Fundamentals of Cybersecurity
CIO responsibilities
1. Monitoring the reliability of cyber-security. 2. Robustness of cyber-crime protection 3. Up-time availability of network services 4. Installation of trusted backup capabilities 5. Designs for systems redundancy. 6. Capacity for recovery from extreme failures
the three characteristics of information security that make it impossible to buyoff the shelf information security solutions
1. The collection of influences to which each organisation is exposed varies with the organisation: the information technology that it uses, its personnel, the area in which it does business, its physical location - all these have an effect on information security. 2. Information security affects every structural and behavioural aspect of an organisation: a gap in a security fence can permit information to be stolen; a virally infected computer connected to an organisation's network can destroy information; a cup of coffee spilt on a computer keyboard can prevent access to information. 3. Each individual that interacts with an organisation in any way - from the potential customer browsing the website, to the managing director; from the malicious hacker, to the information security manager - will make his or her own positive or negative contribution to the information security of the organisation.
the two important characteristics of information that determine its value to an organization
1. the scarcity of the information outside the organisation 2. the shareability of the information within the organisation, or some part of it. these characteristics state that information is only valuable if it provides advantage or utility to those who have it, compared with those who don't.
internet liabilities
17,000 partially secure, poorly connected networks with practically unlimited number of unverifiable points of access The most frequently used security protocol (SSL - Secure Socket Layer authenticates destination servers but not the ending sources Networks are mostly small, with large ISPs managing less than 10% of network traffic Performance of the network depends on peering relationships between ISP (Information Service Providers), each providing network capacity and router switching capacity Delivery of packets cannot be guaranteed because network performance determined by routers that may not have sufficient capacity to handle traffic spikes. The (BGP Border Gateway Protocol are ISP instructions for forwarding packets from one network link to another. BGP is unreliable if router tables are in error. Average broad-band web-page download time to LAN can be well ober 0.5 seconds, if message "packet" traverses several "hops" (DNS) Domain Name System can be compromised, by diversion of communications Software robots (Botnets) can automatically proliferate and convey destructive software such as worms, rootkits, or parasitic malware such as Trojans for finding backdoors into computers Denial of service attacks can be launched.
Kerckhoffs' principle
A cryptosystem should be secure even if everything about it is public knowledge except the secret key. Do not rely on "security through obscurity."
Have a DRP
A disaster recovery plan will help you protect your assets. Disaster prevention can come in the form of high availability, redundancy and backup. With redundancy, whether it is active redundancy or redundancy in the form of spares ready for placement, you should have some kind of disaster recovery plan in case a threat emerges and your systems and data are at risk. To secure your assets, you will need to perhaps be able to replace them or restore them quickly. The most common form would be a 'reliable' data backup that is tested for efficiency and reliability.
stateful inspection
A newer method that doesn't examine the contents of each packet but instead compares certain key parts of the packet to a database of trusted information. Information traveling from inside the firewall to the outside is monitored for specific defining characteristics, then incoming information is compared to these characteristics. If the comparison yields a reasonable match, the information is allowed through. Otherwise it is discarded.
LUC
A public-key cryptosystem designed by P.J. Smith and based on Lucas sequences. Can be used for encryption and signatures, using integer factoring
Cramer-Shoup
A public-key cryptosystem proposed by R. Cramer and V. Shoup of IBM in 1998.
Public Key Cryptography Standards (PKCS)
A set of interoperable standards and guidelines for public-key cryptography, designed by RSA Data Security Inc.
Data Encryption Standard (DES)
A strong, standardized 56 bit cipher designed for modern computers, this was orginally designed by IBM and called Lucifer, tweaked by the NSA and published in 1975, one of these keys was brute forced in 24 hours for 100K.
authentication data
A variable-length, 32-bit aligned field containing the Integrity Check Value (ICV) for this packet (default length = 96 bits). The ICV is computed using the authentication algorithm specified by the SA, such as DES, MD5, or SHA-1. Other algorithms may also be supported.
Message Authentication Codes
Alice and Bob share a secret key. Either can sign a message The recipient can verify the signature. Often built from other primitives Similar key distribution problems to ciphers
NIDS
An NIDS should best be describes as a standalone appliances that has network intrusion detection capabilities. A NDIS can also be a software package that you install on dedicated workstation that is connected to your network or a device that has the software embedded and is also connected to your network. The NIDS then scans any traffic that is transmitted over that segment of your network; the NIDS functions in very much the same way as high-end antivirus applications and it makes use of signature or pattern file method comparing each transmitted packet for patterns that may occur within the signature file. standalone appliances that has network intrusion detection capabilities
Secure HTTP
An extension to the HTTP protocol to support sending data securely over the web. Difference from SSL: SSL is designed to establish a secure connection between two hosts. SHTTP is designed to send individual messages securely. It provides a variety of security mechanisms to HTTP clients and servers. Does not require client-side public certificates (or public keys), as it supports symmetric key only operation modes. Provides full flexibility of cryptographic algorithms, modes, and parameters.
