cybersecurity network defense & enterprise … · cybersecurity network defense &...

CYBERSECURITY NETWORK

DEFENSE & ENTERPRISE

SECURITY GUIDELINES

Ivan V. S 2017

Abstract This document contains information regarding various cybersecurity conepts:

Section I: Info-Sec Core Concepts, Casing the Establishment, Endpoint & Server Hacking,

Infrastructure Hacking, Application & Data Hacking, Countermeasures, Appendix.

Section II: Enterprise Security Architecture, Risk Management Framework, Access Control & Identify Management, Asset Security Framework, Cryptography Framework.

CYBERSECURITY NETWORK DEFENSE & ENTERPRISE GUIDELINES

IVAN V. S Page | 1

Contents SECTION 1 .............................................................................................................................................. 3

Part I: Casing the Establishment ............................................................................................................ 3

1. Footprinting ................................................................................................................................... 3

2. Scanning ........................................................................................................................................ 4

3. Enumeration .................................................................................................................................. 4

Part II: Endpoint & Server Hacking ........................................................................................................ 5

4. Hacking Windows ......................................................................................................................... 5

5. Hacking UNIX ............................................................................................................................... 8

6. Cybercrime & Advanced Persistent Threats ............................................................................. 9

Part III: Infrastructure Hacking .............................................................................................................. 12

7. Remote Connectivity & VOIP Hacking .................................................................................... 12

8. Wireless Hacking ........................................................................................................................ 15

Part IV: Application & Data Hacking .................................................................................................... 15

9. Web & Database Hacking ......................................................................................................... 15

10. General Network Defense Strategy ..................................................................................... 18

1. MASTERING SECURITY BASICS .............................................................................................. 19

1.1 Confidentiality ............................................................................................................................... 19

1.2 Integrity ......................................................................................................................................... 20

1.3 Availability ..................................................................................................................................... 20

2. EXPLORING CONTROL TYPES & METHODS ............................................................................ 24

2.1 Controls Concepts ....................................................................................................................... 24

2.2 Control Types & Methods Overview.......................................................................................... 26

3. UNDERSTANDING BASIC NETWORK SECURITY .................................................................... 28

3.1 Network Security Overview ........................................................................................................ 28

3.2 OSI Model ..................................................................................................................................... 30

4. SECURING THE NETWORK ........................................................................................................... 30

4.1 Network Defense Concepts........................................................................................................ 30

5. SECURING HOSTS & DATA ........................................................................................................... 33

5.1 Host & Data Defense Concepts ................................................................................................. 33

6. UNDERSTANDING MALWARE & SOCIAL ENGINEERING ...................................................... 34

6.1 Understanding malware types ................................................................................................... 34

6.2 Recognizing common attacks .................................................................................................... 35


IVAN V. S Page | 2

6.3 Blocking malware and other attacks ......................................................................................... 35

7. IDENTIFYING ADVANCED ATTACKS .......................................................................................... 36

7.1 Comparing common attacks ...................................................................................................... 36

7.2 Identifying application attacks .................................................................................................... 37

7.3 identifying application attacks .................................................................................................... 37

8. MANAGING RISK .............................................................................................................................. 38

8.1 Identifying risk .............................................................................................................................. 38

8.2 Checking for vulnerabilities ........................................................................................................ 38

8.3 Identifying security tools ............................................................................................................. 39

9. PREPARING FOR BUSINESS CONTINUITY ............................................................................... 39

9.1 Adding redundancy ..................................................................................................................... 39

9.2 Protecting data with backups ..................................................................................................... 40

9.3 Comparing business continuity elements ................................................................................. 40

9.4 Implementing environmental controls ....................................................................................... 40

10. UNDERSTANDING CRYPTOGRAPHY ....................................................................................... 41

10.1 Providing integrity with hashing ............................................................................................... 41

10.2 Providing confidentiality with encryption ................................................................................. 41

10.3 Using cryptographic protocols ................................................................................................. 42

10.4 Exploring PKI concepts............................................................................................................. 43

11. EXPLORING OPERATIONAL SECURITY .................................................................................. 43

11.1 Exploring security policies ........................................................................................................ 43

11.2 Responding to incidents ........................................................................................................... 44

11.3 Raising security awareness ..................................................................................................... 45

SECTION 2 ................................................................................................................................................. 46

I. ENTERPRISE SECURITY ARCHITECTURE: ............................................................................................ 46

II. RISK MANAGEMENT FRAMEWORK: .................................................................................................. 58

III. ACCESS CONTROL & IDENTITY MANAGEMENT: ............................................................................ 79

IV. ASSET SECURITY FRAMEWORK ..................................................................................................... 85

V. CRYPTOGRAPHY FRAMEWORK: ........................................................................................................ 87


IVAN V. S Page | 3

SECTION 1

Part I: Casing the Establishment ____________________________________________________________________________

1. Footprinting

What is footprinting?

• Gathering information about your target. Scoping the target interest to understand

everything there is to know about that target and how it interrelates with everything

around it, often without sending a single packet to your target.

Table 1-1: Tasty footprinting nuggets that attackers can identify

Technology Identities

Internet

Domain Names

Network blocks and subnets

Specific IP addresses of systems reachable via internet

TCP & UDP services running on each system identified

System architecture (i.e. Sparc vs. x86)

Access control mechanisms and related access control lists (ACLs)

Intrusion-detection systems (IDSs)

System enumeration (user and group names, system banners, routing tables, and SNMP information)

DNS host names

Intranet

Networking protocols in use (i.e. IP, IPX, DecNET, etc.)

Internal domain names

Network blocks

Specific IP addresses of systems reachable via the internet


System architecture (i.e. Sparc vs. x86)

Access control mechanisms and related access control lists

Intrusion-detection systems

System enumeration (user and group names, system banners, routing tables, and SNMP information)

Remote Access

Analog/digital telephone numbers

Remote system type

Authentication mechanisms

VPNs and related protocols (IPsec and PPTP)

Extranet

Domain names

Connection origination and destination

Type of connection

Access control mechanism

Why is footprinting necessary?


IVAN V. S Page | 4

• It gives you a picture of what the hacker sees. If you know what they see, you know what

potential security exposures you have in your environment. When you know the

exposures, you can then prevent exploitation.

Basic Internet Footprinting Methodology:

1. Determine the scope of your activities

2. Get proper authorization

3. Publicly available information

4. WHOIS & DNS enumeration

5. DNS interrogation

6. Network reconnaissance

It is important to remember to minimize the amount and type of information leaked by your

internet presence and to implement vigilant monitoring.

____________________________________________________________________________

2. Scanning

What is scanning?

• If footprinting is the equivalent of casing a place for information, then scanning is

equivalent to inspecting the walls for doors and windows as potential entry points.

Scan Technique

Determining if the System is

Alive

ARP Host Discovery

ICMP Host Discovery

TCP/UDP Host Discovery


Determining Which Services are Running or

Listening

TCP connect scan

TCP SYN scan

TCP FIN scan

TCP Xmas Tree scan

TCP Null scan

TCP ACK scan

TCP Windows scan

TCP RPC scan

UDP Scan

Detecting the Operating System

Making guesses from available ports

Active stack fingerprinting

Passive stack fingerprinting

LEARN NMAP -- https://nmap.org/

Learn how to manage scan data with Metasploit -- https://www.metasploit.com/

____________________________________________________________________________

3. Enumeration

https://nmap.org/

https://www.metasploit.com/


IVAN V. S Page | 5

What is enumeration?

• Enumeration involves active connections to systems and directed queries, it is very

intrusive. Enumeration techniques tend to be platform-specific and are, therefore, very

dependent on information gathered from scanning.

Use NMAP for scans, use tools like Nessus for vulnerabilities --

https://www.tenable.com/products/nessus-vulnerability-scanner

Be aware of:

Risk Description

Fundamental OS Architectures

Windows NT Family’s SMB underpinnings make it easy to elicit user credentials, file-system exports, and application info. Lock down NT and its progeny by disabling or restricting access to TCP 139 and 445 and setting RestrictAnonymous (or the related Network Access settings).

SNMP

Designed to yield as much information as possible to enterprise management suites, improperly configured SNMP agents that use default community string such as “public” can give out this data to unauthorized users.

Leaky OS Services

Finger and rpcbind are good examples of programs that give away way too much information. Disable programs such as finger, user secure implementations of RPC of TCP wrappers, and find out from vendors how to turn off those banners.

Custom Applications

Test your custom apps, audit their design and implementation, keep up to date with newest web hacks – use OWASP

Firewalls

Many of the sources of those leaks can be screened at the firewall. Having a firewall isn’t an excuse for not patching holes directly on the machine in question, but it goes a long way toward reducing the risk of exploitation.

Part II: Endpoint & Server Hacking ____________________________________________________________________________

4. Hacking Windows Unauthenticated Attacks:

• Authentication spoofing: The primary gatekeeper of access to Windows systems is the

frail password. Common brute-force/dictionary password guessing and man-in-the-

middle authentication spoofing remain real threats to Windows networks.

• Network services: Modern tools make it point-click-exploit easy to penetrate vulnerable

services that listen on the network.

• Client vulnerabilities: Client software like Internet Explorer, Outlook, Office, Adobe

Acrobat Reader, and others have all come under harsh scrutiny from attackers looking

for direct access to end-user data.

• Device drivers: Ongoing research continues to expose new attack surfaces where the

operating system parses raw data from devices like wireless network interfaces, USB

memory sticks, and inserted media like CD-ROM disks.

(Protect these avenues of entry to make your Windows system more secure.)

https://www.tenable.com/products/nessus-vulnerability-scanner


IVAN V. S Page | 6

Spoofing Countermeasures:

• Use a network firewall to restrict access to potentially vulnerable services (such as SMB

on TCP 139 and 445, MSRPC on TCP 135, and TS on TCP 3389).

• Use the host-resident Windows Firewall to restrict access to services.

• Disable unnecessary services (be especially wary of SMB on TCP 139 and 445).

• Enforce the use of strong passwords using policy.

• Set an account-lockout threshold and ensure that it applies to the built-in Administrator

account.

• Log account logon failures and regularly review Event Logs.

Windows Authentication Sniffing Countermeasures:

• The key to disabling LM response attacks is to disable LM authentication. If you can

prevent the LM response from crossing the wire, you will have blocked this attack vector

entirely.

• For Kerberos attacks: use the PKINIT preauthentication method, which uses public keys

rather than passwords and so does not succumb to eavesdropping attacks.

• For Kerberos: use the built-in Windows IPSec implementation to authenticate and

encrypt traffic.

Man in the Middle (MITM) Countermeasures:

• Basic network communications and security fundamentals can help to protect against

MITM attacks. The use of authenticated and encrypted communications can mitigate

against rogue clients or servers inserting themselves into a legitimate communications

stream.

Pass-the-hash Countermeasures:

• The pass-the-hash technique is inherent to the NTLM authentication protocol; all

services using this authentication method (SMB, FTP, HTTP, etc.) are vulnerable to this

attack.

• Using two-factor authentication might help.

Network Service Exploit Countermeasures:

• Test and apply the patch as soon as possible

• In the meantime, test and implement any available workarounds, such as blocking

access to and/or disabling the vulnerable remote service.

• Enable logging and monitoring to identify vulnerable systems and potential attacks, and

establish an incident response plan.

End-User Application Countermeasures:

• Deploy a firewall, ideally one that can also manage outbound connection attempts.

• Keep up to date on all relevant software security patches.

• Run antivirus (AV) software that automatically scans your system and keeps itself

updated.

• Run with least privilege.

• Administrators of large networks of Windows systems should deploy the preceding

technologies at key network choke points (that is, network-based firewalls in addition to

host-based firewalls, antivirus on mail server, and so on) to protect large numbers of

users more efficiently.


IVAN V. S Page | 7

• Read e-mail in plain text.

• Configure office productivity programs as securely as possible.

• Don’t be gullible. Approach browsing with high skepticism. Don’t click links in emails

from untrusted sources!

• Keep your computing devices physically secure.

Driver Exploit Countermeasures:

• Apply vendor patches ASAP.

• Disable the affected functionality (device) in high-risk environments.

Preventing Privilege Escalation:

• Maintain appropriate patch levels for Windows systems.

Pwdump Countermeasures:

• If DLL injection still works on Windows, there is no defense against pwdump derivatives.

Administrator-equivalent privileges are needed to execute this.

Password Cracking Countermeasures:

• Can’t contain the user’s account name or parts of the user’s full name that exceed two

consecutive characters.

• Must be at least eight characters in length

• Must contain characters from three of the following four categories:

o English uppercase characters (A – Z)

o English lowercase characters (A – Z)

o Base 10 digits (0 – 9)

o Nonalphabetic characters (i.e. #, $, %, ^, &)

Password Cache Dumping Countermeasures:

• The best defense against lsadump2 and similar cache-dumping tools is to avoid getting

Admin-ed in the first place. By enforcing sensible policies about who gains admin access

to systems in your organization, you can rest easier.

Dumping Hashes Stored in Memory Countermeasures:

• Keep ALL security members of the Windows domain up to date.

Alternate Data Streams (ADS) Countermeasure:

• One tool for ferreting out NTFS file streams in Foundstone’s sfind, which is part of the

Forensic Toolkit v2.0 available at www.foundstone.com.

Windows Hardening Overview:

• The Center for Internet Security (CIS) offers free Microsoft security configuration

benchmarks and scoring tools for download – www.cisecurity.org.

• Keep up to date with new Microsoft security tools and best practices available at

www.microsoft.com/security.

• Don’t forget exposures from other installed Microsoft products within your environment;

for example, see www.sqlsecurity.com for great info on SQL vulnerabilities.

• Remember that applications are often far more vulnerable than the OS – especially

modern, stateless, web-based apps.

http://www.foundstone.com/

http://www.cisecurity.org/

http://www.microsoft.com/security

http://www.sqlsecurity.com/


IVAN V. S Page | 8

• Minimalism = higher security. If nothing exists to attack, attackers have no way getting

in. Disable all unnecessary services by using services.msc. For those services that are

necessary, configure them securely (for example, disable unused ISAPI extension in

IIS).

• If file and print services are not necessary, disable SMB.

• Use the Windows Firewall to block access to any other listening ports except the bare

minimum needed for function.

• Protect Internet-facing servers with network firewalls or routers.

• Keep up to date with all recent service packs and security patches.

• Limit interactive logon privileges to stop privilege-escalation attacks before they even get

started.

• Use Group Policy (gpedit.msc) to help create and distribute secure configurations

throughout your Windows environment.

• Enforce a strong policy of physical security to protect against offline attacks

.____________________________________________________________________________

5. Hacking UNIX UNIX is a complex system that requires much thought to implement adequate security

measures. The sheer power and elegance that make UNIX so popular are also its greatest

security weaknesses. Myriad remote and local exploitation techniques may allow attackers to

subvert the security of even the most hardened UNIX systems. Buffer overflow conditions are

discovered daily. Insecure coding practices abound, whereas adequate tools to monitor such

nefarious activities are outdated in a matter of weeks. The table below contains some tools that

can help:

Name Operating System

Location Description

Solaris 10 Security

Solaris www.Nsa.gov/ia/_files/os/sunsol_10/s10-cis-appendix-v1.1.pdf

Highlights the various security features available in Solaris 10

Practical Solaris Security

Solaris www.opensolaris.org/os/community/security/files/nsa-rebl-solaris.pdf

A guide to help lock down Solaris

Solaris Security Toolkit

Solaris www.docs.oracle.com/cd/E19056-01/sec.tk42/819-1402-10/819-1402-10.pdf

A collection of programs to help secure and audit Solaris

AIX Security Redbook

AIX www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf

Extensive resource for securing AIX systems

OpenBSD Security

OpenBSD www.openbsd.org/security.html

OpenBSD security features and advisories

Security-Enhanced Linux

Linux www.nsa.gov/research/selinux/

Enhanced Linux security architecture developed by NSA

CERT UNIX Configuration

Guidelines

General www.cert.org/tech_tips/unix_configuration_guidelines.html

A handy UNIX security checklist

http://www.nsa.gov/ia/_files/os/sunsol_10/s10-cis-appendix-v1.1.pdf

http://www.nsa.gov/ia/_files/os/sunsol_10/s10-cis-appendix-v1.1.pdf

http://www.opensolaris.org/os/community/security/files/nsa-rebl-solaris.pdf



http://www.docs.oracle.com/cd/E19056-01/sec.tk42/819-1402-10/819-1402-10.pdf



http://www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf

http://www.redbooks.ibm.com/redbooks/pdfs/sg247430.pdf

http://www.openbsd.org/security.html

http://www.nsa.gov/research/selinux/

http://www.cert.org/tech_tips/unix_configuration_guidelines.html

http://www.cert.org/tech_tips/unix_configuration_guidelines.html


IVAN V. S Page | 9

SANS Top 25 Vulnerabilities

General www.sans.org/top25 A list of the most commonly exploited vulnerable services

“Secure Programming for Linux and Unix HOWTO,” by

David A. Wheeler

General www.dwheeler.com/secure-programs

Tips on security design principles, programming methods, and testing

____________________________________________________________________________

6. Cybercrime & Advanced Persistent Threats

What is an APT?

• Advanced Persistent Threat was created by analysts in the US Air Force in 2006. It

described three aspects of attackers that represent their profile, intent, and structure:

o Advanced: The attacker is fluent with cyber-intrusion methods and

administrative techniques and is capable of crafting custom exploits and tools.

o Persistent: The attacker has a long-term objective and works to achieve his or

her goals without detection.

o Threat: The attacker is organized, funded, motivated, and has ubiquitous

opportunity.

APTs involve multiple phases that leave artifacts:

1. Targeting: attackers collect info about the target from public or private sources and test

methods that may help permit access. This may include vulnerability scanning (such as

APPSEC testing and DDoS attacks), social engineering, and spear-phishing. The target

may be specific or may be an affiliate/partner that can provide collateral access through

business networks.

2. Access/Compromise: Attackers gain access and determine the most efficient or

effective methods of exploiting the information systems and security posture of the target

organization. This includes ascertaining the compromised host’s identifying data (IP

address, DNS, enumerated NetBIOS shares, DNS/DHCP server addresses, O/S, etc.)

as well as collecting credentials or profile information where possible to facilitate

additional compromises. Attackers may attempt to obfuscate their intentions by installing

rogue ware or another malware.

3. Reconnaissance: Attackers enumerate network shares, discover the network

architecture, name service, domain controllers, and test service and administrative rights

to access other systems and applications. They may attempt to compromise Active

Directory accounts or local administrative accounts with shared domain privileges.

Attackers often attempt to hide activities by turning off AV and system logging (which

can be a useful indicator of compromise).

4. Lateral Movement: Once attackers have determined methods of traversing systems

with suitable credentials and have identified targets (of opportunity or intent), they will

conduct lateral movement through the network to other hosts. This activity often does

not involve the use of malware or tools other than those already supplied by the

compromised host operating systems such as command shells, NetBIOS commands,

Windows Terminal Services, VNC, or other similar tools utilized by network

administrators.

http://www.sans.org/top25

http://www.dwheeler.com/secure-programs

http://www.dwheeler.com/secure-programs


IVAN V. S Page | 10

5. Data Collection & Exfiltration: Attackers are after information, whether for further

targeting, maintenance, or data that serves their other purposes – accessing and

stealing information. Attackers often establish collection points and exfiltrate the data via

proxied network cut-outs, or utilize custom encryption techniques (and malware) to

obfuscate the data files and related exfiltration communications. In many cases,

attackers have utilized existing backup software or other administrative tools used by the

compromised organization’s own network and systems admins. The exfiltration of data

may be “drip fed” or “fire hosed” out, the technique depending on the attackers’

perception of the organization’s ability to recognize the data loss or the attackers’ need

to exfiltrate the data quickly.

