation attack: compute the hash for a lot of values in advance and store them in a
database or similar; then, when you need to crack a hash, you look up its match in
the database.

A way to defeat a pre-computation attack is “salted hashes”: add a random value to the string that you are storing.
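An added example (not from the course notes) showing why the salt defeats the pre-computed table: the same password hashed without a salt is found instantly in a table built from a wordlist, while the salted digest of that same password is not in the table and differs for every user. The wordlist, passwords and storage format are constructed for the demonstration.

```python
import hashlib
import hmac
import os


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical inputs give identical digests,
    so an attacker can hash a wordlist once and reuse the table against
    every password database that uses the same algorithm."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Same algorithm, but a per-record random salt is mixed in first, so the
    digest depends on the salt as well as the password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def build_precomputed_table(wordlist):
    """The pre-computation the notes describe: digest -> plaintext, built once
    from a (constructed) wordlist and kept for later lookups."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup(table, digest):
    """Recover a plaintext from the table, or None if the digest is unknown."""
    return table.get(digest)


def store_password(password: str, salt_len: int = 16):
    """What the defender stores per user: (salt, digest). The salt is random
    per record, so two users with the same password get different digests.
    (Real deployments use a deliberately slow password hash such as bcrypt or
    Argon2; SHA-256 is used here only to keep the example self-contained.)"""
    salt = os.urandom(salt_len)
    return salt, salted_hash(password, salt)


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored_digest)


if __name__ == "__main__":
    table = build_precomputed_table(["password", "123456", "letmein"])
    print("unsalted lookup:", lookup(table, unsalted_hash("letmein")))
    salt, digest = store_password("letmein")
    print("salted lookup:", lookup(table, digest))
    print("verify:", verify_password("letmein", salt, digest))
```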

Biometric mechanisms analyze a physical attribute of a person and compare it to recorded data known about the person.

Security Policy

Protect the organization, the people and the information

Protects people who are trying to do the right thing

Policies are like the law of the organization.

The more you understand the organization’s concerns, the better you are able
to sell your ideas

A mission statement is the idea behind a brand. It is a statement to your customers and suppliers of what they can expect from you.

Security Posture is what we actually look like

Enterprise-wide or corporate policy is the highest level of policy and consists of high-level documents that provide a direction or thrust to be implemented at lower levels in the enterprise.

A mission statement has to be operational; otherwise it's just good intentions.

Some issues to consider:

Allowing home use of laptop

Installing Software

Sending personal information via e-mail

A mission statement points to what the expected overall security posture of an organization will probably look like.

Policy and Procedure

Procedures are derived from policies.

An effective and realistic security policy is the key to effective and achievable security.

Standard: applied to the organization as a whole.

Baseline: a more specific implementation of a standard.

Policy Table of Contents

Purpose

Related documents or references

Cancellation or expiration

Background

Scope

Policy Statement

Responsibility

Action

Types of Policies

Program Policy

Issue-Specific Policy

System-Specific Policy

Two issue-specific policies

non-disclosure agreement (NDA)

copyright

Cain &amp; Abel tool (solve this lab): Lab 2.2

Critical Security Controls


You can’t manage what you can’t measure.

We need to prioritize, and we need someone to take a stand and provide the industry with a
set of real priorities for defense.

Securing our nation against cyber attacks has become one of the nation's highest
priorities.

Project Guiding Principles

Defenses should be automated where possible and periodically or continuously
measured using automated measurement techniques where feasible.

Root cause problems must be fixed in order to ensure the prevention or timely
detection of attacks.

Measures should be established that facilitate common ground for measuring the effectiveness of security measures, providing a common language to
communicate about risk.

Three control priority families

System (Controls 1-10)

Network (Controls 11-15)

Application (Controls 16-20)

Each control has to map to an actual known attack

Some Explanation

2: it's like pivoting, using a compromised machine to get access to other machines on the same network.

An example of that is the Blackhole Exploit Toolkit (BET).

Defenses

Devise a list of authorized software. This list should be monitored by file-integrity checking tools.

Deploy application whitelisting

Deploy software-inventory tools covering each of the OS types in use, including servers, workstations and laptops.

Virtual Machines or Air-gapped system
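An added example (not from the course notes) that ties the two points above together: the configuration-management requirement of a baseline plus a way to detect changes to it, and the authorized-software list monitored by file-integrity checking. Baseline, current snapshot and allow-list are constructed in memory as path-to-SHA-256 mappings; the directory walker shows how a real snapshot would be taken.

```python
import hashlib
import os


def digest(data: bytes) -> str:
    """SHA-256 hex digest used as the file's fingerprint."""
    return hashlib.sha256(data).hexdigest()


def snapshot_dir(root: str) -> dict:
    """Take a live snapshot: relative path -> digest for every file under root.
    This is how the baseline document and each later check would be produced."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = digest(fh.read())
    return snap


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Detect when a change occurs to the baseline: files that appeared,
    disappeared, or whose content no longer matches the recorded digest."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def unauthorized(current: dict, allowlist: set) -> list:
    """Application allow-listing check: paths whose digest is not on the
    authorized-software list, whatever their file name claims to be."""
    return sorted(p for p, d in current.items() if d not in allowlist)


# Constructed sample data: the baseline taken at build time, and a later scan.
BASELINE = {
    "bin/backup.sh": digest(b"#!/bin/sh\nrsync -a /data /backup\n"),
    "etc/sshd_config": digest(b"PermitRootLogin no\n"),
    "bin/report": digest(b"report-v1"),
}
CURRENT = {
    "bin/backup.sh": digest(b"#!/bin/sh\nrsync -a /data /backup\necho done\n"),
    "etc/sshd_config": digest(b"PermitRootLogin no\n"),
    "tmp/unknown.bin": digest(b"not on any list"),
}
ALLOWLIST = set(BASELINE.values())
```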

Core Evaluation Tests

One or two tests that could be performed for each of the critical controls, which
would help the evaluation team determine whether or not the defined business
goal of the control has been met.

You likely will not pass all the tests the first time you try; the goal
is to reduce the organization's risk level.

Effectiveness Measures

These measures help the organization to measure themselves in light of the core evaluation tests.

Two different Measure Types:

Boolean: Do you have this capability?

Timing based: How long does something take to occur?

These are measures we believe you can use to automatically collect information from your
security sensors to give you a better perspective on the risk your organization
faces.

These are automation measures that we believe organizations should consider implementing as a part of an initial measures program.

The Critical Security Controls create the framework for meeting these challenges.

Malicious Code and Exploit Mitigation

Mitnick-Shimomura
The Mitnick attack is historic and can teach us a lot about modern-day security and
provide us with the key lessons learned.

Shimomura is the one who got hacked, and he was a security researcher 🙂.

Mitnick was able to do a DoS attack via SYN flooding, then he silenced
one of the trusted machines and spoofed its IP address to gain
access to the desired computer. From this system, Mitnick could
obtain the files he wanted.

The story of this attack is quite interesting, and Shimomura wrote a book about it called
“Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted
Computer Outlaw”.

Some defences that Shimomura could have used:

Patching Systems

Hardening the system: Disabling unused services

Using a network vulnerability scanner

Host-Based Intrusion Detection (HIDS)

Network-Based Intrusion Detection System (NIDS)

Firewalls

APT (Advanced Persistent Threat)

If we do not understand the threats that we face, we cannot
properly remediate the vulnerabilities that really matter.

With APT the game has changed, and the question you have to ask is: do you know
the rules of the new game?

Offense must inform the defense

The only way to protect yourself 100% is to turn off your computer.

The next photo is funny 🙂

If you are wondering how to schedule your computer to turn on remotely or at specific times: look at this article.

The primary goal of an APT is long-term occupation for data mining and malicious activities, to
ensure future use.

APT Requires New approach to Defense:

Constant Aggressor.

Organization

Technology

APTs are different from other traditional threats in being:

1. Persistent (Targeted)

2. Advanced

APT Exploitation Process

There is no technology that will make you secure. Every technology
has a purpose and works well for the purpose it was designed for,
but no technology will be effective for all types of threats.

Common Defense Model

Anti-Virus

Firewalls

IPS/ IDS

Email Filters

There are two primary design components of traditional security solutions:

Signature based

Payload Analysis

Today's adversary uses unique code for each attack, so the signature will be
different each time they launch the attack. Even if the same exploit is needed, they
will use obfuscation techniques and re-compile the code, which will no longer
contain the original signature.

Also, if the payload is encrypted, it will go through the security defenses
undetected unless you have other techniques to detect it.

APT Remediation

Once the critical data is identified, a plan of attack known as an assessment strategy needs to be developed. At this stage, it is important to make sure you
have the proper resources (both people and tools) to properly assess and
identify exposure points.

Part of the remediation plan has to involve forensics and cleaning up the
system.

It's always important to prioritize your assets. One of the challenges is that
organizations try to do too much and end up doing very little. So you have to
focus on the critical assets …

Purpose of Some Attacks

Confidentiality attacks: the attacker increases the value of the information to themselves, as they can benefit from it, like:

Intelligence

Theft: software, information, physical.

Fraud

Perception management

Decrease integrity: decrease value to the defense

Tamper, penetrate, fabricate

Decrease availability

Theft, DoS, sabotage, ransomware

Book to read: Malcolm Gladwell's “The Tipping Point: How Little Things Can Make a Big Difference”.