6. Administration & Maintenance: Another goal of an APT is to maintain access over

time. This requires administration and maintenance of tools (malware and potentially

unwanted/useful programs such as SysInternals) and credentials. Attackers will

establish multiple methods of accessing the network of compromised hosts remotely and

build flags or triggers to alert them of changes to their compromised architecture, so they

can perform maintenance actions (such as new targeting or compromises, or “red

herring” malware attacks to distract the organization’s staff). Attackers usually attempt to

advance their access methods to most closely reflect standard user profiles, rather than

continuing to rely upon select tools or malware.

Indicators of a Compromise:

Malware, whether used by APTs or in “normal” situations, wants to survive a reboot. To

do this, the malware can use several mechanisms, including:

• Using various “Run” registry keys

• Creating a service

• Hooking into an existing service

• Using a scheduled task

• Disguising communications as valid traffic

• Overwriting the master boot record

• Overwriting the system’s BIOS

When investigating, or conducting forensics, utilize proper order of volatility:

• Memory

• Page or swap file

• Running process information

• Network data such as listening port or existing connections to other systems

• System registry (if applicable)

• System or application logs

• Forensic image of disk(s)

• Backup media

When investigating, or conducting forensics, utilize a proper kit of tools. Examples

include:

• AccessData FTK Imager

• Sysinternals Autoruns

• Sysinternals Process Explorer

• Sysinternals Process Monitor


IVAN V. S Page | 11

• WinMerge

• Currports

• Sysinternals Vnmap

Common APT Indicators

✓ Networking communications utilizing SQL or private encryption methods, or sending and receiving base64-encoded strings

✓ Services registered to Windows NETSVCS keys and corresponding to files in the %SYSTEM% folder with DLL or EXE extensions and similar filenames as valid Windows files

✓ Copies of CMD.EXE as SVCHOST.EXE or other filenames in the %TEMP% folder

✓ LNK files referencing executable files that no longer exist

✓ RDP files referencing external IP addresses

✓ Windows Security Event Log entries of Types 3, 8, and 10 logons with external IP addresses or computer names that do not match organizational naming conventions

✓ Windows Application Event Log entries of antivirus and firewall stop and restart

✓ Web server error and HTTP log entries of services starting / stopping, administrative or local host logons, file transfers, and connection patterns with select addresses

✓ Antivirus/system logs of C:/ , C:/TEMP, or other protected areas of attempted file creations

✓ PWS, Generic Downloader, or Generic Dropper antivirus detections

✓ Anomalous .bash_history, /var/logs, and service configuration entries

✓ Inconsistent file system timestamps for operating system binaries

APT Detection:

Key detection technologies can help identify and combat these types of attacks,

including the following:


IVAN V. S Page | 12

Summary:

APT is the most dangerous type of cyber threat today. APTs provide ongoing access to

protected institutional information. Such quiet yet dangerous intrusions are not limited in their

scope. They can affect any company, government body, or nation, regardless of sector or

geography.

Part III: Infrastructure Hacking ____________________________________________________________________________

7. Remote Connectivity & VOIP Hacking Dial-up & PBX Security Measures

1. Inventory existing in dial-up lines. Note unauthorized dial=up connectivity and snuff it out by whatever means possible. Additionally, consult whoever is responsible for paying the phone bill; this could give you an idea of your footprint.

2. Consolidate all dial-up connectivity to a central modem bank, position the central bank as an untrusted connection off the internal network (that is, a DMZ), and use IDS and a firewall to limit and monitor connections to trusted subnets.

3. Make analog lines harder to find. Don’t put them in the same range as the corporate numbers, and don’t give out the phone numbers on the InterNIC registration for your domain name. Password protect phone company account info.

4. Verify that telecommunications equipment closets are physically secure. Many companies keep phone lines in unlocked closets in publicly exposed areas.

Endpoint security products, including AVs, HIPS, and file

system integrity checking

File system audting products for change

and control and auditing

Network intelligence/defense

products such as intrusion

detection/prevention systems

Network monitoring products for web gateway/filtering,

such as SNORT/TCPDUMP

Security Information/Events

Management products with

correlation and reporting databases


IVAN V. S Page | 13

5. Regularly monitor existing log features within your dial-up software. Look for failed login attempts, late-night activity, and unusual page patterns. Use Caller ID to store all incoming phone numbers.

6. Important! For lines that are serving a business purpose, do not disclose any identifying information such as company name, location, or industry. Additionally, ensure that the banner contains a warning about consent to monitoring and prosecution for unauthorized use. Have these statements reviewed by legal to be sure that the banner provides th3e maximum protection afforded by state, local, and federal laws.

7. Require multifactor authentication systems for all remote access. Multifactor authentication requires users to produce at least two pieces of information – usually something they have and something they know – to obtain access to the system.

8. Require dial-block authentication. Dial-block means that the remote access system is configured to hang up on any caller and then immediately connect to a predetermined number (where the original caller is presumably located). For better security, use a separate modem pool for the dial-back capability and deny inbound access to those modems (using the modem hardware or the phone system itself).

9. Ensure that the corporate help desk is aware of the sensitivity of giving out or resetting remote access credentials. All the preceding security measures can be negated by one eager new hire in the corporate support division.

10. Centralize the provisioning of dial-up connectivity – from faxes to voicemail systems – within one security-aware department in your organization.

11. Establish firm policies for the working of this central division, such that provisioning any new access requires extreme scrutiny. For those who can justify it, use the corporate communications switch to restrict inbound dialing on that line if all that is require is outbound faxing, etc. Get management buy-in on this policy, and make sure the have the teeth to enforce it. Otherwise, go back to step 1 and show them how many holes a simple war dialing exercise will dig up.

12. Go back to step 1. Elegantly worded policies are great, but the only way to be sure that someone isn’t circumventing them is to wardial on a regular basis. We recommend at least every six months for firms with 10,000 phone lines or more, but it wouldn’t hurt to do it more often than that.

Brute-Force Voicemail Hacking Countermeasures:

• Deploy strong security measures on your voicemail system. Deploy a lockout on failed

attempts. Log connections to the voicemail system and watch an unusual number of

repeated attempts.

DISA Hacking Countermeasures:

• If you need DISA, work with the PBX vendor to ensure that DISA is configured with

strong passwords and all default credentials are removed. Enforce a minimum of 6-digit

authentication PINs, do not allow trivial PINs, and define a lockout for accounts of no

more than 6 incorrect attempts.

VPNs:

Google Hacking for VPN Countermeasures:

• The best mechanism is user awareness. Those in charge of publishing web content

should understand the risks associated with putting anything on the internet. Do annual

checkups to search for sensitive information on their websites.


IVAN V. S Page | 14

Probing IPSec VPN Countermeasures:

• You can’t do much to prevent these attacks, especially when you’re offering remote

access IPSec VPN connectivity to users over the internet. Access control lists can be

used to restrict access to VPN gateways providing site-to-site connectivity, but for client-

to-site deployments, this is not feasible as clients often originate from various source IP

addresses that constantly change.

IKE Aggressive Mode Countermeasures:

• The best countermeasure is to discontinue its use. Alternative mitigating controls include

a token-based authentication scheme, which doesn’t patch the issue but makes it

impossible for an attacker to connect to the VPN after the key is cracked, as the key has

changed by the time the attacker breaks it.

Citrix Hacking Countermeasures:

• Ask these questions:

o Can you count the number of users on one hand?

o Do you know them all by name?

o Do you trust them implicitly with a shell on the inside of your network?

• If any of these questions is a NO, you must assess your Citrix environment.

VoIP Attacks:

SIP Scanning Countermeasures:

• Not much you can do against SIP scanning. Network segmentation between the VoIP

network and the user access segments should be in place to prevent direct attacks

against SIP systems; however, once an attacker has access to this segment, they can

scan it for SIP devices.

Pillaging TFTP Countermeasures:

• One method to help secure TFTP is to implement access restrictions at the network

layer. By configuring the TFTP server to accept connections only from known static IP

addresses assigned to VoIP phones, you can effectively control who can access the

TFTP server and thus help mitigate the risk of this attack. Some controls to consider are:

o Disable access to the settings menu on the devices.

o Disable the web server on IP phones.

o Use signed configuration files to prevent configuration manipulation.

VoIP Enumeration Countermeasures:

• Until all software developers settle on a proper way to deal with unexpected requests,

SIP enumeration techniques will always be around. Security engineers and architects

must constantly promote “defense in depth” by segmenting VoIP and user networks and

by placing IDS/IPS systems in strategic areas to detect and prevent these attacks.

Remote Access Security SUMMARY:

• Password policy. Considering requiring two-factor authentication, such as smartcards or

hardware tokens, before granting access from outside your network.

• Develop a policy for provisioning any type of remote access within your organization and

audit compliance regularly with war dialing and other assessments.

• Find and eliminate unsanctioned use of remote control software (such as PCAnywhere)

throughout the organization. The use of PCAnywhere should be reevaluated particularly


IVAN V. S Page | 15

due to the theft of its source code, which gives the attackers the ability to find bugs in the

application that they may not have found without it.

• Be aware that modems aren’t the only thing that hackers can exploit over POTS lines –

PBXes, fax servers, voicemail systems, and the like, can be abused to the tune of

millions of dollars in long-distance charges and other losses.

• Educate support personnel and end users alike to the extreme sensitivity of remote

access credentials so they are not vulnerable to social-engineering attacks. Remote

callers to the help desk should be required to provide some other form of identification,

such as personnel number, to receive any support for remote access issues.

• For all their glitter, VPNs appear vulnerable to many of the same flaws and frailties that

have existed in other “secure” technologies over the years. Be extremely skeptical of

vendor security claims and develop a strict use policy and audit compliance.

____________________________________________________________________________

8. Wireless Hacking Wireless gateways and multilayered encryption schemas have proved to be the best defenses

for the plethora of tools currently floating around the Internet for attacking 802.11 WLANs.

Ironically, wireless tech appears to be vastly different from other communication mediums;

however, the industry model for layering security via multiple authentication and encryption

schemas holds true. Here is a selection of excellent Internet-based resources if you choose to

do more research into wireless tech:

• www.standards.ieee.org/getieee802 : The IEEE designs and publishes the standard for

802.11 wireless transceivers, band usage (in cooperation with the FCC), and general

protocol specifications.

• www.bwrc.eecs.berkeley.edu : The Berkeley Wireless Research Center (BWRC) is an

excellent source for additional information on future communication devices and wireless

technologies, especially those devices with high-integrated CMOS implementations and

low-power consumption.

• www.l-com.com : L-com distributes wireless equipment from a wide variety of

manufacturers, in addition to its own line of 2.4-GHz amplifiers that can be used for long-

range transmitting or cracking.

• www.drizzle.com/~aboda/IEEE : The unofficial 802.11 Security Web Page has links to

most of the 802.11 security papers as well as many general 802.11 links.

• www.airfart.sourceforge.net/ : Airfart is an excellent tool for viewing and analyzing, in

real time, wireless access points and wireless card packets.

• www.hpl.hp.com/personal/Jean_Thourrilhes/Linux/Tools.html : Hewlett-Packard

sponsors this page full of Linux wireless tools and research reports. It is an excellent

source for all things Linux.

• www.wifi-plus.com : WiFi-Plus specializes in high-end antenna designs and sales, with a

collection of antennas with ranged exceeding half a mile.

Part IV: Application & Data Hacking ____________________________________________________________________________

9. Web & Database Hacking

http://www.standards.ieee.org/getieee802

http://www.bwrc.eecs.berkeley.edu/

http://www.l-com.com/

http://www.drizzle.com/~aboda/IEEE

http://www.airfart.sourceforge.net/

http://www.hpl.hp.com/personal/Jean_Thourrilhes/Linux/Tools.html

http://www.wifi-plus.com/


IVAN V. S Page | 16

Typical Web Application Attack/Analysis Framework:

Tools to use for web application analysis:

• Cookie Cruncher

• Encoders/decoders

• HTTP Editor

• Regular Expressions Editor

• Server Analyzer

• SOAP Editor

• SQL Injector

• Web Brute

• Web Discovery

• Web Form Editor

• Web Macro Editor

• Web Macro Recorder

• Web Fuzzer

• Web Proxy

Cross-Site Scripting (XSS) Countermeasures:

• Filter out input parameters for special characters – no web application should accept the

following characters within input if possible: < > (?) # & “.

• HTML – encode output so even if special characters are input, they appear harmless to

subsequent users of the application. Alternatively, you can simply filter special

characters in output (achieving “defense in depth”).

• If your application sets cookies, use Microsoft’s HttpOnly cookies. This can be set in the

HTTP response header. It marks cookies as “HttpOnly,” thus preventing them from being

accessed by scripts.

Authentication

Session Management

Database Interaction

Generic Input Validation

Application Logic


IVAN V. S Page | 17

• Analyze your apps for XSS vulnerabilities on a regular basis using the many tools and

techniques for web apps analysis.

SQL Injection Countermeasures:

• Use bind variables (parameterized queries)

• Perform strict input validation on any input from the client.

• Implement default error handling

• Lock down ODBC

• Lock down the database server configuration

• Use programmatic frameworks

Cross-Site Request Forgery Countermeasures:

• The key to preventing CSRF vulnerabilities is somehow tying the incoming request to the

authenticated session. What makes CSRF vulnerabilities so dangerous is the attacker

doesn’t need to know anything about the victim to carry out the attack. Once the attacker

has crafted the dangerous request, it works on any victim that has authenticated to the

website. To foil this, your web application should insert random values, tied to the

specified user’s session, into the forms it generates.

HTTP Response Splitting Countermeasures:

• The core countermeasure is solid input validation on server input.

• Consider performing output validation.

Hidden Tag Countermeasures:

• Limit the use of hidden tags to store information such as price – or at least confirm the

value before processing it.

SSI Countermeasures:

• Use a preparser script to read in any HTML file, and strip out any unauthorized SSI line

before passing it on to the server. Unless your app requires it, disable server-side

includes and similar functionality in your web server’s configuration.

Database Discovery Countermeasures:

• Never expose your databases directly to the internet.

• Segment your internal network and separate databases from other network segments by

using firewalls and configuration options such as a valid-node checking for Oracle. Allow

only a select subset of internal IP addresses to access the database.

• Run intrusion detection tools to identify network port scanning attempts.

DB Vulnerabilities & Countermeasures:

• Network Attacks:

o Segment and use layered defense.

o Apply DBMS vendor patches as soon as they are made available.

• Database Engine Bugs:

o Apply DBMS vendor patches as soon as they are made available.

o Monitor database logs for errors and audit user activity.

• Vulnerable built-in stored objects:

o Apply Patches


IVAN V. S Page | 18

o Follow the least privilege principle, make sure to revoke access to dangerous

database objects.

• Weak or Default Passwords:

o Periodically scan DBs to discover and alert users to weak and default passwords.

o Monitor application accounts for suspicious activity not originating from the

application servers.

• Misconfigurations:

o Create standards for each database platform and periodically scan your

database to discover and alert on any deviations from the standards.

• Indirect Attacks:

o Monitor and alert on suspicious privileged user’s behavior.

o Restrict what can run on the DBA system to known good programs only.

o Do not click untrusted/unknown links in your web browser from your DBA system.

o Strictly control user access to the DBA system.

• There is no service pack for custom code:

o Regularly audit your own web apps

____________________________________________________________________________

10. General Network Defense Strategy Separation of Duties:

The premise behind this strategy is to separate the operational aspects of the

countermeasure so the attacker must defeat multiple parallel factors. These are a few wars to

achieve this:

Prevent, Detect, Respond: Utilizing at least two (ideally all three) of these types of

countermeasures in parallel has been considered a fundamental of information assurance for

many years:

✓ Preventive: endpoint hardening such as host intrusion protection systems

(HIPS) software or network intrusion prevention

✓ Detective: network intrusion detection

✓ Reactive: incident response process execution

Checks & Balances: The classis separation of duties relates to the use of different

accountable personnel to perform a given task. This classic method of protection can be

beneficial and significantly reduce risk by:

✓ Preventing collusion: For example, if the detection personnel colluded with the reaction

personnel, no one would ever know an incident had occurred.

✓ Providing checks and balances: for example, using a firewall rule to prevent access to

a known vulnerable service.

Layering:

✓ Physical: physically secure servers in an access-controlled and monitored data center

facility.

✓ Network: Use firewalls or other network device access control list (ACL) mechanisms to

limit communications to only allowed service endpoints on specific hosts.

✓ Host: Utilize vulnerability management to keep service endpoint software up-to-date and

utilize host-level firewalls and antimalware.

✓ Application: Patch off-the-shelf components and identify and fix bugs in custom

components. Application firewalls.


IVAN V. S Page | 19

✓ Logical: Control access (authentication and authorization) to the application’s

capabilities and data.

Passwords:

✓ Ensure all users have a password that conforms to organizational policy.

✓ Force a password change every 30 days for privileged accounts and every 60-90 days

for normal users.

✓ Implement a minimum password length of eight characters consisting of one alpha

character, one numeric character, and one alphanumeric character.

✓ Disable services that are not used.

✓ Implement password composition tools that prohibit the user from choosing a poor

password.

✓ Don’t use the same password for every system you log into.

✓ Don’t write down your password.

✓ Don’t tell your password to others.

✓ Use one-time passwords when possible.

✓ Don’t use passwords at all. Use public key authentication

✓ Ensure that default accounts such as “setup” and “admin” do not have default

passwords.

Security Patching:

✓ Test and apply the patch as soon as possible.

✓ In the meantime, test and implement any available workarounds, such as blocking

access to and/or disabling the vulnerable remote service.

✓ Enable logging and monitoring to identify vulnerable systems and potential attacks, and

establish an incident response plan.

General Strategy:

✓ There is no such thing as 100% countermeasure effectiveness. The only way to ensure

100% security is to restrict usability 100%, which is not viable. Achieving the right

balance between these opposing goals is key.

✓ One of the key mechanisms to mitigate risk is diversification. By developing multiple,

diverse obstacles, the attacker must invest more and differently at each point, raising the

overall cost of successful attack more dramatically than with one (or many of the same

types of) countermeasure.

✓ “Keep it simple stupid”: attackers go after the low-hanging fruit and frequently move on

to easier targets when they don’t find it. Identify the obvious problems in your

environment, create simple plans to address them, and sleep better at night knowing

you’ve done your due diligence, based on empirical studies like the Verizon Data Breach

Report.

1. MASTERING SECURITY BASICS

1.1 Confidentiality Confidentiality prevents the unauthorized disclosure of data.


IVAN V. S Page | 20

1.1.1 Encryption

Encryption scrambles data to make it unreadable by unauthorized personnel.

1.1.2 Access controls

Identification: Users claim identity with a unique username.

Authentication: Users prove their identity with authentication, such as with a password.

Authorization: You can grant restrict access to resources using an authentication

method, such as permissions.

1.1.3 Steganography

The practice of hiding data within data. Ex: embed a hidden message in an image by

modifying certain bits within the file.

➢ Confidentiality ensures that data is only viewable by authorized users. The best way to

protect the confidentiality of data is by encrypting it. Access controls help to protect

confidentiality by restricting access. Steganography helps provide confidentiality by hiding

data, such as hiding text files within an image file.

1.2 Integrity Integrity provides assurances that data has not changed. This includes that no one has

modified, tampered with, or corrupted the data.

1.2.1 Hashing

Hashing verifies integrity. You can use hashing techniques to enforce integrity (MD5,

SHA-1, and HMAC). A hash is simply a number created by executing a hashing

algorithm against data, such as a file or message. Hashes are created at the source and

destination or at two different times. If the hashes are the same, integrity is maintained. If

the two hashes are different, data integrity has been lost.

Hashing doesn’t tell you what modified that data, it only tells you that the data has been

modified, with the implication that the information should not be trusted as valid.

➢ Integrity verifies the data has not been modified. Loss of integrity can occur through

unauthorized or unintended changes. Hashing algorithms such as MD5, HMAC, or SHA-1,

calculate hashes to verify integrity. A hash is simply a number created by applying the

algorithm to a file or message at different times. By comparing the hashes, you can verify

integrity has been maintained.

1.2.2 Digital signatures, certificates, and non-repudiation

A digital signature is similar in concept to a handwritten signature. Digital signatures can

verify the integrity of emails and files. Digital signatures require certificates and also

provide authentication and non-repudiation.

1.3 Availability Availability indicates that data & services are available when needed.

1.3.1 Redundancy & fault tolerance

Redundancy adds duplication to critical systems & provides fault tolerance. If a critical

component has a fault, the duplication provided by the redundancy allows the service to

continue without interruption.


IVAN V. S Page | 21

You can increase availability by adding fault tolerance & redundancies, such as RAID,

failover clusters, backups, HVAS systems, and generators.

1.3.2 Patching

Patching increases availability. Utilize patch management to stay up to date.

1.3.3 Safety

Ensure safety of both individuals and organization’s assets. You can replace things, but

you cannot replace people, so safety of people should be a top priority.

1.4 Layered security / Defense in Depth

Layered security/defense in depth refers to the security practice of implementing

several layers of protection. You can’t simply take a single action, such as implementing a

firewall or installing antivirus software, and consider yourself protected. You must implement

security at several different layers. This way, if one layer fails, you still have additional layers to

protect you. Layered security/Defense in depth combines multiple layers of security, such as a

firewall, an IDS, content filtering, and antivirus software.

1.5 Basic Risk Concepts

Reducing risk is a security goal. Risk is the possibility of likelihood of a threat exploiting

a vulnerability resulting in a loss. A threat is any circumstance or event that has the potential to

compromise confidentiality, integrity, or availability. A vulnerability is a weakness. It can be

weaknesses in the hardware, software, configuration, or even the user’s operating system.

Reducing risk is also known as risk mitigation. Risk mitigation reduces the chances that a

threat will exploit a vulnerability. You reduce risks or impact of risks by implementing security

controls (aka countermeasures and safeguards).

1.6 Exploring authentication concepts

Authentication proves an identity with some type of credential, such as a username and

password. The importance of authentication cannot be understated. You can’t have any type of

access control if you can’t identify a user. In other words, if everyone is anonymous, then

everyone has the same access to all resources. Authentication is not limited to users. Services,

processes, workstations, servers, and network devices all use authentication to prove their

identities. Many computers use mutual authentication, where both parties authenticate to each

other.

1.6.1 Comparing identification, authentication, and authorization

When users type in their usernames or email addresses, they are claiming or professing

an identity. Users then provide authentication (such as with passwords) to prove their

identity. Access control systems (authorization) authorize access to resources based on

permissions granted to the proven identity.

1.6.2 Verifying identities with identity proofing

Identity proofing is the process of verifying that people are who they claim to be prior to

issuing them credentials, or if they alter lose their credentials. An additional use of

identity proofing is with password reset or password recovery systems.

1.7 Comparing authentication factors

Authentication is often simplified as types, or factors, of authentication. The factors are:

• Something you know, such as a password or PIN


IVAN V. S Page | 22

• Something you have, such as a smart card or USB token

• Something you are, such as a fingerprint or other biometric identification

• Somewhere you are, such as your location using geolocation technologies

• Something you do, such as gestures on a touch screen

1.7.1 Something you know

The something you know authentication factor is the first factor of authentication,

typically refers to a shared secret, such as a password or even a PIN. This factor is the

least secure form of authentication. You can increase security by following these

guidelines:

• Use strong passwords

• Change passwords regularly

• Verify a user’s identify before resetting a password

• Do not reuse the same passwords

• Implement account lockout policies

• Change default passwords

• Do not write passwords down

• Do not share passwords

1.7.2 Something you have

The something you have authentication factor refers to something you can physically

hold.

Smart card requirements are an embedded certificate and a public key infrastructure

(PKI). A common access card (CAC) and personal identity verification (PIV) are a type of

smart card used by U.S. federal agencies. Smart cards are often used with dual-factor

authentication where users have something (the smart card) and know something (such

as a password or PIN).

A token or key fob is an electronic device about the size of a remote key for a car. The

token is synced with a server that knows what the number is at any moment. This

number is a one-time use, rolling password. Users often use tokens to authenticate via a

web site. They enter the number displayed in the token along with their username and

password. This provides dual-factor authentication because the use must have

something (the token) and know something (their password).

HOTP and TOTP are both open source standards used to create one-time use

passwords. HOTP creates a one-time use password that does not expire. TOTP creates

a one-time password that expires after 30 seconds.

1.7.3 Something you are

This factor of authentication is defined by biometrics, it is the strongest method

because it is the most difficult for an attacker to falsify. Biometric methods include

fingerprints, retina scans, and palm scanners.


IVAN V. S Page | 23

1.7.4 Somewhere you are

This factor identifies a user’s location. Geolocation is a group of technologies used to

identify a user’s location and is the most common method used in this factor. Many

systems use IP addresses for geolocation.

1.7.5 Something you do

This factor refers to actions you can take such as gestures on a touch screen; how you

write or how you type.

1.7.6 Dual factor & multifactor authentication

Two or more methods in the same factor of authentication (such as a PIN and a

password) is single-factor authentication. Dual-factor (or two-factor) authentication uses

two different factors such as a USB token and a PIN. Multifactor authentication uses two

or more factors.

1.8 Comparing authentication services

1.8.1 Kerberos

Kerberos is a network authentication protocol within a Microsoft Windows Active

Directory domain or a UNIX realm. It uses a database of objects such as Active

Directory and a KDC (Key Distribution Center) or TGT [ticket granting tickets] server to

issue timestamped tickets that expire after ascertain time period. Kerberos uses

symmetric-key cryptography to prevent unauthorized disclosure and ensure

confidentiality.

1.8.2 LDAP & Secure LDAP

LDAP (lightweight directory access protocol) is based on an earlier version of X.500.

Windows Active Directory domains and UNIX realms use LDAP to identify objects in

query strings with codes such as CN=Users and DC=Home. Secure LDAP encrypts with

SSL or TLS.

1.8.3 Single sign-on

Single sign-on (SSO) enhances security by requiring users to use and remember only

one set of credentials for authentication. Once signed on using SSO, this one set of

credentials is used throughout a user’s entire session. SSO can provide central

authentication against a federated database for different operating systems. SAML

(security assertion markup language) is an XML-based standard used to exchange

authentication and authorization information between different parties. SAML provides

SSO for web-based applications.

1.9 Authenticating RAS clients

Remote access service (RAS) provides access to an internal network from an outside

source. Clients access a RAS server via either dial-up or a virtual private network (VPN). Some

RAS mechanisms include:

2. PAP (password authentication protocol - PAP authentication uses a password or a PIN.

A significant weakness is that PAP sends the information across a network in clear text,

making it susceptible to sniffing attacks.

3. CHAP (challenge handshake authentication protocol) - CHAP is more secure than PAP

because passwords are not sent over the network in clear text. Both PAP & CHAP use

PPP (point-to-point protocol).


IVAN V. S Page | 24

4. MS-CHAP/ MS-CHAPv2 – Microsoft improvements of CHAP

5. RADIUS (remote authentication dial-in user service) – provides centralized

authentication.

6. Diameter – a better RADIUS, supports many additional capabilities, including securing

transmissions with EAP (extensible authentication protocol).

7. XTACACS / XTACACS+ (extended terminal access controller access-control system) –

proprietary to Cisco

1.9.1 AAA protocols

AAA protocols provide authentication, authorization, and accounting. Authentication

verifies a user’s identification. Authorization determines if a user should have access.

Accounting tracks user access with logs. RADIUS & TACACS+ are both considered AAA

protocols because they provide all three services. Kerberos does not provide any

accounting services.

2. EXPLORING CONTROL TYPES & METHODS

2.1 Controls Concepts 1. Security controls are classified as technical (implemented with technology),

management (using administrative methods), and operational (for day-to-day operations,

implemented by people).

2. Technical controls use technology to reduce vulnerabilities. Some examples include

encryption, antivirus software, IDSs, firewalls, and the principle of least privilege.

Technical physical security and environmental controls include motion detectors and fire

suppression systems.

3. Preventative controls attempt to prevent security incidents. Hardening systems

increases a systems basic configuration to prevent incidents. Security guards can

prevent unauthorized personnel from entering a secure area. Change management

processes help prevent outages from configuration changes. An account disablement

policy ensures that accounts are disabled when a use leaved the organization.

4. Detective controls attempt to detect when vulnerabilities have been exploited. Some

examples include log monitoring, trend analysis, security audits, and CCTV (closed-

circuit television) systems.

5. In the event of a fire, door access systems should allow personnel to exit the building

without any form of authentication. Access points to data centers and server rooms

should be limited to a single entrance and exit whenever possible.

6. Cipher locks require users to enter a code to gain access. It’s important to provide

training to users on the importance of keeping the code secure. This includes not giving

it out to others and preventing shoulder surfers from seeing the code when users enter

it. Cipher locks do not identify users.

7. Proximity cards are credit card-sized access cards. Users pass the ward near a

proximity card reader and the card reader then reads the data on the card. Some access

control points use proximity cards with PINs for authentication.

8. Door access systems include cipher locks, proximity cards, and biometrics. Cipher

locks do not identify users. Proximity cards can identity and authenticate users when

combined with a PIN. Biometrics can also identify and authenticate users.


IVAN V. S Page | 25

9. Tailgating is a security violation that occurs when one user follows closely behind

another user without using credentials. Mantraps allow only a single person to pass at

time. Sophisticated mantraps can identify and authenticate individuals before allowing

access.

10. Security guards are physical security controls that can protect access to restricted

areas. Security guards can be an effective deterrent to prevent tailgating. They can also

check individual’s identification against a preapproved access list.

11. Video surveillance provides reliable proof of a person’s location and activity. It can

identify who enters and exits secure areas and can record theft of assets.

12. Barricades provide stronger barriers than fences and attempt to deter attackers. Bollards

are effective barricades that can block vehicles.

13. Cable locks are effective threat deterrents for small equipment such as laptops and

some workstations. When used properly, they prevent losses due to theft of small

equipment.

14. Locking cabinets in server rooms provide an added physical security measure. A locked

cabinet prevents unauthorized access to equipment mounted in server bays.

15. Principle of least privilege is a technical control. It specifies that individuals or

processes are granted only those rights and permissions needed to perform their

assigned task or functions.

16. Group policy is implemented on a domain controller within a domain. Administrators use

it to create password policies, lock down the GUI, configure host-based firewalls, and

much more.

17. Password policies include several elements. The password history is used with the

minimum password age to prevent users from changing their password to a previously

used password. Maximum password age causes passwords to expire and requires

users to change their passwords periodically. Minimum password length specifies the

minimum number of characters in the password. Password complexity increases the key

space, or complexity, of a password by requiring more character types such as special

characters.

18. Password policies should apply to any entity using passwords. This includes user

accounts and any accounts used by services and applications. Applications using

internally developed password policies should still adhere to an organization’s password

policy.

19. An account disablement policy identifies what to do with accounts for employees who

leave permanently or on a leave of absence. Most policies require administrators to

disable the account as soon as possible, so that ex-employees cannot use the account.

Disabling the account ensures that data associated with it remains available. Security

keys associated with an account remain available when the account is disabled, but are

no longer accessible is the account is deleted.

20. Time-of-day restrictions prevent users from logging on during restricted times. It also

prevents logged-on users from accessing resources during certain times.

21. Account expiration dates automatically disable accounts on the expiration date. This is

useful for temporary accounts such as temps or contractors.

22. You can identify when a user logs on to a local system and when a user accesses a

remote system by monitoring account logon events. Configuring account logon

monitoring is an important security step for system monitoring.


IVAN V. S Page | 26

23. A role-BAC (based access control) model uses roles based on jobs and functions. A

matrix is a planning document that matches the roles with the required privileges.

24. Group-based privileges reduce the administrative workload of access management.

Administrators put user accounts into groups, and assign privileges to the groups. Users

within a group automatically inherit the privileges assigned to the group.

25. Rule-BAC is based on a set of approved instructions, such as an access control list

(ACL). Some rule-BAC systems use rules that trigger in response to an event such as

modifying ACLs after detecting an attack, or granting additional permissions to a user in

certain situations.

26. The DAC (discretionary access control) model specifies that every object has an owner,

and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC

model.

27. The MAC (mandatory access control) model uses sensitivity labels for users and data. It

is commonly used when access needs to be restricted based on a need to know.

Sensitivity labels often reflect classification levels of data and clearances granted to

individuals.

2.2 Control Types & Methods Overview

2.2.1 Understanding control types

• The three primary security control types are technical (implemented with technology),

management (using administrative methods), and operational (for day-to-day

operations).

• A technical control is one that uses technology to reduce vulnerabilities. Encryption,

antivirus software, IDSs, firewalls, and the principle of least privilege are technical

controls.

• Management controls are primarily administrative and include items such as risk and

vulnerability assessments.

• Operational controls help ensure that day-to-day operations of an organization comply

with their overall security plan. Some examples include security awareness and training,

configuration managements, and change management

• Preventive controls attempt to prevent security incidents. Examples include system

hardening, user training, guards, change management, and account disablement

policies.

• Detective controls attempt to detect when a vulnerability has been exploited. Examples

include log monitoring, trend analysis, security audits (such as a periodic review of user

rights), video surveillance systems, and motion detection systems.

• Corrective controls attempt to reverse the impact of an incident or problem after it has

occurred. Examples include active intrusion detection systems, backups, and system

recovery plans.

• Deterrent controls attempt to prevent incidents by discouraging threats.

• Compensating controls are alternative controls used when it isn’t feasible or possible to

use the primary control.

2.2.2 Comparing physical security controls

• Door access control systems should allow personnel to exit without any form of

authentication, especially if the systems lose power such as during a fire. Controlled


IVAN V. S Page | 27

areas such as data centers and server rooms should only have a single entrance and

exit point.

• Cipher locks require users to enter a code to open doors. Shoulder surfers can discover

the code by watching users enter it, and uneducated user might give out the code to

unauthorized personnel. Training reduces these risks.

• Tailgating occurs when one user follow closely behind another user without using

credentials. A mantrap can prevent tailgating. Security guard should be especially

vigilant to watch for tailgating in high-traffic areas.

• Security guards are a preventative physical security control and they can prevent

unauthorized personnel from entering a secure area. A benefit of guards is that they can

recognize people and compare an individual’s picture ID for people they don’t recognize.

• Closed-circuit television (CCTV) systems provide video surveillance. They provide

reliable proof of a person’s identity and activity, and can be used to identify individuals

entering and exiting secure areas.

• Barricades provide stronger physical security than fences and attempt to deter attackers.

Bollards are effective barricades that allow people through, but not block vehicles.

• Physical security also includes basic locks. Cable locks secure mobile computers such

as laptop computers in a training lab. Server bays include locking cabinets as an

additional security measure within a server room. Small devices can be stored in safes

or locking office cabinets to prevent the theft of unused resources.

2.2.3 Implementing logical access controls

• The principle of least privilege is a technical control that uses access controls. It

specifies that individuals or processes are granted only the rights and permissions

needed to perform assigned tasks or functions, but no more.

• Group Policy manages user and computers in a domain, and it is implemented on a

domain controller within a domain. Administrators use it to create password policies, lock

down the GUI, configure host-based firewalls, and much more.

• Password policies provide a technical means to ensure users employ secure password

practices:

o Password length specifies the minimum number of characters in the password.

o Password complexity ensures passwords are complex and include at least three

of the four character types, such as special characters.

o Password history remembers past passwords and prevents users from reusing

passwords.

o Minimum password age is used with password history to prevent users from

changing their password repeatedly to get back to the original password.

o Maximum password age or password expiration forces users to change their

password periodically. When administrators reset user passwords, the password

should be immediately expired.

• Password policies should apply to any entity using a password. This includes user

accounts and accounts used by services and applications. Applications with internally

created passwords should still adhere to the organizations password policy.

• An account disablement policy ensures that inactive accounts are disables. Accounts for

employees who either resign or are terminated should be disabled as soon as possible.

Configuring expiration dates on temporary accounts ensures they are disabled

automatically.


IVAN V. S Page | 28

• Time restrictions can prevent users from logging on or accessing network resources

during specific hours.

• Account logon events include when a user logs on locally, and when the user accesses

a resource such as a server over the network. These events are logged and can be

monitored.

2.2.4 Comparing access control models

• The role-based access control (role-BAC) model uses roles to grant access by placing

users into roles based on their assigned job, functions, or tasks. A matrix matching job

titles with requires privileges is useful as a planning document when using role-BAC.

• Group-based privileges are a form of role-BAC. Administrators create groups, add users

to the groups, and then assign permissions to the groups. This simplifies administration

because administrators do not have to assign permissions to users individually.

• The rule-based access control (rule-BAC) model is based on a set of approved

instructions, such as ACL rules in a firewall. Some rule-BAC implementations use rules

that trigger in response to an event, such as modifying ACLs after detecting an attack.

• In the discretionary access control (DAC) model, every object has an owner. The owner

has explicit access and establishes access for any other user. Microsoft NTFS uses the

DAC model, with every object having a discretionary access control list (DACL). The

DACL identifies who has access and what access they are granted. A major flaw of the

DAC model is its susceptibility Trojan horses.

• Mandatory access control (MAC) uses security or sensitivity labels to identify objects

(what you’ll secure) and subjects (users). It is often used when access needs to be

restricted based on a need to know. The administrator establishes access based on

predefined security labels. These labels are often defined with a lattice to specify the

upper and lower security boundaries.

3. UNDERSTANDING BASIC NETWORK SECURITY

3.1 Network Security Overview

3.1.1 Reviewing basic networking concepts:

• TCP & UDP default ports identify specific protocols.

• ARP (address resolution protocol) resolves MAC (media access control) addresses to

IPv4 addresses. NDP (network discovery protocol) performs similar functions on IPv6.

• Several encryption protocols encrypt data in transit to protect its confidentiality. They

include SSH, FTPS, SFTP, SCP, IPsec, SSL, and TLS.

• SSH (secure shell) uses TCP port 22. SSH encrypts SFTP (secure FTP) traffic, SCP

(secure copy) traffic, and TCP wrappers. SSH uses port 22 when encrypting other

protocols.

• SSL (secure sockets layer) & TLS (transport layer security) can encrypt many protocols,

including HTPPS, SMTP, and LDAP. They both utilize certificates. TLS is the designated

replacement for SSL.

• HTTP uses port 80 for web traffic. HTTPS encrypts HTTP traffic in transit, and uses port

443.


IVAN V. S Page | 29

• FTP can upload and download large files and it uses TCP port 20 for data and TCP port

21 for control signals. It can be secured with SSH (as SFTP) or with SSL (as FTPS).

• Telnet uses TCP port 23. SSH is a more secure alternative than Telnet.

• SNMP (simple network management protocol) is used to monitor and configure network

devices and uses notification messages known as tramps. SNMP uses UDP port 161

and 162.

• NetBIOS uses ports 137 – 139. Kerberos uses UDP port 88.

• Microsoft SQL Server is database software and it uses port 1433.

• RDP (remote desktop protocol) is used to remotely connect to systems and it uses port

3389.

• SMTP (simple mail transfer protocol) sends email using TCP port 25. POP3 receives

email using TCP port 110. IMAP4 uses TCP port 143.

• IPv6 uses 128-bit addresses and is displayed as eight groups of hexadecimal

characters. It provides a significantly larger address space than IPv4 and natively

supports IPsec.

• DNS (domain name system) zones include A records for IPv4 addresses and AAAA for

Ipv6 addresses. Zone data is updated with zone transfers and secure zone transfers

help prevent unauthorized access to zone data. DNS uses TCP port 53 for zone

transfers and UDP port 53 for DNS client queries. Most internet-based DNS servers run

BIND software on Linux or UNIX servers.

3.1.2 Understanding basic network devices:

• Switches are used for network connectivity and they map MAC addresses to physical

ports.

• Loop protection protects against switching loop problems, such as when a user

connects two switch ports together with a cable. Spanning Tree Protocol (STP)

protects against switching loops.

• VLANs can logically separate computers or logically group computers regardless of their

physical location.

• Port security limits access to switch ports. It includes limiting the number of MAC

addresses per port and disabling unused ports. You can also manually map each port to

a specific MAC address or group of addresses.

• An 802.1x server provides stronger port security with port-based authentication. It

prevents rogue devices from connecting to a network, by ensuring that only authorized

clients can connect.

• Implicit deny indicates that unless something is explicitly allowed, it is denied. Firewalls

often use implicit deny by explicitly allowing some traffic and then implicitly denying all

other traffic that is not identified. Anything not explicitly allowed is implicitly denied.

• A host-based firewall helps you protect a single system from intrusions. Some Linux

systems use iptables or xtables for firewall capabilities.

• A network-based firewall controls traffic going in and out of a network.

• A firewall controls traffic between networks using rules within an ACL (access control

list). The ACL can block traffic based on ports, IP addresses, subnets, and protocols.

• More firewalls use an implicit deny strategy by blocking all traffic that isn’t explicitly

allowed. This is implemented with a deny all, or deny any rule at the end of the ACL.


IVAN V. S Page | 30

• A web application firewall (WAF) protects a web server against web application

attacks such as buffer overflow and cross-site scripting attacks.

3.1.3 Protecting the network perimeter:

• A DMZ (demilitarized zone) provides a layer of protection for servers that are

accessible from the internet.

• NAT (network address translation) translates public IP addresses to private IP

addresses, private back to public, and hides IP addresses on the internal network from

users on the internet.

• A proxy server forwards requests for services from a client. It can filter requests based

on URLs, cache content, and record users’ internet activity.

• A unified threat management (UTM) security appliance includes multiple layers of

protection, such as URL filters, content inspection, and malware inspection.

3.2 OSI Model • Know the OSI layers by number & name. The lowest layer is the physical layer and the

highest layer is the application layer.

• Switches operate on layer 2 and VLANs are defined on this layer.

• Routers operate on Layer 3 and use ACLs to restrict traffic.

4. SECURING THE NETWORK

4.1 Network Defense Concepts

4.1.1 Understanding IDSs & IPSs

• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) inspect

traffic using the same functionality as a protocol analyzer.


IVAN V. S Page | 31

• A host-based IDS (HIDS) can detect attacks on local systems such as workstations and

servers. The HIDS protects local resources on the host and can detect some malware

that isn’t detected by traditional antivirus software.

• A network-based ISD (NIDS) detects attacks on networks.

• A signature-based IDS uses signatures to detect known attacks or vulnerabilities.

Vendors create a number to identify each signature, or use the number in the Common

Vulnerabilities and Exposures (CVE) list.

• An anomaly-based (also called heuristic-based or behavior-based) IDS requires a

baseline and detects attacks based on anomalies or when traffic is outside expected

boundaries.

• A false positive sends an alert indicating an attack when an attack is not active. False

positives increase the workload of administrators. A false negative is when an attack is

active, but not reported.

• Honeypots and Honeynets appear to have valuable data and attempt to divert

attackers away from live networks. Security personnel use them to observe current

attack methodologies and gather intelligence on attacks.

• An intrusion prevention system (IPS) is similar to an active IDS except that it’s placed

in-line with the traffic, and can stop attacks before they reach the internal network. An

IPS can actively monitor data streams, detect malicious content, and mitigate the effect

of malicious activity.

• IDSs and IPSs can also protect internal private networks, such as private supervisory

control and data acquisition (SCADA) networks.

4.1.2 Securing wireless networks

• You can limit the coverage of a wireless access point (WAP) to a single room or

building by reducing the power level or modifying the placement of the antenna. This can

help prevent unauthorized users from connecting to the wireless network. You can

increase the wireless footprint by increasing power levels.

• Most WAPs have omnidirectional antennas. A Yagi antenna is a high-gain directional

antenna and you can connect two buildings with WAPs and Yagi antennas.

• Site surveys identify the footprint of a wireless network and potential threats.

Administrators perform site surveys during the planning stage, and perform periodic site

surveys to identify threats.

• Wired Equivalent Privacy (WEP) is an older wireless protocol that is not secure. Wi-Fi

Protected Access (WPA) was an initial improvement over WEP and it uses Temporal

Key Integrity Protocol (TKIP) with Rivest Cipher 4 (RC4), which is compatible with older

hardware.

• WEP implemented RC4 incorrectly using a small initialization vector (IV). IV attacks

often use packet injection to generate traffic and crack the encryption key.

• WPA cracking attacks capture the four-way authentication handshake and then perform

a brute force attack to discover the passphrase.

• Wi-Fi Protected Access II (WPA2) is the current standard and it supports Counter

Mode Cipher Block Chaining Message Authentication Code Protocol (CCMP).

• WPA/WPA2 Enterprise Mode is more secure than Personal Mode because it adds

authentication. It uses an 802.1x authentication server implemented as a RADIUS

server.


IVAN V. S Page | 32

• 802.1x serves as one of the Extensible Authentication Protocol (EAP) versions, such as

Protected EAP (PEAP), EAP-Tunneled Transport Layer Security (EAP-TTLS), EAP-

TLS, or Lightweight EAP (LEAP).

• The most secure EAP method is EAP-TLS, and it requires a certificate on the server and

on each of the wireless clients. PEAP and EAP-TTLS require a certificate on the server,

but not the client. PEAP is often implemented with Microsoft Challenge Handshake

Authentication Protocol version 2 (MS-CHAPv2). LEAP is proprietary to Cisco and does

not require a certificate.

• WAPs in hot sports often use Isolation mode to segment, or separate, wireless users

from each other. Additionally, they disable security to make it easy for users to connect

or use WEP with Open System Authentication.

• You can restrict access to wireless networks with media access control (MAC) filtering.

However, an attacker with a wireless sniffer can discover authorized MACs and perform

a spoofing attack.

• A wireless audit checks WAP power levels, antenna placement, wireless footprint, and

encryption techniques. It often includes war driving techniques and can detect rogue

access points.

• Disabling the service set identifier (SSID) broadcast (the network name) hides a wireless

network from casual users. However, an attacker with a wireless sniffer can easily

determine the SSID even if the SSID broadcasting is disabled.

• A rogue access point is an unauthorized WAP. Attackers can use them to capture data

on your network. Unauthorized users can access your network via a rogue access point.

• An evil twin is a rogue access point using the same SSID as an unauthorized WAP.

• Bluejacking involves sending unsolicited messages to a phone. Bluesnarfing involves

accessing data on a phone such as email and contact lists.

4.1.3 Exploring remote access

• VPNs provide remote access to an internal network for mobile users. Firewall ACLs

include rules to allow VPN traffic based on the tunneling protocol.

• VPN concentrators provide secure remote access to a large number of remote users.

• Some VPNs use IPsec to encrypt data in a secure tunnel during transit.

• IPsec is a common tunneling protocol used with VPNs. It can secure traffic in a site-to-

site tunnel and form clients to the VPN. IPsec uses Tunnel mode for VPNs. ESP

(encapsulating security payload) encrypts VPN traffic and provides confidentiality,

integrity, and authentication.

• Firewalls identify IPsec ESP traffic with protocol ID 50 and AH (authentication header)

traffic with protocol ID 51. IKE (internet key exchange) creates the security association

for the IPsec tunnel and uses port 500.

• Other tunneling protocols include SSTP, secure socket tunneling protocol, (using SSL

over port 443), L2TP, layer 2 tunneling protocol, (over UDP port 1701), and PPTP, point-

to-point tunneling protocol, (over TCP port 1723).

• NAC (network access control) inspects clients for specific health conditions such as up-

to-date antivirus software, and can redirect access to a remediation network for

unhealthy clients. NAC can be used with VPN clients and with internal clients.


IVAN V. S Page | 33

5. SECURING HOSTS & DATA

5.1 Host & Data Defense Concepts

5.1.1 Implementing host security

• Hardening servers and applications makes them more secure from their default

installation and improves their overall security posture. Key hardening steps are

disabling unnecessary services, protocols, and accounts.

• Disabling unnecessary services and protocols reduces the attack surface. Disabling

unnecessary accounts and changing default passwords helps prevent unauthorized

access.

• Baselines document the starting point for systems. Security baselines provide a

secure starting point for systems and applications. System and application

configuration baselines document proper configuration settings. Host software

baselines (or application baselines) identify approved software along with software

installed on systems.

• Administrators use baselines to identify anomalies by comparing settings, services, and

applications in the baseline with settings, services, and applications on live computers.

• Application whitelisting allows authorized applications to run, but blocks all other

applications. Application blacklisting blocks unauthorized applications, but allows other

applications to run.

• Virtualization allows multiple servers to operate on a single physical host. They provide

increased availability with various tools such as snapshots and easy restoration.

• Sandboxing within virtual environments combined with snapshots provides a high level

of flexibility for testing security controls and testing patches.

• Virtual local area networks (VLANs) separate or segment traffic. You create them with

physical switches on physical networks and with virtual switches on virtual networks.

• Patch management procedures ensure operating systems and applications are kept up

to date with current patches. This ensures they are protected against known

vulnerabilities.

• Static computing environments include supervisory control and data acquisition

(SCADA) systems and embedded systems. A key method of protecting them is to use a

combination of redundant controls and diverse controls. VLANs and network intrusion

prevention systems (NIIPSs) protect networks holding static systems.

5.1.2 Securing mobile devices

• You can protect mobile devices with encryption data, screen locks, and remote wipe

capabilities. Remote wiping removes all the data from a lost phone.

• Disabling the use of removable media on mobile devices prevents users from saving

data on USB thumb drives and other removable media.

• GPS tracking can help locate lost or stolen mobile devices. Geo-tagging uses GPS

features and adds geographical information to files such as pictures when posting them

on social media sites.

• Radio-frequency identification (RFID) provides automated inventory control and can

detect movement of mobile devices.

• Ensuring mobile devices are up to date with current patches and antivirus signature files

is a primary concern. Mobile device management (MDM) tools can ensure that devices


IVAN V. S Page | 34

meet these requirements and block network access if devices do not meet these

requirements.

• Data security is one of the primary security concerns related to bring your own device

(BYOD) policies.

• VLANs can isolate mobile device traffic from the primary network.

5.1.3 Protecting data

• The primary method of protecting the confidentiality of data is with encryption and

strong access controls. Encryption protects both data at rest (stored on a device) and

data in motion (transmitted over a network).

• You can encrypt individual columns in a database (such as credit card numbers), entire

databases, individual files, entire disks, and removable media.

• Whole disk encryption and full device encryption procedures protect all data on a disk

and are useful when protecting data on USB flash drives. Many mobile devices and

removable devices support full disk encryption. Encryption protects the data if the device

is stolen.

• Hardware encryption is faster and more efficient than software encryption.

• A trusted platform module (TPM) is a chip in a motherboard included with many laptops.

TPMs have a storage root key used to generate and protect other encryption keys.

TPMs support full disk encryption.

• A hardware security module (HSM) is a removable or external device used for

encryption. An HSM generates and stores RSA encryption keys and can be integrated

with servers to provide hardware encryption.

• Network-based data loss prevention (DLP) devices reduce the risk of data leakage.

They can analyze outgoing data, such as emails, and detect when employees send out

confidential company data. Endpoint DLP can block users from copying or printing

certain files.

5.1.4 Understanding cloud computing

• Provider clouds provide increased capabilities for heavily utilized systems and networks.

• Software as a service (SaaS) includes web-based applications such as web-based

email.

• Infrastructure as a service (IaaS) provides hardware resources via the cloud. It can help

an organization limit the size of their hardware footprint and reduce personnel costs.

• Platform as a service (PaaS) provides an easy-to-configure operating system and on-

demand computing for customers.

• Physical control of data is a key security control an organization loses with cloud

computing.

6. UNDERSTANDING MALWARE & SOCIAL ENGINEERING

6.1 Understanding malware types • Malware includes several different types of malicious code, including viruses, worms,

ransomware, logic bombs, rootkits, backdoors, and more.

• An armored virus uses one or more techniques to make it difficult to reverse engineer.

Polymorphic malware changes to make it difficult to detect.

• A worm is self-replicating, unlike a virus, which must be executed.


IVAN V. S Page | 35

• A logic bomb executes in response to an event, such as a day, time, or condition.

Malicious insiders have planted logic bombs into existing systems, and these logic

bombs have delivered their payload after the employee left the company.

• Backdoors provide another way of accessing a system. Malware often inserts

backdoors into systems, giving attackers remote access to systems.

• A Trojan appears to be one thing, such as pirated software or free antivirus software,

but is something malicious. Drive-by downloads attempt to infect systems with Trojans.

• A botnet is a group of computers called zombies controlled through a command-and-

control server. Attackers use malware to join computers to botnets.

• Ransomware is a type of malware that takes control of a user’s system or data.

Criminals attempt to extort payment as ransom combined with threats of damaging a

user’s system or data if the user doesn’t pay.

• Rootkits take root-level or kernel-level control of a system. They hide their processes to

avoid detection. They can remove user privileges and modify system files.

• Adware often causes pop-up windows to appear with advertisements.

• Spyware is often installed on user systems without the user’s knowledge or consent and

it monitors the user’s activities/ it can result in the loss of confidentiality as it steals user

secrets.

6.2 Recognizing common attacks • Social engineering is the practice of using social tactics to gain information or trick

users into performing an action they wouldn’t normally take.

• Social engineering attacks can occur in person, over the phone, while surfing the

internet, and via email. Many social engineers attempt to impersonate others.

• Shoulder surfing is an attempt to gain unauthorized information through casual

observation, such as looking over someone’s shoulder, or monitoring screens with a

camera.

• Tailgating is the practice of one person following closely behind another without

showing credentials. Mantraps help prevent tailgating. Cameras with recording

capabilities are a cheaper substitute to deter tailgating.

• Dumpster divers search through trash looking for information. Shredding or burning

documents reduces the risk of dumpster diving.

• Spam is unwanted or unsolicited email. Attackers often use spam in different types of

attacks.

• Phishing is the practice of sending email to users with the purpose of tricking them into

revealing sensitive information, installing malware, or clicking on a link.

• Spear phishing and whaling are types of phishing. Spear phishing targets specific

groups of users and whaling targets high-level executives.

• Vishing is a form of phishing that uses voice over the telephone and often uses Voice

over IP (VoIP). Some vishing attacks start with a recorded voice ant then switch over to

a live person.

6.3 Blocking malware and other attacks • Antivirus software can detect and block different types of malware, such as worms,

viruses, and Trojans. Antivirus software uses signatures to detect known malware.


IVAN V. S Page | 36

• When downloading signatures manually, hashes can verify the integrity of signature

files.

• Antivirus software typically includes a file integrity checker to detect files modified by a

rootkit.

• Pop-up blockers can block many pop-up windows used by adware.

• Anti-spam software attempts to block unsolicited email. You can configure a spam filter

to block individual email addresses and email domains.

• Anti-spyware software helps protect user’s personal information while online by

detecting and blocking spyware. Some antivirus software applications include anti-

spyware elements.

• Security-related awareness and training programs help users learn about new

threats and security trends, such as new viruses, new phishing attacks, and zero-day

exploits. Zero-day exploits take advantage of vulnerabilities that aren’t known by trusted

sources.

• Social engineers and other criminals employ several principles to help increase the

effectiveness of their attacks. They are authority, intimidation, consensus/social proof,

scarcity, urgency, familiarity/liking, and trust.

7. IDENTIFYING ADVANCED ATTACKS

7.1 Comparing common attacks • A DoS (denial of service) attack is an attack launched from a single system and

attempts to disrupt services.

• A DDoS (distributed DoS) attacks are DoS attacks from multiple computers. DDoS

attacks typically include sustained, abnormally high network traffic.

• Smurf attacks spoof the source IP address and use a directed broadcast ping to flood

victims with ping replies. Smurf attacks often use amplifying networks. Configuring

routers to block directed broadcasts prevents a network from becoming an amplifying

network.

• Replay attacks capture data in a session with the intent of using information to

impersonate one of the parties. Timestamps and sequence numbers thwart replay

attacks.

• Account lockout policies thwart online password attacks such as dictionary and

brute force attacks that attempt to guess a password. Complex passwords thwart

offline password attacks.

• Password salting adds additional characters to passwords before hashing them, and

prevents many types of attacks, including dictionary, brute force, and rainbow table

attacks.

• DNS poisoning attacks modify DNS data and can redirect users to malicious sites.

Pharming attacks often modify the hosts file to redirect web site traffic to a malicious web

site.

• Attackers buy domain names with minor typographical errors in the hopes of attracting

traffic when users enter the incorrect URL.


IVAN V. S Page | 37

• Attackers exploiting unknown or undocumented vulnerabilities are taking advantage of

zero-day vulnerabilities. The vulnerability is no longer a zero-day vulnerability after the

vendor releases a patch to fix it.

7.2 Identifying application attacks • A common coding error in web-based applications is the lack of input validation.

• Input validation checks the data before passing it to the application and prevents many

types of attacks, including buffer overflow, SQL injection, command injection, and

cross-site scripting (XSS) attacks.

• Server-side input validation is the most secure. Attackers can bypass client-side input

validation, but not server-side input validation.

• Error- and exception-handling routines within applications can prevent application

failures and protect the integrity of the operating systems. Error messages shown to

users should be generic, but the application should log detailed information on the error.

7.3 identifying application attacks • Buffer overflows occur when an application receives more data, or unexpected data,

then it can handle and exposes access to system memory.

• Buffer overflow attacks exploit buffer overflow vulnerabilities. A common method uses

NOP instructions or NOP sleds such as a string of x90 commands. Two primary

protection methods against buffer overflow attacks are input validation and keeping a

system up to date.

• SQL injection attacks provide information about a database and can allow an attacker

to read and modify data within a database from a web page. Input validation and stored

procedures provide the best protection.

• Client-side attacks originate from the client such as within a web browser. Transitive

access attacks attempt to access resources via a transitive trust relationship. SQL

injection is an example of a client-side transitive access attack.

• Cross-site scripting (XSS) allows an attacker to redirect users to malicious websites

and steal cookies. It uses HTML and JavaScript tags with < and > characters.

• Cross-site request forgery (XSRF) causes users to perform actions on web sites

without their knowledge and allows attackers to steal cookies and harvest passwords.

• XSS and XSRF attacks are mitigated with input validation techniques.

• Lightweight directory access protocol (LDAP) injection attacks attempt to access

data on servers hosting a directory service, such as Microsoft Active Directory.

• Transitive access attacks can attack back-end servers via a front-end server. For

example, SQL injection attacks start as a client-side attack, but access back-end

databases via a web server.

• Fuzzing sends random data to an application to test the application’s ability to handle

the random data. Fuzzing can cause an application to crash if proper input validation

techniques are not used.


IVAN V. S Page | 38

8. MANAGING RISK

8.1 Identifying risk • A risk is the likelihood that a threat will exploit a vulnerability. A threat is a potential

danger that can compromise confidentiality, integrity, or availability of data or a system.

A vulnerability is a weakness

• Risk management methods include risk avoidance, transference, acceptance,

mitigation, and deterrence. You avoid a risk by not providing a service or not

participating in a risky active. Purchasing insurance, such as fire insurance, transfers the

risk to another entity. Some controls such as security guards deter a risk.

• You cannot eliminate risk. Risk management attempts to reduce risk to a level that an

organization is able to accept, and the remaining risk is known as residual risk. Senior

management is responsible for managing risk and the losses associated from residual

risk.

• Quantitate risk assessments use numbers, such as costs and asset values. The single

loss expectancy (SLE) is the cost of any single loss. The annual rate of occurrence

(ARO) indicates how many times the loss will occur annually. You can calculate the

annual loss expectancy (ALE) as SLE x ARO.

• Qualitative risk assessments use judgement to prioritize risks base on probability and

impact. These judgements provide a subjective ranking.

• Risk assessment results are sensitive. Only executives and security professionals

should be granted access to risk assessment reports.

8.2 Checking for vulnerabilities • A port scanner scans systems for open ports and attempts to discover what services

and protocols are running.

• An advanced persistent threat (APT) typically attacks from another country and can

launch sophisticated and targeted attacks.

• Vulnerability assessments determine the security posture of a system or network.

• Vulnerability scanners passively test security controls to identify vulnerabilities, a lack

of security controls, and common misconfigurations. They are effective at discovering

systems susceptible to an attack without exploiting the systems.

• A false positive from a vulnerability scan indicates the scan falsely detected a

vulnerability, and the vulnerability doesn’t actually exist.

• A penetration test is an active test that attempts to exploit discovered vulnerabilities. It

starts with a vulnerability scan and then bypasses or actively tests security controls to

exploit vulnerabilities.

• Significant differences between vulnerability scans and penetration tests are that

vulnerability scans are passive and less invasive, while penetration tests are active and

more invasive.

• A baseline review identifies changes from the original deployed configuration.

• Code reviews are a type of assessment where a peer programming goes through code

line-by-line looking for vulnerabilities, such as race conditions or susceptibility to buffer

overflow attacks.

• Design reviews ensure that systems and software are developed properly, following

standard security best practices.


IVAN V. S Page | 39

• In black box testing, testers perform a penetration test with zero prior knowledge of the

environment. White box testing indicates that the testers have full knowledge of the

environment, including documentation and source code for tested applications. Gray

box testing indicates some knowledge of the environment.

• Black hat indicates a malicious attacker, whereas white hat identifies a security

professional working within the law.

• Penetration testers should gain consent prior to starting a penetration test. A rules-of-

engagement document identifies the boundaries of the test.

• Continuous security monitoring helps an organization maintain its security posture, by

verifying that security controls continue to function as intended.

8.3 Identifying security tools • Protocol analyzers (sniffers) can capture and analyze data sent over a network.

Attackers use protocol analyzers to capture cleartext data sent across a network.

• Administrators use protocol analyzers for troubleshooting communication issues by

inspecting protocol headers to detect manipulated or fragmented packets.

• Captured packets show the type of traffic (protocol), source and destination IP

addresses, source and destination MAC addresses, and flags.

• Routine audits help an organization verify they are following their own policies, such as

the principle of least privilege and account management control best practices.

• A user rights and permissions review ensures that users have only the access they

need and no more. It also verifies that inactive accounts are either disabled or deleted.

• Security logs track logon and logoff activity on systems. System logs identify when

services start and stop.

• Firewall and router logs identify the source and destination of traffic.

• Centralized log management protects logs when systems are attacked or

compromised.

9. PREPARING FOR BUSINESS CONTINUITY

9.1 Adding redundancy • A single point of failure is any competent that can cause the entire system to fail if it

fails.

• RAID disk subsystems provide fault tolerance and increase availability. RAID-1

(mirroring) uses two disks, RAID-5 uses three or more disks and can survive the failure

of one disk, and RAID-6 uses four or more disks and can survive the failure of two disks.

• Server redundancies include failover clusters and load balancing. Failover clusters

remove a server as a single point of failure. If one node in a cluster fails, another node

can take over.

• Load balancing spreads the processing load over multiple servers to ensure availability

when the processing load increases. Many web-based applications use load balancing

for higher availability.

• A UPS system provides fault tolerance for power fluctuations and provides short-term

power for systems during power outages. Generators provide long-term power for

systems during extended power outages.


IVAN V. S Page | 40

9.2 Protecting data with backups • Backup strategies include full, full/differential, and full/incremental strategies. A full

backup strategy alone allows the quickest recovery time.

• Full incremental back up strategies minimize the amount of time needed to perform

daily backups.

• Test restores verify the integrity of backups. A test restore of a full backup verifies a

backup can be restored in its entirety.

• Backups should be labeled to identify the contents. A copy of backups should be kept

off-site.

9.3 Comparing business continuity elements • A business impact analysis (BIA) is part of a business continuity plan (BCP) and it

identifies a systems and components that are essential to the organizations success.

• The BIA identifies maximum downtimes for these systems and components, various

scenarios that can affect these systems and components, and the potential losses from

an incident.

• Recovery time objective (RTO) identifies the maximum amount of time it should take to

restore a system after an outage. The recovery point objective (RPO) refers to the

amount of data you can afford to lose.

• Continuity of operations planning (COOP) sites provide alternate locations for

business functions after a major disaster.

• A hot site includes everything needed to be operational within 60 minutes. It is the most

effective recovery solution and the most expensive. A cold site has power and

connectivity requirements and little else. It is the least expensive to maintain.

• Warm sites are a compromise between hot sites and cold sites. Mobile sites do not

have dedicated locations, but can provide temporary support during a disaster.

• Disaster recovery planning is part of overall business continuity planning. A disaster

recovery plan (DRP) includes the steps to return one or more systems to full operations.

BCPs or DRPs include a hierarchical list of critical systems identifying the order of

restoration.

• BCPs and DRPs commonly include a communication plan. It identifies alternate

methods of communication, such as a war room or push-to-talk phones. It also identifies

who to contact, such as response team members, employees, suppliers, customers,

media, and regulatory agencies.

• Succession planning ensures that an organization can continue to operate even if key

leaders are unavailable. Succession planning charts identify roles and responsibilities to

follow during a disaster, along with a clear chain of command.

• Periodic testing validates BCPs and DRPs. Disaster recovery exercises validate the

steps to restore individual systems, activate alternate sites, and other actions

documented within a plan. Tabletop exercises are discussion-based only. Functional

exercises are hands-on exercises.

9.4 Implementing environmental controls • Heating, ventilation, and air conditioning (HVAC) systems control airflow for data centers

and server rooms. Temperature controls protect systems from damage due to

overheating.


IVAN V. S Page | 41

• Higher-tonnage HVAC systems provide more cooling capacity. You can increase the

mean time between failures (MTBF) times and overall availability by keeping server

rooms at lower operating temperatures.

• Humidity controls protect against ESD damage by ensuring humidity isn’t too low.

They also protect against water damage from condensation if humidity gets too high.

• HVAC systems should be integrated with the fire alarm systems and either have

dampers or the ability to be turned off in the event of a fire.

• EMI shielding prevents problems from EMI sources such as fluorescent lighting fixtures.

It also prevents data loss in twisted-pair cables.

10. UNDERSTANDING CRYPTOGRAPHY

10.1 Providing integrity with hashing • Hashing verifies the integrity of data, such as downloaded files and email messages.

• A hash (sometimes called a checksum) is a fixed-size string of numbers or hexadecimal

characters.

• Hashing algorithms are one-way functions used to create a hash. You cannot reverse

the process to re-create the original data.

• Passwords are often stored as hashed instead of the actual password. Salting the

password thwarts many password attacks.

• Common hashing algorithms are Message Digest 5 (MD5), Secure Hash Algorithm

(SHA), and Hash-based Message Authentication Code (HMAC). HMAC provides both

integrity and authenticity of a message.

• Transport encryption protocols such as internet protocol security (IPsec) and transport

layer security (TLS) use HMAC-MD5 and HMAC-SHA1.

10.2 Providing confidentiality with encryption • Confidentiality ensures that data is only viewable by authorized users. Encryption

provides confidentiality of data, including data at rest (any type of data stored on disk)

and data in transit (any type of transmitted data).

• Symmetric encryption uses the same key to encrypt and decrypt data. As an example,

Remote authentication dial-in user service (RADIUS) uses a shared key for symmetric

encryption.

• Block ciphers encrypt data in fixed-size blocks. Advanced encryption standard (AES)

and Twofish encrypt data in 128-bit blocks.

• Stream ciphers encrypt data one bit or one byte at a time. They are more efficient than

block ciphers when encrypting data of an unknown size, or sent in a continuous stream.

RC4 is a commonly used stream cipher.

• Data encryption standard (DES), Triple DES (3DES), and Blowfish are block ciphers

that encrypt data in 64-bit blocks.

• AES is a popular symmetric block encryption algorithm, and it uses 128, 192, or 256 bits

for the key.

• DES is an older, symmetric block encryption algorithm. 3DES was created as an

improvement over DES and is used when hardware doesn’t support AES.

• One-time pads provide the strongest encryption when compared with other encryption

methods.


IVAN V. S Page | 42

• Asymmetric encryption uses public and private keys as matched pairs.

o If the public key encrypted information, only the matching private key can decrypt

it.

o If the private key encrypted information, only the matching public key can decrypt

it.

o Private keys are always kept private and never shared.

o Public keys are freely shared by embedding them in a certificate.

• RSA is a popular asymmetric algorithm. Many cryptographic protocols use RSA to

secure data such as email and data transmitted over the internet. RSA uses prime

numbers to generate public and private keys.

• Elliptic curve cryptography (ECC) is an encryption technology commonly used with small

wireless devices.

• Diffie-Hellman provides a method to privately share a symmetric key between two

parties. Elliptic curve diffie-hellman ephermeral (ECDHE) is a version of Diffie-Hellman

that uses ECC to re-create keys for each session.

• Steganography is the practice of hiding data within a file. You can hide messages in the

white space of a file without modifying its size. A more sophisticated method is by

modifying bits within a file. Capturing and comparing hashes of files can discover

steganography attempts.

• Transport encryption methods protect confidentiality of data sent over the network.

IPsec, TLS, and SSL are three examples.

• IPsec uses HMAC for authentication and integrity and AES of 3DES for encryption.

• TLS is the replacement for SSL. Both require certificates issued from a CA (certificate

authority).

10.3 Using cryptographic protocols • When using digital signatures with email:

o The sender’s private key encrypts (or signs).

o The sender’s public key decrypts.

• A digital signature provides authentication (verified identification) of the sender, non-

repudiation, and integrity of the message.

• When encrypting email:

o The recipient’s public key encrypts.

o The recipient’s private key decrypts.

o Many email applications to use the public key to encrypt a symmetric key, and

then use the symmetric key to encrypt the email contents.

• When encrypting web site traffic with SSL or TLS:

o The website’s public key encrypts a symmetric key.

o The website’s private key decrypts the symmetric key.

o The symmetric key encrypts data in the session.

• S/MIME and PGP secure email with encryption and digital signatures. They both use

RSA, certificates, and depend on a PKI. They can encrypt email at rest (stored on a

drive) and in transit (over the network).

• Two commonly used key stretching techniques are bcrypt and Password-Based Key

Derivation Function 2 (PBKDF2). They protect passwords against brute force and

rainbow table attacks.


IVAN V. S Page | 43

10.4 Exploring PKI concepts • A public key infrastructure (PKI) is a group of technologies used to request, create,

manage, store, distribute, and revoke digital certificates. A PKI allows two entities to

privately share symmetric keys without any prior communication.

• Most public CAs use a hierarchical centralized CA trust model, with a root CA and

intermediate CAs.

• A CA issues, manages, validates, and revokes certificates. Wildcard certificates use a *

for child domains to reduce the administrative burden of managing certificates.

• Root certificates of trusted CAs are stored on computers. If a CAs root certificate is not

in the trusted store, web users will see error indicating the certificate is not trusted or the

CA is not recognized.

• You request a certificate with a certificate signing request (CSR). You first create a

private/public key pair and include the public key in the CSR.

• CAs revoke certificates when an employee leaves, the private key is compromised, or

the CA is compromised. A CRL (certificate revocation list) identifies revoked certificates

as a list of serial numbers.

• The CA publishes the CRL, making it available to anyone. Web browsers can check

certificates they receive from a web server against a copy of the CRL to determine if a

received certificate is revoked.

• User systems return errors when a system tries to use an expired certificate.

• When users are issued new certificates, such as in a new smart card, they need to

publish the new certificate. This is typically done by publishing it to a global address list.

• A key escrow stores a copy of private keys used within a PKI. If the original private key

is lost or inaccessible, the copy is retrieved from escrow, preventing data loss.

• Recovery agents can recover data secured with a private key, or recover a private key,

depending on how the recovery agent is configured.

11. EXPLORING OPERATIONAL SECURITY

11.1 Exploring security policies • Written security policies are management controls that identify an overall security plan

for an organization and help to reduce overall risk. Other security controls enforce

security policies.

• An acceptable use policy (AUP) defines proper system usage for users. It often

specifically mentions unacceptable usage such as visiting certain web sites, and typically

includes statements informing users that the organization monitors user activities. Users

are required to read and sign an acceptable use policy when hired, and in conjunction

with refresher training.

• Mandatory vacation policies require employees to take time away from their job.

These policies help to reduce fraud and discover malicious activities by employees.

• A separation of duties policy separates individual tasks of an overall function between

different entities or different people, and helps to deter fraud. For example, a single

person shouldn’t be able to approve bills and pay them, or print checks and then sign

them.

• Job rotation policies require employees to change roles on a regular basis. Employees

might swap roles temporarily, such as for three to four weeks, or permanently. These


IVAN V. S Page | 44

policies help to prevent employees from continuing with fraudulent activities, and detect

fraud if it occurs.

• Clean desk policies require users to organize their desks and surrounding areas to

reduce the risk of possible data theft and password compromise.

• Account policies often require administrators to have two accounts to prevent privilege

escalation and other attacks. Account disablement policies ensure that inactive accounts

are disabled.

• Change management policies define the process for making changes, and provide the

accounting structure or method to document the changes. Change management helps

reduce unintended outages from changes.

• Third-party agreements typically include a non-disclosure agreement requiring all

parties to recognize who owns the data and prohibiting unauthorized sharing of data.

• A service level agreement (SLA) is an agreement between a company and a vendor

that stipulates performance expectations, such as minimum uptime and maximum

downtime levels. A memorandum of understanding (MOU) is a looser agreement than

an SLA.

• An interconnection security agreement (ISA) specifies technical and security

requirements for connections and ensures data confidentiality while data is in transit. An

ISA is often used with an MOU.

• Information classification practices help protect sensitive data by ensuring users

understand the value of data. Data labeling ensures that users know what data they are

handling and processing.

• Degaussing a disk magnetically erases all the data. Physically destroying a drive is the

most secure method of ensuring unauthorized personnel cannot access proprietary

information.

• Sanitization procedures ensure data is removed from decommissioned systems.

Specialized applications erase disk drives by writing a series of 1s and 0s multiple

times on the drive. Cluster tip wiping erases file remnants in reclaimed space.

• Storage and retention policies identify how long data is retained. They can limit a

company’s exposure to legal proceedings and reduce the amount of labor required to

respond to court orders.

• Personally identifiable information (PII) is used to personally identify an individual.

Examples include the full name, birth date, address, and medical information of a

person.

• PII requires special handling and policies for data retention. Many laws mandate the

protection of PII, and require informing individuals when an attack results in the

compromise of PII.

• A privacy policy identifies what data is collected from users on a web site. Many laws

require a privacy policy.

11.2 Responding to incidents • An incident response policy defines an incident and incident response procedures.

Organizations review and update incidents periodically and after reviewing lessons

learned after actual incidents.

• Warning banners remind users of rules regarding access when the users log on.


IVAN V. S Page | 45

• The first step in incident response is preparation. It includes creating and maintaining

an incident response policy and includes prevention steps such as implementing security

controls to prevent malware infections.

• Before taking action, personnel verify an event is an actual incident. Next, they attempt

to contain or isolate the problem. Disconnecting a computer from a network will isolate it.

• First responders are the first IT or security personnel on the scene of an incident. They

often have access to toolkits along with contact information of other security personnel.

• An incident response policy typically includes a list of personnel to notify after an

incident. A data breach typically requires notifying outside entities, especially if the data

breach compromises customer data.

• Recovery or reconstitution restores a system to its original state. Depending on the

scope of the incident, administrators might completely rebuild the system, including

applying all updates and patches.

• A review of lessons learned helps an organization prevent a reoccurrence of an

incident.

• The order of volatility for data from most volatile to least volatile is cache memory

regular RAM swap or paging file hard drive data logs stored on remote systems

archived media.

• Forensic experts capture an image of the data before analysis to preserve the original

and maintain its usability as evidence.

• Hard drive imaging creates a forensic copy and prevents the forensic capture and

analysis from modifying the original evidence. A forensic image is a bit-by-bit copy of the

data and does not modify the data during the capture.

• Hashing provides integrity for images, including images of both memory and disk drives.

Taking a hash before and after capturing a disk image certifies that the capturing

process did not modify data. Hashes can reveal evidence tampering or, at the very least,

that evident has lost integrity.

• A chain of custody provides assurance that personnel controlled and handled evidence

properly after collecting it. It may start with a tag attached to the physical item, followed

by a chain-of-custody form that documents everyone who handled it and when they

handled it.

11.3 Raising security awareness • Security awareness and training programs reinforce user compliance with security

policies and help reduce risks posed by users.

• Information security awareness programs help educate users about emerging threats

such as techniques attackers are currently using, acceptable use policies, and policies

related to social networking sites.

• Role-based training ensures that personnel receive the training they need. For

example, executives need training on whaling attacks.

• Social media sites allow people to share comments with a wide group of people.

• Improper use of social networking sites can result in inadvertent information disclosure.

• Attackers gather information from these sites to launch attacks against users, such as

cognitive password attacks to change users’ passwords. Training reduces these risks.

• Banner ad malware (aka malvertisements) look like ads but include malicious code.

Organizations sometimes block access to some web sites to block banner ad malware.


IVAN V. S Page | 46

• Data breaches on social media sites can expose user passwords. If users do not have

different passwords, or use the same credentials to access other web applications, a

data breach on a social media site can impact much more than just that site.

• P2P software is a source of data leakage. Organizations often block P2P software to

prevent data leakage and to prevent P2P traffic from consuming network bandwidth.

• Metrics can validate the success of a training program.

SECTION 2

I. ENTERPRISE SECURITY ARCHITECTURE:

1. Overview of InfoSec Program Management Cost/Benefit Analysis

• Understand CBA before you do design; *the goal of security is just to support the business, you only need enough security for that – think of the $$.

• Quantitative review

o AV*EF = SLE o SLE*ARO = ALE o ALE (before) – ALE (after – cost of the control = ROI

• Other costs associated with security

1. Overview of InfoSec Program

Management

2. Security Models

3. Evaluation Criteria

4. Technical Project

Management

5. Architecture & Design: Intro

6. Architecture & Design:

Hardware

7. Architecture & Design: CPU

Modes & Protection Rings

8. Architecture & Design: Integrity

Models

9. Architecture & Design:

Evaluation Criteria

10. Architecture & Design: Assurance

11. Architecture & Design: Review


IVAN V. S Page | 47

o Performance o Ease of use o Backwards compatibility o User acceptance

Security Architecture

• Trusted Computing

o Operating systems are often designed upon a ringed architecture to isolate protection layers (layers of trust):

o o Ring 0 = TCB (trusted computer base)

▪ *Microsoft Word = program / application If I open Word it is loaded into memory and becomes a process then every individual instruction within Word is a thread

Architecture Vulnerabilities

• Covert channels: hidden means of communication

o Storage: data laced somewhere unexpected o Timing: communication through modulation of resources

• Maintenance hooks: allow easy access for programmers to access code. Must be

removed.

• TOC/TOU (time of check / time of use): a type of race condition that creates a

variation between when a file is verified and when it is used. Attacks on the timing of a system.

• A system must be designed to fail in such a way that it’s resources are secure o Secure state model o Fail secure o Maintenance secure

2. Security Models • GOAL: build a product to be secure

• Mathematical instructions to create secure systems

• Primarily to enforce confidentiality or integrity

• Conceptual basis for system design and control implementation Security Models

• State machine models

• **The Bell-LaPadula Model

• **The Biba Model

• The Clark-Wilson model


IVAN V. S Page | 48

• The Brewer & Nash model

• The information flow model

• The non-interference model

• The Lattice model State Machine Models (Secure State Model)

• *a system must be secure in all states of operation, or it is not secure – the basis of all security models

• The state of a system is its snapshot at any one moment. The state machine model describes subjects, objects, and sequences in a system. The focus of this model is to capture the system’s state and ensure its security.

• When an object accepts input, the value of the state variable is modified. For a subject to access this object or modify the object value, the subject should have appropriate access rights.

• State transitions refer to activities that alter a systems state. *Bell & LaPadula

• Developed by David Elliot Bell & Len LaPadula

• This model focuses on data confidentiality and access to classified information.

• A formal model developed for the DoD multilevel security policy

• This formal model divides entities in an information system into subjects and objects

• Model is built on the concept of a state machine with different allowable states (i.e. secure state)

• 3 RULES:

o Simple security property – “no read up” ▪ A subject cannot read data from a security level higher than subject’s

security level o *_Security Property (pronounced Star Security Property) – “no write down”

▪ A subject cannot write data to a security level lower than the subject’s security level.

o Strong *(star) Property – “no read/write up or down” ▪ A subject with read/write privilege can perform read/write functions only

at the subject’s security levels. o TIP: simple always talks about “read”, *(star) always talks about “write”

Biba Integrity Model

• Biba is concerned with integrity o Developed by Kenneth J. Biba in 1977 based on a set of access control rules

designed to ensure data integrity. o No subject can depend on an object of lesser integrity o Based on a hierarchical lattice of integrity levels o Authorized users must perform correct and safe procedures to protect data

integrity o RULES:

▪ Simple integrity axiom – “no read down” – a subject cannot read data from an object of lower integrity level.

▪ *(star)integrity axiom – “no write up” – a subject cannot write data to an object at a higher integrity level.

▪ Invocation property – a subject cannot invoke (call upon) subjects at a higher integrity level.

Clark-Wilson Model

• SIMPLE: Clark-Wilson basically says: keep users out of your stuff or they will break it


IVAN V. S Page | 49

o give the users a front-end application that has access to the database instead of direct access

• Clark Wilson enforces well-formed transactions using the access triple: o User (TP) transformation procedure CDI (constrained data item)

• Deals with all three integrity goals

• Separation of duties o Prevents unauthorized users from making modifications o Prevents authorized users from making improper modifications o Maintain internal and external consistency – reinforces separation of duties

Brewer-Nash Model – aka Chinese Wall

• Developed to combat conflict of interest in databases housing competitor information

• Publish in 1989 to ensure fair competition

• Defines a wall and a set of rules to ensure that no subject accesses objects on the other side of the wall

• Way of separating competitor’s data within the same integrated database Information flow model

• Hold data in distinct compartments

• Data is compartmentalized based on classification and the need to know

• Model seeks to eliminate covert channels

• Model ensures that information always flows from a low security level to a higher security level and from a high integrity level to a low integrity level

• Whatever component directly affects the flow of information must dominate all components involved with the flow of information

Lattice Model

• Model consists of a set of objects constrained between the least upper bound and the greatest lower bound values.

• The least upper bound Is the value that defines the least level of object access rights granted to a subject

• The greatest lower bound is value that defines the maximum level of object access rights granted to a subject

• The goal of this model is to protect the confidentiality of an object an and only allow access by an authorized subject.

Non-interference model

• TIP: think “what happens in Vegas stays in Vegas”

• Model ensures that actions at a higher security level does not interfere with the actions at a lower security level.

• The goal of this model is to protect the state of an entity at the lower security level by actions at the higher security level so that data does not pass through covert or timing channels.

3. Evaluation Criteria • TCSEC

o Trusted Computer System Evaluation Criteria (orange book) ▪ Trust vs. assurance ▪ D minimal protection ▪ C1, C2 discretionary protection ▪ B1, B2, B3 mandatory protection ▪ A1 verified protection

o ITSEC [introduced by Europe]


IVAN V. S Page | 50

▪ Function vs. assurance

• Common criteria (ISO 15408) o best of TCSEC & ITSEC o protection profile o Target of evaluation o Security target o Security packages o EAL rating

• CMMI (Capabilities Maturity Model Integrated) o Evaluating software development o TIP: MNEUMONIC: I Really Don’t Mind Oranges -- IRDMO o Level 1: initiating: chaotic, heroic efforts needed from staff o Level 2: repeatable: beginning of project management awareness, processes

are put in place o Level 3: defined: well defined processes put in place with organizational

support o Level 4: managed: product and processes focused on quantitative

understanding of quality o Level 5: optimized: continuous process improvement o *most orgs are content with being level 3

• IDEAL Model (Initiate, Diagnose, Establish, Action, Leverage) Certification & Accreditation

• NIACAP o National information assurance certification and accreditation o Certification: technical evaluation of the security components of a system in a

environment o NIACAP is designed to ensure that all National Security Systems meet the

requirements for Certification & Accreditation o The main document is the system Security Authorization Agreement (SSAA).

This document gets updated throughout the NIACAP process.

• DIACAP o DoD information assurance certification and accreditation o Certification/accreditation process for all DoD-owned and/or controlled

information systems o Baseline DoD information assurance controls o Main document is a DIACAP Scorecard, POA&M (plan of Action and

Milestones)

• RMF o Risk Management Framework: should be replacing both NIACAP & DIACAP

as the standard framework o System Security Plan (SSP) o Statement of Records Notice (SORN) o Minimum Security Baseline (MSB) o POA&M (Plan of Action & Milestones)


IVAN V. S Page | 51

o

4. Technical Project Management • Project is defined as a temporary endeavor with the goal of producing a unique

product service or result. • Project management is the application of skills, knowledge, tools and techniques to

meet the goals of the project • The project management lifecycle consists of the following:

o Initiating: getting the project authorized and approved and collection of information at a high level

o Planning: providing direction for the projects and determining baselines o Execution: doing the work of the project – producing deliverables and

collecting “actuals” – data that describes what has happened o Monitoring and Controlling: baselines vs. actuals (variance analysis);

tracking o Closing: ringing the project to an orderly formalized end

• Key documents in Project Management o Project charter o PM plan o Scope statement o Work breakdown structure o Scope, schedule, and cost baselines o Stakeholder register o Risk register o Quality baseline o Schedule o Budget o Resource assignments


IVAN V. S Page | 52

o Gantt and PERT charts o Numerous others

• For information security program management, be familiar with: o Evaluation criteria o Cost/benefit analysis o Security architecture o Certification & accreditation o Technical project management

5. Architecture & Design: Intro • An information system’s architecture must satisfy the defined business and security

requirements.

• Security should be built into an information system by deign

• When designing system architecture, security and business requirements need to be carefully balanced.

• Tradeoffs are involved in reaching a balance between security and business requirements.

• The requirements of an information system are driven by the security policy of the organization that will use the system.

• To incorporate the abstract goals of a security policy into an information system’s architecture, you will need to use security models.

• A security model lays out the framework and mathematical models that act as security-related specifications for a system architecture

• The system architecture, in turn, is the overall design of the components – such as hardware, operating systems, applications, and networks – of an information system. This design should meet the specifications provided by the security model.

Architecture Components

• Enterprise architecture that is a representation of the mode of operation of an enterprise. This mode of operation needs to be derived systematically.

• Network architecture that describes how various entities in a network communicate with each other. It also defines if a system is an open system or a closed system.

• Platform architecture that describes how a system optimally uses system resources, such as storage devices, input/output (I/O) devices, memory management, CPU states, operating system, and various utilities.

• Protection mechanisms refer to the mechanisms needed to protect the system and ensure that all the objects in the system are separated.

• Security models refer to methods to integrate security into a system’s architecture. Some common security models are Bell-LaPadula, Biba, and Clark-Wilson

*Security architecture is part of the overall architecture of an information system. It directs how the components included in the system architecture should be organized to ensure that security requirements are met. The security architecture of an information system should include:

• A description of the locations in the overall architecture where security measures should be placed

• A description of how various components of the architecture should interact to ensure security

• The security specifications to be followed when designing and developing the system.


IVAN V. S Page | 53

6. Architecture & Design: Hardware Computer Architecture

• It comprises all the parts in a computer system that are necessary for it to function. Such parts include the operating system, memory chips, logic circuits, storage devices, I/O devices, security components, buses, and networking components.

• The Central Processing Unit (CPU) – processes the instructions provided by the

various application/programs. To do this the CPU needs to access such instructions from their memory locations.

• The CPU can access the memory locations in its cache, along with memory locations in the random access memory (RAM). These types of memory are called primary memory.

• The major components: o The arithmetic logic unit (ALU) – the brain of the CPU o Control unit (coordinates instruction execution in and out of RAM) o Registers that act as temporary memory locations and store the memory

addresses of the instructions and data that needs processing by the CPU. (waiting room for CPU, information waiting to be processed)

• Program: an application

• Process: a program loaded into memory

• Thread: each individual instruction within a process

• Multiprogramming: no true isolation, enables multitasking (more than 2 programs at

the same time)

• Multiprocessing: more than one CPU (multiple units of code running at the same

time)

• Multithreading: in the past multiple CPUs were needed. Today multi-core processors

provide this.

• Operating System Architecture

• Process Activity

• Memory Management

• Memory Types: RAM, ROM, etc.

• Virtual Memory

• CPU Modes & Protection Rings

7. Architecture & Design: CPU Modes & Protection Rings • Protection Rings provide a security mechanism for an operating system by creating

boundaries between the various processes operating on a system and ensures that processes do not affect each other or harm critical system components.

• Ring 0 – operating system kernel (supervisor/privilege mode)

• Ring 1 – remaining parts of the operating system (OS)

• Ring 2 – operating system and I/O drivers and OS utilities

• Ring 3 – applications (programs) and user activity


IVAN V. S Page | 54

• • *outer layer cannot access inner layer without an interface; inner layer can access

everything outer.

• Protection mechanisms o TIP: think of processes as kids and how then want attention, how do you

effectively divide that attention with the right resources. o Domain o Layering & data hiding o Virtual machines

▪ A virtual machine is a simulated real machine environment created to simultaneously run multiple applications on a computer.

o Additional storage devices o Input / output device management

System Architecture

• Defined subset of subjects and objects

• Trusted Computing Base (TCB)

• Security perimeter o It delineates the trusted and the untrusted components within a computer

system.

• Reference Monitor (the law)

o This reference monitor is an abstract machine concept that mediates all access between subjects and objects.

• Security Kernel (the police that enforce the law)

o The security kernel enforces the reference monitor concept: ▪ Must facilitate isolation of processes ▪ Must be invoked at every access attempt ▪ Must be small enough to be tested and verified in comprehensive

manner

• Security policy – a set of rules on how resources are managed within a computer system

Security Models

• The function of a security model is to: o Map the abstract goals of a security policies to an information system. o Specify mathematical formulae and data structures for implementing security

policy goals.


IVAN V. S Page | 55

• While a security policy states goals without specifying how to accomplish them, a security model specifies a framework to implement these goals.

• An organization can use different types of security models. However, it is very important for security personnel to understand the different security models to protect the organization’s resources.

• For example; the security model that a military organization uses is quite different from that of a commercial entity, due to the variations in the types of data.

• Security model can be formal when it is based on pure mathematical implementation of security policies and assure high security. For example, in military systems, air controller systems, etc.

• Security Model is informal when it merely describes how to express and execute security policies.

8. Architecture & Design: Integrity Models *models are used to architect secure systems Bell-LaPadula Model

Biba Model

Clark-Wilson Model


IVAN V. S Page | 56

8. Architecture & Design: Evaluation Criteria Why Evaluate?

• To carefully examine the security-related components of a system

• Trust vs. assurance

• The orange book (TCSEC) – old o Designed to just address confidentiality of a system o Based on Bell-LaPadula model o Uses a hierarchically ordered series of evaluation classes (the lower the

number, the less secure) ▪ A1 – verified protection ▪ B1, B2, B3 – mandatory protection ▪ C1, C2 – discretionary protection ▪ D – minimal security

• The orange book & the rainbow series

• ITSEC (information technology security evaluation criteria)

• Common criteria

• RMF (risk management framework) – becoming the modern standard

9. Architecture & Design: Assurance • Trust tells us function of the system.

• Assurance tells us the reliability of the process.

• Evaluation criteria are used to determine trust (function) and assurance.


IVAN V. S Page | 57

Common Criteria (CC)

• ISO (15408) Standard created in 1993 for global security evaluation

• Made up from TCSEC, ITSEC, and the Canadian version

• Components:

• Protection Profile – a set of security requirements and objectives for the system

• A protection profile consists of: o Descriptive elements – contains the name of the profile and the description of

the security problem to be solved. o Rationale – justifies the profile and provides a detailed description of the real-

world problems that need to be solved. o Functional requirement – establishes a protection boundary that the product

must provide o Development assurance requirements – identify the requirements for the

various phases of the product o Evaluation assurance requirements – establish the type and intensity of the

evaluation

• Common criteria ratings (EAL) o EAL (evaluation assurance level) 1-7

▪ 1 – functionally tested ▪ 2 – structurally tested ▪ 3 – methodically tested and checked ▪ 4 – methodically designed, tested, and reviewed ▪ 5 – semi formally designed and tested ▪ 6 – semi formally verified designed and tested ▪ 7 – formally verified designed and tested

o Overview: ▪ Client produces a protection profile that’s their list of requirements ▪ Vendors provide a target of evaluation, which is a system to meet those

requirements as well as a security target that details how the requirements and protection will be met.

▪ The vendor may include other evaluation packages ▪ Then submitted for 3rd party audit; the auditor identifies both trust

(functionality) and assurance and assigns an EAL rating

• Ideally, we look towards certification & accreditation before putting a system in place

• Once a product passes certification, it goes through accreditation – if approved my management, then the product is chosen / implemented.

10. Architecture & Design: Review • For system architecture & design, understand the core concepts of:

o Elements of system architecture o Protection mechanisms o Security kernel and reference models o Security models o Evaluation criteria

• All of this ensures the secure design of a system.


IVAN V. S Page | 58

II. RISK MANAGEMENT FRAMEWORK:

1. Introduction Governance vs. Management

• Governance:

o Are we doing the right things? o Are we doing things right? o Are we getting things done well? o Are we maximizing the benefits?

• Management: planning, building, running and monitoring per the directions

established and in compliance to governance. Definitions

• Asset: any item of value to the organization

• Vulnerability:

o Internal weakness o External lack of protection

• Threat: a negative risk event that threatens an objective

• Risk: the likelihood of a threat compromising an asset

• Risk management: activities implemented to direct and control an enterprise in

relation to risk

• Probability: the likelihood of an event

• Impact: how much will the output be affected?

• Secondary risk: created when one risk response created another risk event

• Residual risk: after a risk response is applied, residual risk is what remains

• Remember, our goal is not to eliminate all risks, but to effectively address them IT Risk

• IT security is based on risk management approach

• Risk = Probability * Impact

• Identify and valuate assets, identify and valuate threats, find a cost-effective solution

• Continue to monitor risks and review periodically or in the event of a risk change o Control risk: controls are chosen to mitigate risk, but if incorrect controls are

chosen, configured incorrectly, or if it does not work properly, the control will fail.

o Project Risk: much work within IT is managed as a project. Identifying risks early and often increase the chance of a project being successful.

o Change risk: few environments are static. As technology or the environment changes, new risks appear.

IT Risk Management:

5. Risk Monitoring & Reporting

4. Risk Response

3. Risk Assesment

2. Risk Identification

1. Introduction


IVAN V. S Page | 59

• Implements a risk strategy as defined by governance and is indicative of the culture, appetite and tolerance. It will consider the technology and budget (cost/benefit analysis) and addresses compliance with corporate policy.

• A cyclical process of Risk Identification, Risk Assessment, Risk Mitigation, and Ongoing Monitoring

• Failure to perform anyone of these elements will leave an organization vulnerable Sources of IT Risk:

• Insider threats

• Outsider threats

• Hardware failures

• Resource failure

• Vendors

• Changing environment

• Many others Benefits of Risk Management:

• Better oversight of organizational assets

• Minimizing loss

• Identification of threats, vulnerabilities, and risks

• Prioritization of risk responses

• Legal and regulatory compliance

• Increased likelihood of project success

• Increased confidence of customers and shareholders

• Better incident management

• Better ability to meet business objectives The Relationship of Business Continuity & Risk Management

• Risk management is usually a precursor to Business continuity

• Risk deals more closely with high to medium likelihood events

• Business continuity tends to deal with events that have a lower likelihood, but have

a high impact

• Business continuity is a “safety net” under risk management IS Audit

• IS audit providing the assurance to management of the effectiveness of the IS

controls in place, IT Risk management and compliance

• Part of due diligence

• Methodical and structured review to validate compliance Gap Analysis

• Determine desired position

o Business objectives o Laws and regulations

• Determining current position

o Internal audits

• Close the Gap

o Prioritize based on business and risk

2. Risk Identification • Identify relevant standards and frameworks and practices

• Apply risk identification techniques

• Distinguish between threats and vulnerabilities


IVAN V. S Page | 60

• Identify relevant stakeholders

• Discuss risk scenario development tools and techniques

• Key risk management concepts

• Risk registers

• Risk awareness Risk Management Frameworks:

• COBIT 5 for RISK

• COSO (Committee for Sponsoring Organizations of the Treadway Commission

• ISO Standards 27005

• NIST SP 800-30 Guide for Conducting Risk Assessments

• NIST SP 800-39 Managing Information Security Risks PLAN-DO-CHECK-ACT Model:

Capability Maturity Model Integration

• Carnegie-Mellon Software Engineering Institute (SEI)

• A process improvement maturity model for development of products and services ISO 27005 Information Security Risk Management

• Risk context, assessment, identification, analysis, evaluation, treatment, acceptance, communication & consultation, monitoring and review

• Risk Context

o Set the criteria for information security management (criticality, scope, boundaries)

o Determine company’s philosophy toward risk o Look at regulatory and legislative drivers o Look at existing frameworks in place (ISO 9000, Six sigma, CMMI) o Establish an appropriate cross-functional group to the risk assessment

• Risk Assessment

o Identify assets o Valuate assets o The valuation of your assets will drive the amount you will spend to protect

them. Use the expertise of your management staff or outsource this skill for accurate estimates.

• Risk Identification

o Look at your assets in terms of: vulnerabilities, threats, existing controls and their effectiveness, impact

• Risk Analysis

o Probability, Impact, Qualitative Analysis, Quantitative analysis

Plan: Establish

ISMS

Do: Implement & Operate

ISMS

Check: Monitor & Review ISMS

Act: Maintain & Improve

ISMS


IVAN V. S Page | 61

• Risk Evaluation o Comparing probability and impact of risks to risk criteria o Prioritizing risk elements o Identifying risk triggers

• Risk Treatment o Risk modification: reduce the probability and/or the impact of a risk o Risk retention: sometimes with research it is determined that it is cheaper to

pay the costs over time, than transfer a risk. EX: Insurance deductibles o Risk avoidance: don’t attempt the action as the risk is too high o Risk sharing or transference: Insurance or SLAs o Risk acceptance: when the cost of the countermeasure is greater than the

potential for loss, it may be smart to accept the risk. A Risk Management Program Should be…

• Comprehensive and complete

• Auditable

• Justifiable

• Legal

• Monitored

• Enforced

• Up to date

• Managed Methods to Identify Risks

• Investment risk: will the investment in IT services and controls pay off?

• Access or security risk: unauthorized access to system resources?

• Disclosure risk: breach in confidentiality

• Integrity risk: modification of data

• Relevance risk: not getting the right information to the right people at the right time

• Availability: timely access to resources

• Infrastructure risk: is the current environment capable of meeting the business

objectives and goals for the organization

• Project risk: will IT projects meet their goals

• *Utilize a risk register IT Strategy of the Business

• Drives the IT Risk Strategy

• Buy-in from and active support from senior management

• Alignment with Business Goals & Objectives necessary to prioritize risk responses to those areas with least tolerance for loss.

• Risk management centrally managed as an enterprise wide position (Chief Risk Officer)

The Role of InfoSec within an Organization

• Priority is to support the mission of the organization

• Require judgement based on risk tolerance of organization, cost and benefit

• Role of the security professional is that of a risk advisor, not a decision maker Best Practices (To Protect C-I-A)

• Separation of Duties (SOD)

• Mandatory vacations

• Job rotation

• Least privilege

• Need to know


IVAN V. S Page | 62

• Dual control Knowledge Transfer

• Awareness, Training, Education

• Usually, the weakest link in any organizational security policy are the people within the organization

• Loss is not always caused by malicious behavior

• The ultimate goal of knowledge transfer is to modify employee behavior Explaining How and Why

• Security Awareness Training:

o Employees cannot and will not follow the directives and procedures, if they do not know about them

o Employees will often find another mans of performing an action when their desired activity is blocked. Help them understand why we do what we do.

o Employees must know expectations and ramifications, if not met o Employee recognition award program o Part of due care (action); (due diligence is research) o Administrative control

• Overriding benefits: o Modifies employee behavior and improves attitudes towards information

security o Increases the ability to hold employees accountable for their actions o Raises collective security awareness level of the organization

• Implementation o Avoid one-size-fits-all training o All users should go through basic security awareness training o Technicians/administrators should attend more technically focused o Managers should attend IT risk training

3. Risk Assessment • Risk assessment is the process used to identify and valuate a risk event.

Risk Identification vs Risk Assessment

• Identification has a focus on determining and documenting the types of risks that can

affect an organization. We enumerate risks in identification

• Assessment is a means of evaluating the risk and its potential affect. Usually, we look

to learn a risk value from assessment NIST 800-100 Risk Assessment:

1. System characterization o What is the use for them system? o What classification of data does the system hold? o What impact would result if the system became compromised?

2. Threat identification 3. Vulnerability identification 4. Control analysis

o Probability: how likely an event is to occur o Impact: how much damage will be done o Risk Value:

• Qualitative Analysis:

o Subjective o Opinion based


IVAN V. S Page | 63

o SME’s are often queried using the Delphi method o Used to identify and start to prioritize risks o This MUST come before Quantitative Analysis o Probability and impact matrix is often used

• Quantitative Analysis:

o Objective, fact-based o Requires more skill and expertise o Business decisions should be made on quantitative analysis o Is the basis for cost/benefit decisions?

• Quantitative analysis Formulas & Definitions: o (AV) Asset Value: dollar figure that represents what the

asset is worth to the organization o (EF) Exposure Factor: the percentage of loss that is

expected to result in the manifestation of a risk event. o (SLE) Single Loss Expectancy: dollar figure that

represents the cost of a single occurrence of a threat instance

o (AR) Annual Rate of Occurrence: how often the threat is expected to materialize

o (ALE) Annual Loss Expectancy: cost per year because of the threat

o (TCO) total cost of ownership: the total cost of implementing a safeguard. Often in addition to initial costs, there are ongoing maintenance fees as well.

o (ROI) Return on Investment: amount of money saved by implementation of a safeguard. Sometimes referred to as the value of the safeguard/control.

o SLE = AV * EF o ALE = SLE * ARO o TCO = Initial cost of control + yearly fees o Return on Investment:

▪ ALE (before implementing control) ▪ - ALE (after implementing control) ▪ - cost of control ▪ = ROI (Value of Control)

5. Control Recommendations o Cost/benefit analysis o How much security is enough? (JUST ENOUGH) o What helps us make these decisions?

6. Documentation Results Documentation

• Risk register

• Probability and Impact matrix (temperature matrix)

• EMV (expected monetary value) analysis

• Decision tree analysis

• Ishakawa / fishbone (cause & effect) diagram

• Delphi technique Information Security Controls

• Understand the categories of controls

• Control administration


IVAN V. S Page | 64

• Identity management controls

• Cryptographic controls

• Network access controls

• Testing controls o Vulnerability assessment o Penetration testing

• Best approach is a layered defense! Control categories

• Preventive (gate, fence)

• Deterrent (lighting, signs)

• Corrective (quarantine)

• Detective (audit logs)

• Directive (employee handbooks)

• Compensating

• Recovery (data backups, RAID)

• *Controls can present a considerable risk if they are not configured properly or if they fail


IVAN V. S Page | 65

ISO and NIST Control Categories

Layered Defense (defense in depth)

• Policies

• Firewalls

• IDS/ IPS

• Router / Switch

• Application

• Middleware

• Operating system

• Other hardware Enterprise Risks: Hardware

• Outdated

• Poorly maintained

• Misconfigured hardware

• No configuration management

• Poor asset control

• Physically accessible

• Unauthorized hardware Enterprise Risks: Hardware

• Logic flaws

• Unpatched systems

• Disclosure of sensitive information

• Improper access control

• Loss of source code

• Lack of bounds checking

• Lack of input validation Enterprise Risk: Databases

• Code injection

• Scripting

• Aggregation

• Inference

• Entity, semantic, and referential integrity


IVAN V. S Page | 66

Enterprise Risks: Utilities

• Power o Spikes o Surge o Sag o Brownout o Fault o Blackout

• HVAC (heating, ventilation, air-conditioning)

• Humidity

• EMI (electromagnetic interference)

• RFI (radio frequency interference) Enterprise Risks: Network Components

• Cable

• Hubs

• Switches

• Routers

• Firewalls

• Proxies

• Network services

• Wireless communication Enterprise Risk: Users

• Internal theft

• Fraud

• Salami attacks

• Data diddling

• Falsification of timesheets

• Compromise of sensitive information

• Disgruntled employees

4. Risk Response / Mitigation • Risk Response: to determine risk strategies and evaluate their effectiveness to

manage risk to a level in alignment with business objectives

• Risk response strategies:

o Reduce (risk avoidance) o Transfer o Accept

• Risk reduction through: o Policies o Technology

• When risk management fails…business continuity saves the day!

• *Risk management should always be dependent on cost/benefit analysis SP800-100 Risk Mitigation:


IVAN V. S Page | 67

Risk Reduction

• Lesson the probability and/or impact of a risk event

• Sometimes referred to as risk mitigation

• A very frequent response to risk

• Remember, we don’t usually think about risk elimination, usually we strive to reduce risk to acceptable levels

• *The ultimate risk reduction is risk avoidance Risk Transference

• Sharing the potential for loss with someone else o Insurance o Service level agreements o Contract modification

• *Transference doesn’t lessen the probability or impact of the risk. It simply decreases your share of the loss.

Risk Acceptance

• When the cost of the countermeasure is greater than the potential for loss, one may choose to accept the risk

• True risk acceptance requires due diligence and proof that this is a good decision, to be less likely to be liable for damages

Risk Mitigation Through Policies

• Separation of Duties: prevents any one person from becoming too powerful within an

organization. This policy also provides singleness of focus. For instance, a network admin who is concerned with providing users access to resources should never be the security admin. This policy also helps to prevent collusion as there are many individuals with discrete capabilities. Separation of duties is a preventative control.

• Dual Control: requiring more than one user to perform a task. M of N control, and split

knowledge are types of dual control.


IVAN V. S Page | 68

• Mandatory Vacation: prevents an operator from having exclusive use of a system. Periodically that individual is forced to take a vacation and relegate control of the system to someone else. This policy is a detective control.

• Job rotation: similar in purpose to mandatory vacations, but with the added benefit of

cross-training employees.

• Least privilege: allowing users to have only the required access to do their jobs.

• Need to know: in addition to clearance, users must also have “need to know” to

access classified data

• Strong configuration management/change control policies are important to

promote network and system stability.

• Acceptable Use Policies: alert users as to how company resources are to be utilized

• Data classification policy: provides guidance on requirements for the classification

of materials and other guidelines related to baseline security

• Data Privacy: details how sensitive information is to be protected

• Computer ownership: addresses who owns company issued

computers/laptops/devices, etc.

• Data ownership: addresses who owns the data that the company works with. For

instance, is a patient the owner of his healthcare record, or is it the hospital? Risk Mitigation through Technology

• Access Control

o IAAA o Centralized vs Decentralized

• Network devices

o Firewalls o IDS/IPS o Audit logs o Honeypots/honeynets

• Cryptography Access Control

• Access is the data flow between a subject and an object. o Subject Is active – a person, process, or program, o Object is passive – a resource (file, printer, etc.) o Access control should support the CIA triad and regulate what a subject can do

with an object

• IAAA of access control: o Identification: make a claim (user ID etc.)

▪ public information (usually we aren’t concerned with protecting identities)

▪ identification must be unique for accountability ▪ standard naming schemes should be used ▪ identifier should not indicate extra information about user (like job

position)

• User ID, Account #, RFID, IP or MAC address o Authentication: provide support (proof) for your claim

▪ Proving your identity:

• Type 1: something you know o Passwords/passphrases/cognitive password

• Type 2: something you have o Token, card, certificate, cookies, cryptographic key

• Type 3: something you are


IVAN V. S Page | 69

o Biometrics o Authorization: what rights and permissions you have

▪ Utilize principle of least privilege and need to know o Auditing: accountability – matching actions to subject

▪ internal audit of control objectives, controls, processes and procedures of its ISMS:

• conform to the requirements of this international standard and relevant legislation or regulations

• conform to the identified information security requirements

• are effectively implemented and maintained

• perform as expected ▪ management review ▪ general

• defining review policy

• schedule at least once a year or as risks change ▪ inputs

• audits

• other stakeholder feedback ▪ outputs

• improvement plans

• other remediation ▪ Gap analysis

• Determine desired position

• Business objectives

• Laws and regulations ▪ Determining current position

• Internal audits ▪ Close the gap

• Prioritize based on business and risk Network Devices: Firewalls

• Firewalls enforce network policy

• Usually firewalls are put on the perimeter of a network and allow or deny traffic based on company or network policy

• Must have IP forwarding turned off*

• Firewalls are often used to create a DMZ.

• Generally, are dual/multi homed* (have multiple interfaces)

• Types of firewalls:


IVAN V. S Page | 70

o Packet filtering ▪ Uses access control lists (ACLs), which are rules that a firewall applies

to each packet it receives ▪ Not stateful, just looks at the network and transport layer packets (IP

addresses, ports, and “flags”)

• Does not look in the application, cannot block viruses, etc.

• Generally, does not support anything advanced or custom o Stateful

▪ Router keeps track of connections in a table. It knows which conversations are active, who is involved etc.

▪ It allows return traffic to come back where a packet filter would have a specific rule to define returned traffic

▪ More complex, and can launch DoS against by trying to fill up all the entries in the state tables/use up memory.

▪ If rebooted, can disrupt conversation that had been occurring ▪ Context dependent access control*

o Proxy ▪ Two types or proxies

• Circuit level

• Application ▪ both types of proxies hide the internal hosts/addressing from the

outside world o Dynamic packet filtering

• Firewalls can be used to create a DMZ

o A DMZ (demilitarized zone) is a buffer zone between an unprotected network and a protected network that allows for the monitoring and regulation of traffic between the two.

▪ Internet accessible servers (bastion hosts) are placed in a DMZ between the internet and internal network

• NAT/PAT

o a proxy that works without special software and is transparent to the end users.

o Remaps IP addresses, allowing you to use private addresses internally and map them to public IP addresses

o NAT (network address translation) allows a one-to-one mapping of IP addresses

o PAT port address translation) allows multiple private addresses to share one public address

Cryptography

• Plain text + initialization vector + algorithm + key = CIPHERTEXT

• Plain text Is unencrypted text

• Initialization vector (IV) adds randomness to the beginning of the process

• Algorithm is the collection of math functions that can be performed

• Key: instruction set on how to use the algorithm

• Symmetric cryptography

o Symmetric = same o In symmetric cryptography, the same key is used to both encrypt and decrypt o Very fast means of encrypting/decrypting with good strength for privacy o Proffered means of protecting privacy data o Also, can be called “Private Key” “Secret Key” or “Shared Key”


IVAN V. S Page | 71

• Drawbacks to symmetric cryptography o Out of band key exchange o Not scalable o No authenticity, integrity, or non-repudiation

• Asymmetric cryptography

o Every user has a key pair ▪ Public key is made available to anyone who requests it ▪ Private key is only available to that user and must not be disclosed or

shared o The keys are mathematically related so that anything is encrypted with one key

can only be decrypted by the other

• Hybrid cryptography in SSL/TLS

o Client initiates a secure connection o Server responds by sending its public key to the client o The client then generates a symmetric session key o Client encrypts uses the server’s public key to encrypt the session key o Client sends the session key (encrypted with the server’s public key) to the

server o Server uses its private key to decrypt the session o Now that a symmetric session key has been distributed, both parties have a

secure channel in which to communicate. Integrity

• Data gets modified

• Accidentally through corruption

• Intentionally through malicious alteration

• Hash: only good for accidentally modification

• MAC: provides reasonable authenticity and integrity not strong enough to be non-

repudiation (because it uses a symmetric key)

• Digital signatures: can detect both malicious and accidental modification, but

requires an overhead. Provides true non-repudiation. Hashing

• Digital representation of the contents of the file, aka message digest

• If the file changes, the hash will change

• One way math

• When two different documents produce the same hash, it is called a collision

• A birthday attack is an attempt to cause collisions. It is based on the idea that it is easier to find two hashes that happen to match than to produce a specific hash.

Digital Signature

• Message is hashed

• Hash is encrypted by sender’s private key

• SHA-1 is generally used for that hash

• RSA is the asymmetric encryption algorithm that encrypts the hash with the sender’s private key

Certificates

• X.509 v.4 standard

• Provides authenticity of a server’s public key

• Necessary to avoid MITM attacks with server’s using SSL or TLS

• Digitally signed by Certificate Authority (CA)


IVAN V. S Page | 72

PKI (Public Key Infrastructure)

• Certificate Authority (CA)

• Registration Authority (RA)

• Certificate Repository

• Certificate Revocation List Business Continuity and Disaster Recovery Planning

• Business Continuity Planning: focusing on sustaining operations and protecting the

viability of the business following a disaster, until normal business conditions can be restored. The BCP is an “umbrella” term that includes many other plan including the DRP. Long term focused.

• Disaster Recovery Planning: goal is to minimize the effects of a disaster and to take

the necessary steps to ensure that the resources, personnel and business processes can resume operations in a timely manner. Deals with the immediate aftermath of the disaster, and if often IT focused. Short term focused.

• Mitigate risks o Reduce negative effects:

▪ Life Safety is the NUMBER 1 PRIORITY ▪ Reputation: the second most important asset of an organization.

Though specific systems are certainly essential, don’t forget to focus on the big picture – protect the company as a whole

Business Continuity Planning

• Disaster recovery and continuity planning deal with uncertainty and chance o Must identify all possible threats and estimate possible damage o Develop viable alternatives

• Threat types:

o Man-Made: strikes, riots, fires, terrorism, hackers, vandals o Natural: tornado, flood, earthquake o Technical: power outage, device failure, loss of a T1 line

• Categories of disruptions

o Non-disaster (incident) ▪ Disruption of service ▪ Device malfunction

o Emergency/crisis ▪ Urgency, immediate event where there is the potential for loss of life or

property o Disaster

▪ Entire facility unusable for a day or longer o Catastrophe

▪ Destroys facility o A company should understand and be prepared for each category

• *ANYONE CAN DECLARE AN EMERGENCY, ONLY THE BCP COORDINATOR

CAN DECLARE A DISASTER

• ISO 27031 – framework for business continuity planning Business Continuity Plan: Sub Plans

• BRP (Business Recovery Plan)

o Purpose: provide procedures for recovering business operations immediately following a disaster


IVAN V. S Page | 73

o Scope: addresses business processes; not IT-focused; IT addressed based only on its support for business process

• COOP (Continuity of Operations Plan)

o Purpose: provide procedures capabilities to sustain an organization’s essential, strategic functions at an alternate site for up to 30 days.

o Scope: addresses the subset of an organization’s missions that are deemed most critical; usually written at headquarters level; not IT-focused

• Continuity of Support Plan/IT Contingency Plan o Purpose: provide procedures and capabilities for recovering a major

application or general support system o Scope: same as IT contingency plan; addresses IT system disruptions; not

business process focused

• Crisis Communication Plan o Purpose: provides procedures for disseminating status reports to personnel

and the public o Scope: addresses communications with personnel and the public; not IT

focused

• Cyber Incident Response Plan o Purpose: provides strategies to detect, respond to, and limit consequences

of malicious cyber intent o Scope: focuses on information security responses to incidents affecting

systems and/or networks

• DRP (Disaster Recovery Plan) o Purpose: provide detailed procedures to facilitate recovery of capabilities at

an alternate site o Scope: often IT-focused; limited to major disruptions with long-term effects

• OEP (Occupant Emergency Plan) o Purpose: provide coordinated procedures for minimizing loss of life or injury

and protecting property damage in response to a physical threat o Scope: focuses on personnel and property to the specific facility; not

business process or IT system functionality based. May also be referred to as Crisis or Incident Management plans. However, the OEP concept should be recognizable as the “initial response to the emergency event”

Roles & Responsibilities in the BCP

• Senior Executive Management o Consistent support and final approval of plans o Setting the business continuity policy o Prioritizing critical business functions o Allocating sufficient resources and personnel o Providing oversight for and approving the BCP o Directing and reviewing test results o Ensuring maintenance of a current plan

• Senior Functional Management o Develop and document maintenance and testing strategy o Identify and prioritize mission-critical systems o Monitor progress of plan development and execution o Ensure periodic tests o Create the various teams necessary to execute the plans

• BCP Steering Committee o Conduct the BIA (business impact analysis)


IVAN V. S Page | 74

▪ The BIA is all about identifying and prioritizing all business processes based on critically

o Coordinate with department representatives o Develop analysis group

▪ Plan must be developed by those who will carry out ▪ Representatives from critical departments

• BCP Teams o Rescue: responsible for dealing with the immediacy of disaster – employee

evacuation, “crashing” the server room, etc. o Recovery: responsible for getting the alternate facility up and running and

restoring the most critical services first o Salvage: responsible for the return of operations to the original or permanent

facility (reconstitution) [least critical services]

• Developing the Teams o Management should appoint members o Each member must understand the goals of the plan and be familiar with the

department they are responsible for o Agreed upon prior to the event:

▪ Who will talk to the media, customers, share holders ▪ Who will setup alternative communication methods ▪ Who will setup the offsite facility ▪ Established agreements with off-site facilities should be in place ▪ Who will work on the primary facility

7 Phases of BCP 1. Project initiation

• Obtain senior management’s support

• Secure funding and resource allocation

• Name BCP coordinate/project manager

• Develop project charter

• Determine scope of the plan

• Select member of the BCP team 2. Business impact analysis

• Initiated by BCP committee

• Identifies and prioritizes all business processes

• Addresses the impact on the organization in the event of loss of a specific services or process

i. Quantitative: loss of revenue, loss of capital, loss due to liabilities, penalties and fines, etc.

ii. Qualitative: loss of service quality, competitive advantage, market share, reputation, etc.

• Establish key metrics for use in determining appropriate counter measures and recovery strategy

• IMPORTANCE (relevance) vs. CRITICALITY (downtime) i. the auditing department is certainly important, though not usually

critical. *THE BIA FOCUSES ON CRITICALITY

• Key metrics to establish:

i. Service level objectives ii. RPO (Recovery Point Objective) iii. MTD (Maximum Tolerable Downtime)

1. RTO (Recovery Time Objective)


IVAN V. S Page | 75

2. WRT (Work Recovery Time) iv. MTBF (Mean Time Between Failures) v. MTTR (Mean Time to Repair) vi. MOR (Minimum Operating Requirements)

3. Recovery strategy 4. Plan design and development 5. Implementation 6. Testing 7. Maintenance

Elements of the Plan: Business Impact Analysis

• Management should establish recovery priorities for business processes that identify: o Essential personnel

▪ Succession plans ▪ MOAs/MOUs (memorandums of agreement/understanding)

o Technologies o Facilities o Communications systems o Vital records and data

• Results of the BIA contain:

o Identified ALL business processes and assets, not just those considered critical.

o Impact company can handle dealing with each risk o Outage time that would be critical vs those which would not be critical o Preventive controls o Document and present to management for approval o Results are used to create the recovery plans

• Identify recovery strategies

o When preventative controls don’t work, recovery strategies are necessary ▪ Facility recovery

• Subscription services

• Hot, warm, cold sites

• Reciprocal agreements

• Offsite facilities should be no less than 15 miles away for low to medium environments. Critical operations should have an office facility 50-200 miles away

• Reciprocal agreements: o How long will the facility be available to the company in

need? o How much assistance will the staff supply in the means

of integrating the two environments and ongoing support?

o How quickly can the company in need move into the facility?

o What are the issues pertaining to interoperability? o How many of the resources will be available to the

company in need? o How will differences and conflicts be addressed? o How long does change control and configuration

management take place? ▪ Hardware and software recovery


IVAN V. S Page | 76

• Technology recovery is dependent upon good configuration management documentation

• Hardware May include o PC’s/Servers o Network equipment o Supplies o Voice and data communications equipment o SLA’s can play an essential role in hardware recovery

▪ Personnel recovery

• Identify essential personnel – entire staff is not always necessary to move into recovery operations

• How to handle personnel if the offsite facility is a great distance away

• Eliminate single points of failure in staffing and ensure backups are properly trained

• Don’t forget payroll!

• ▪ Data recovery

• Data recovery options are driven by metrics established in the BIA (the MTD, RPO, etc.)

• Backups

• Database shadowing o Disk-shadowing o Updating one or more copies of data at the same time o Data saved to two media types for redundancy

• Electronic vaulting o Batch process of moving data o Transfer bulk backup information

• Remote journaling o Moves the journal or transaction log to a remote

location, not the actual files

• Plan and design development

o Now that all the research and planning has been done, this phase is where the actual plan is written

o Should address: ▪ Responsibility ▪ Authority ▪ Priorities ▪ Testing

• Implementation

o Plan is often created for an enterprise with individual functional managers responsible for plans specific to their departments

o Copies of plan should be kept in multiple locations o Both electronic and paper copies should be kept o Plan should be distributed to those with a need to know. Most employees will

only see a small portion of the plan o Three phases following a disruption:

▪ Notification/activation

• Notifying personnel, performing a damage assessment ▪ Recovery phase – failover


IVAN V. S Page | 77

• Actions taken by recovery teams and personnel to restore IT operations at an alternate site or using contingency capabilities – performed by recovery team

▪ Reconstitution – failback

• Outlines actions taken to return the system to normal operating conditions – performed by salvage team

• Testing

o Should happen once per year, or as the result of a major change (VERY TESTABLE)

o The purpose of testing is to improve the response (never to find fault or blame) o The type of testing is based upon criticality of the organization, resources

available and risk tolerance o Testing happens before implementation of a plan. The goal is to ensure the

accuracy and the effectiveness of the plan. Have a 3rd party auditor monitor how the plans are carried out.

o Types of tests: ▪ Checklist test

• Copies of plan distributed to different departments

• Functional managers review ▪ Structured walk-through (table top) test

• Representatives from each department go over the plan ▪ Simulation test

• Going through a disaster scenario

• Continues up to the actual relocation to an offsite facility ▪ Parallel test

• Systems moved to alternate site, and processing takes place there

▪ Full-interruption test

• Original site shut down

• All of processing moved to offsite facility o Post incident review; after a test or disaster has taken place:

▪ Focus on what happened ▪ What should have happened ▪ What should happen next ▪ Not whose fault it was; this is not productive!

• Maintenance

o Change management: ▪ Technical – hardware/software ▪ People, Environment, Laws

o Large plans can take a lot of work to maintain o Does not have a direct line to profitability o Keeping plan in date

▪ Make it a part of business meetings and decisions ▪ Centralize responsibility for updates ▪ Part of job description ▪ Personnel evaluations ▪ Report regularly ▪ Audits ▪ As plans get revised, original copies should be retrieved and destroyed


IVAN V. S Page | 78

5. Risk Monitoring & Reporting Intrusion Detection Systems

• Software is used to monitor a network segment or an individual computer

• Used to detect attacks and other malicious activity

• Dynamic in nature

• The two main types: o Network-based o Host-based systems (TCP Wrappers)

• Type of IDS: o Network-based ISD

▪ Monitors traffic on a network segment ▪ Computer or network appliance with NIC in promiscuous mode ▪ Sensors communicate with a central management console

o Host-based IDS ▪ Small agent programs that reside on individual computer ▪ Detects suspicious activity on one system, not a network segment

o IDS components: ▪ Sensors ▪ Analysis engine ▪ Management console

• Senor placement: o In front of firewalls to discover attacks being launched o Behind firewalls to find out about intruders who have gotten through o On the internal network to detect internal attacks o A good place to put sensors is in the DMZ

• Analysis engine methods: o Pattern matching

▪ Rule-based intrusion detection ▪ Signature-based intrusion detection ▪ Knowledge-based intrusion detection

o Profile comparison ▪ Statistical-based intrusion detection ▪ Anomaly-based intrusion detection ▪ Behavior-based intrusion detection

• Types of IDS o Signature based – most common

▪ IDS has a database of signatures, which are patterns of previously identified attacks. Cannot identify new attacks. Database needs continual updates.

o Behavior-based ▪ Compares audit files, logs, and network behavior, and develops and

maintains profiles of normal behavior. Better defense against new attacks. Creates many false positives.

o Today, we should be using a combination of both,

• IDS response options o Passive:

▪ Page or e-email admins; log events o Active:

▪ Send reset packets to the attacker’s connections ▪ Change a firewall or router ACL to block an IP address or range


IVAN V. S Page | 79

▪ Reconfigure router or firewall to block protocol being used for attack

• IDS Issues o May not be able to process all packets on large networks

▪ Missed packets may contain actual attacks ▪ IDS vendors are moving more and more to hardware-based systems

o Cannot analyze encrypted data o Switch-based networks make it harder to pick up all packets o A lot of false alarms o Not an answer to all prayers

▪ Firewalls, anti-virus software, policies, and other security controls are important

• Utilize for continuous monitoring: o IDS/IPS monitoring o Vulnerability assessments o Penetration testing

III. ACCESS CONTROL & IDENTITY MANAGEMENT:

1. Defining Identity & Access Management • Authentication and Identity Management

o Identification: making a claim o Authentication allows users to support the claim of their identity o Identity and access management

▪ Services/policies/procedures for managing a digital identity/provisioning o Security controls (including management) are audited annually under

Sarbanes-Oxley (SOX)

1. Defining Identity & Access

Management

2. Core Security Requirements

3. Access Control Models

4. Authentication TYPE I

5. Authentication TYPE II

6. Authentication TYPE III

7. Access Control Methods

8. Review


IVAN V. S Page | 80

Credential Management

• Exploits o MITM & traffic hijacking o Unauthorized access o Privilege escalation

• Solutions o Certificates o Single sign on

2. Core Security Requirements Authenticity (example requirements)

• Users must provide authentication information at login, but shall not have to provide this information for subsequent access to intranet resources

• For access to financially sensitive information, subjects shall be required to authenticate via a smart card and a PIN

• Internal and External users should be able to access the software

• Mutual authentication will be supported through the use of certificates Authorization

• Confirms that an authenticated entity has the privileges and permissions necessary

• CRUS operations - (Create, Read, Update, Delete)

• Access control models: o DAB: discretionary access control o MAC: mandatory access control o RBAC: role based access control o RuBAC: rule based access control (typically on firewalls)

• Example requirements: o Access to highly sensitive information will be restricted to users with Secret or

Top Secret clearance o Unauthenticated users will only have read permission to public access pages o Only those with administrative credentials will be able to modify files

Accountability

• Tracing an action to a subject – also known as auditing

• Must include the following: o Identity of subject o The action o Object on which the action was performed o Timestamp

• Examples requirements: o All failed logon attempts will be logged with timestamp and source IP address o Audit logs should not overwrite previous events. They should append to

previous entry and alert admin when space becomes limited o Audit logs must be retained for one year

3. Access Control Models DAC

• Discretionary Access Control o Security of an object is at the owner’s discretion o Access is granted through an ACL (access control list) o Commonly implemented in commercial products and all client based systems


IVAN V. S Page | 81

o Identity based o Almost all client, and many servers based systems use DAC for its ease of use

and sharing capabilities MAC

• Mandatory Access Control o Data owners cannot grant access o OS makes the decision based on a security label system o Subject’s label must dominate the object’s label o Users and data are given a clearance level (confidential, secret, top secret,

etc.) o Rules for access are configured by the security officer and enforced by the OS o MAC systems are for very secure environments and rely on labels

RBAC

• Role Based Access Control o Based on role of user within the organization, good for preventing authorization

creep. o RBAC is sometimes referred to as Non-Discretionary Access Control because

the owner of an object does not control access. Each role as a set of rights and permissions which cannot be changed (without security admin’s involvement.)

4. Authentication TYPE I Proving your identity

• Type 1: something you know

• Type 2: something you have

• Type 3: something you are Type 1:

• Passwords/passphrases/cognitive password/PINs

• Best practices o No less than 8 characters o Change on a regular basis o Enforce password history o Consider brute force and dictionary attacks o Ease of cracking cognitive passwords o Graphic image o Enable clipping levels and respond accordingly

5. Authentication TYPE II Something you have

• Token devices

• Smart card

• Memory card

• Hardware key

• Cryptographic key

• Certificate

• Cookies Token devices: one time password generators

• One time password reduces vulnerability associated with sniffing passwords

• Simple device to implements


IVAN V. S Page | 82

• Can be costly

• Users can lose or damage

• Two types: synchronous/asynchronous Synchronous token devices

• Rely upon synchronizing with authentication server

• Frequently time based, but could be event based

• If damaged, or battery files, must be-resynchronized

• Authentication server knows what “password’ to expect based on time or event Asynchronous token devices

• Aka challenge response

• User logs in

• Authentication returns a challenge to the user

• User types challenge string into token device and presses enter

• Token devices returns a reply

• Only that specific users token device could respond with the expected reply

• More complex than synchronous

• May provide better protection against sniffing Memory cards

• Holds information, does not process

• A memory card holds authentication info, usually you’ll want to pair this with a PIN

• A credit card or ATM card is a type of memory, so is a key/swipe card

• Usually insecure, easily copied* Smart card (191)

• More secure than memory cards

• Can process information

• Includes a microprocessor

• Often integrated with PKI

• Two types: o Contact o Contactless

• ATTACKS o There are attacks against smart cards o Fault generation – manipulative environmental controls and measure errors to

reverse engineer logic o Side channel attacks – measure the cards while they work

▪ Differential power analysis – measure power emissions ▪ Electromagnetic analysis – example frequencies emitted

o Micro probing – using needles to vibrations to remove the outer protection on the cards circuits. Then tap into ROMS if possible or “die” ROMS to read data.

6. Authentication TYPE III Something you are

• Biometrics o Static: should not significantly change over time. Bound to a user’s

physiological traits: fingerprint, hand geometry, iris, retina, etc. o Dynamic: based on behavioral traits

▪ Voice, gait, signature, keyboard cadence, etc.


IVAN V. S Page | 83

▪ Even though these can be modified temporarily, they are very difficult to modify for any significant length of time

Biometric concerns

• Accuracy o Type I error: false rejection – a legitimate user is barred from access. Is

caused when a system identities too much information. This causes excessive overhead.

o Type II error: false acceptance – an imposter is allowed access. This is a security threat and comes when a system doesn’t evaluate enough information

o As FRR goes down, FAR goes up and vice versa o The level at which the two meet is called the CER (crossover errors rate). The

lower the number, the more accurate the system o Iris scans are the most accurate

o • User acceptance

• Many users feel biometrics are intrusive o Retina scans can reveal health care information

• Time for enrollment and verification can make user’s resistant

• Cost/benefit analysis

• No way to revoke biometrics

• Cost

• Biometric systems can be very costly and require unwieldy technology

• Though costs are coming down for means like fingerprint recognition, other technologies remain prohibitive

*The best authentication is the combination of 2 or more than one type, multifactor*

7. Access Control Methods Rule based access control

• Uses specific rules that indicate what can and cannot transpire between subject and object.

• Also, called non-discretionary

• “if x then y” logic

• Before a subject can access an object, it must meet a set of predefined rules


IVAN V. S Page | 84

o Ex. If a user has proper clearance, and it’s between 9am – 5pm then allow access (context based access control)

• However, it does NOT have to deal specifically with identify/authorization o Ex. May only accept email attachments 5Mb or less

• Is considered “compulsory control” because the rules are strictly enforced and not modified by users.

• Routers and firewalls use rule based access control Constrained user interfaces

• Restrict user access by not allowing them to see certain data or have certain functionality

• Views – only allow access to certain data (canned interfaces)

• Restricted shell – like a real shell but only with certain commands (like Cisco’s non-enable mode)

• Menu – similar but more “GUI”

• Physically constrained interface – show only certain keys on a keypad/touch screen. Like an ATM. (a modern type of menu) Difference is you are physically constrained from accessing them.

o

Content & context dependent access controls

• Content o Access is determined by the type of data. o Ex. Email filters that look for specific things like “confidential”, “SSN”, images. o Web proxy servers may be content based

• Context o System reviews a situation then makes a decision on access o a firewall is a great example of this, if session is established, then allow traffic

to proceed o in a web proxy, allow access to certain body imagery if previous web sessions

are referencing medical data otherwise deny access.

8. Identify & Access Management Review • IAAA (identification, authentication, authorization, accounting)

o Identification


IVAN V. S Page | 85

o Authentication ▪ Type I (something you know) ▪ Type II (something you have) ▪ Type III (biometrics)

o Single sign on (Kerberos)

• Access control models

• Access control methods

• Access control administration (RADIUS)

• Data emanation

IV. ASSET SECURITY FRAMEWORK

1. Roles & Responsibilities

• Senior/Executive Management o CEO: Chief Decision-Maker o CFO: Responsible for budgeting and finance o CIO: Ensures technology supports company’s objectives o ISO: Risk Analysis and Mitigation

• Steering Committee: Defines risk, objectives and approaches

• Auditors: evaluates business processes

• Data owner: classifies data

• Data custodian: day to day maintenance of data

• Network administrator: ensures availability of network resources

• Security administrator: responsible for all security-related tasks, focusing on Confidentiality

and Integrity. Responsibilities of the ISO:

• Responsible for providing C-I-A for all information assets

• Communication of Risks to senior management

• Recommend best practices to influence policies, standards, procedures, guidelines

• Establish security measurements

• Ensure compliance with government and industry regulations

• Maintain awareness of emerging threats

2. Data Classification

• Development of sensitivity labels for data and the assignment of those labels for configuring baseline security based on value of data

• Cost: value of the data

4. Configuration Management

3. States of Data

2. Data Classification

1. Roles & Responsibilities


IVAN V. S Page | 86

• Classify: criteria for classification

• Controls: determining the baseline security configuration for each

• Data owner determines the classification of data

• Data custodian maintains the data Considerations for Asset Valuation

• What makes up the value of an asset?

• Value to the organization

• Loss if compromised

• Legislative drivers

• Liabilities

• Value to competitors

• Acquisition costs • And many others

Sensitivity vs. Criticality • Sensitivity describes the amount of damage that would be done should the

information be disclosed • Criticality describes the time sensitivity of the data. This is usually driven by the

understanding of how much revenue a specific asset generates, and without that asset, there will be lost revenue.

3. States of Data

• At rest: File system encryptions, EFS (encrypted file system [Windows]), TPM (trusted platform module, allows whole drive encryption)

• In Process: Use proper controls

• In Transit: Use secure transit protocols; IPSec, SSL/TLS

4. Configuration Management

• System hardening & baselining o Removing necessary services o Installing the latest service packs and patches o Renaming default accounts o Changing default setting o Enabling security configurations like auditing, firewalls, updates, etc. o *Don’t forget physical security!

• Config Mgmt.: o Defined by ISC2 as “a process of identifying and documenting hardware

components, software and the associated setting.” o The goal is to move beyond the original design to a hardened, operationally sound

configuration o Identifying, controlling, accounting for and auditing changes made to the baseline

TCB o These changes come about as we perform system hardening tasks to secure a

system o Will control changes and test documentation through the operational life cycle of a

system o Implemented hand in hand with change control


IVAN V. S Page | 87

o ESSENTIAL to disaster recovery

• Configuration mgmt. documentation: o Make o Model o MAC address o Serial number o Operating system/firmware version o Location o BIOS or other passwords o Permanent IP if applicable o Organizational department label

• Change Management: o Directive, administrative control that should be incorporated into organizational

policy. o The formal review of all proposed changes – NO “on-the-fly” changes!

V. CRYPTOGRAPHY FRAMEWORK:

6. Historical Uses of Cryptography • Caesar Cipher

o Simple substitution o Shift characters 3 spaces o A=D, B=E, C=F, etc. o Substitution Ciphers are subject to pattern analysis

• Scytale Cipher

o Spartans used this cipher to communicate messages to generals in the field o Wrapped tape around a rod o Diameter of the rod is the pre-agreed upon secret (key)

• Vignere Cipher

o First polygraphic cipher o Key word is agreed upon ahead of time o First letter of the key is matched up against first letter of the message, and so

on

• Cryptography in warfare

o Enigma machine/purple machine

PKI Diagram

6. Hybrid Cryptography

5. Asymmetric Cryptography

4. Symmetric Cryptogrpahy

3. Definitions and Terms

2. Security Services Provided by Cryptography

1. Historical Uses of Cryptography


IVAN V. S Page | 88

o Used by the Germans/Japanese in WWII o Breaking the cryptography of these devices is credited with reducing the length

of the war.

• Vernam cipher

o One Time Pad o Only mathematically unbreakable form of cryptography

▪ Key must be used only once ▪ Pad must be at least as long as the message ▪ Kay pad is statistically unpredictable ▪ Key pad must be delivered and stored securely

7. Security Services Provided by Cryptography

• Privacy: prevents unauthorized disclosure of information

• Authenticity: verifies the claimed identity

• Integrity: detects modification or corruption

• Non-repudiation: combines authenticity and integrity. A sender can’t dispute having

sent a message, nor its contents.

8. Definitions & Terms • Conceptual crypto formula:

o Plain text + Initialization Vector + Algorithm (aka Cipher) + Key = Cipher Text Initialization Vector (Adding randomness to the start)

• Here are some random numbers: 7 5 2 3 4 9 4 o If we start at track 0 and +7 +5 -2 +3 +4 +9 -4 o We still don’t have randomness. Vary the starting point and that will make the

process more random.

• Very similar to a “seed” or a “salt” Algorithm

• Collection of all math functions that can be performed

• Desirable qualities of algorithm o Confusion: the strength of the math drives the complexity of the substitution o Diffusion: allows for the use of the plain text in the ciphertext o Avalanche o Permutations o Open – Kirchhoff’s principle

Key

• Desirable qualities of a key o Long o Random o Secret

Breakdown:


IVAN V. S Page | 89

9. Symmetric Cryptography 1. Symmetric = same 2. In symmetric cryptography, the same key is used to both encrypt and decrypt 3. Very fast means of encrypting/decrypting with good strength for privacy 4. Proffered means of protecting privacy data 5. Also, can be called “Private Key” “Secret Key” or “Shared Key” 6. Drawbacks to symmetric cryptography

o Out of band key exchange o Not scalable o No authenticity, integrity, or non-repudiation

10. Asymmetric Cryptography 1. Every user has a key pair

o Public key is made available to anyone who requests it


IVAN V. S Page | 90

o Private key is only available to that user and must not be disclosed or shared

2. The keys are mathematically related so that anything is encrypted with one key can only be decrypted by the other

11. Hybrid Cryptography 1. Client initiates a secure connection 2. Server responds by sending its public key to the client 3. The client then generates a symmetric session key 4. Client encrypts uses the server’s public key to encrypt the session key 5. Client sends the session key (encrypted with the server’s public key) to the server 6. Server uses its private key to decrypt the session 7. Now that a symmetric session key has been distributed, both parties have a

secure channel in which to communicate.


IVAN V. S Page | 91

cybersecurity network defense & enterprise … · cybersecurity network defense &...

Documents