Destruction or Alteration of Configuration Information DOS attack
An improperly configured computer may not perform well or may not operate at all. An intruder may be able to alter or destroy configuration information that prevents you from using your computer or network.
LDAP
An internet directory service which is typically used by email systems to find more information about a user.
assets
Anything of value, a useful or valuable quality or thing; an advantage or resource. Again, in the IT realm, this would be considered data, the systems that the data is contained on or the infrastructure that connects such systems. Think of the costs associated with your infrastructure, the human resources needed to run them, and the data (your company data) that those systems contain. Most top level executives today are starting to see that all three pieces of this IT paradigm make up the whole... the systems, the people who run them and the data that they contain - in the real word production environments of businesses today, to not consider all three important assets is quite foolish, and together, that sum of the parts should be considered the 'complete asset'.
domain names
Because it is hard to remember the string of numbers that make up an IP address, and because IP addresses sometimes need to change, all servers on the Internet also have human-readable names, called domain names. For example, it is easier for most of us to remember www.howstuffworks.com than it is to remember 216.27.61.137. A company might block all access to certain domain names, or allow access only to specific domain names
burn-through
By lowering the pulse repetition frequency of a radio signal, the dwell time is increased, so the return signal is stronger—at the cost of less precision
consumption of scarce resources DOS attack
Computers and networks need certain things to operate: network bandwidth, memory and disk space, CPU time, data structures, access to other computers and networks, and certain environmental resources such as power, cool air, or even water. Network connectivity: The intruder is consuming kernel data structures involved in establishing a network connection. The implication is that an intruder can execute this attack from a dial-up connection against a machine on a very fast network. (This is a good example of an asymmetric attack.) Using your own resources against you: One example is that, the intruder uses forged UDP packets to connect the echo service on one machine to the chargen service on another machine. The result is that the two services consume all available network bandwidth between them. Thus, the network connectivity for all machines on the same networks as either of the targeted machines may be affected. Bandwidth Consumption: An intruder may also be able to consume all the available bandwidth on your network by generating a large number of packets directed to your network. Typically, these packets are ICMP ECHO packets, but in principle they may be anything. Further, the intruder need not be operating from a single machine; he may be able to coordinate or co-opt several machines on different networks to achieve the same effect. Consumption of other Resources: In addition to network bandwidth, intruders may be able to consume other resources that your systems need in order to operate. For example, in many systems, a limited number of data structures are available to hold process information (process identifiers, process table entries, process slots, etc.). An intruder may be able to consume these data structures by writing a simple program or script that does nothing but repeatedly create copies of itself. Many modern operating systems have quota facilities to protect against this problem, but not all do. Further, even if the process table is not filled, the CPU may be consumed by a large number of processes and the associated time spent switching between processes. Consult your operating system vendor or operating system manuals for details on available quota facilities for your system.
risk assesment practices and related benefits
Critical Success Factors 1. Obtain senior management support and involvement 2. Designate focal points 3. Define procedures 4. Involve business and technical experts 5. Hold business units responsible 6. Limit scope of individual assessments 7. Document and maintain results Benefits 1. Assurance that the greatest risks have been identified and addressed 2. Increased understanding of risks 3. Mechanism for reaching consensus 4. Support for needed controls 5. Means for communicating results Tools 1. Tables 2. Questionnaires 3. Standard report formats 4. Software to facilitate documentation and analysis 5. Lists of threats and controls Process 1. Identify threats and likelihood of those threats materializing 2. Identify and rank critical assets and operations 3. Estimate potential damage 4. Identify cost effective mitigating controls 5. Document assessment findings
transport mode of protection for IP Sec
Encapsulates only the transport layer information (not the headers) within IP Sec protection, Can only be created between host nodes.
tunnel mode of protection for IP Sec
Encapsulates the entire IP packet within IPSec protection. Tunnels can be created between several different node types: firewall to firewall, host to firewall, host to host.
denial of service
I mentioned this before when we discussed the 3 assets and what threats could be associated with them. A DoS attack is very serious in nature and it's simple to perform. Many efforts have been made to patch systems that could either launch a DoS attack or be affected by one, but to think that top level hackers (the Elite) aren't constantly working on new ways to exploit systems is foolish. This recent rash of Virus and Malware activity this month should show you that there is no shortage of people working to exploit and topple your systems. Also, to not consider the trillions of Script Kiddies (the bottom of the Hacker barrel - the folks who use the simplified, documented and freely available tools that the Elite create) is also very un-wise. DoS attacks are nothing more than an attack against your system(s) that will result in that system not being able to do its intended job (or purpose). A very common one for Microsoft systems in the buffer overflow. This is only one exploit, there are many others... for instance; consider an Internet access router that sits on the perimeter of your network serving packets to and from. If someone on the Internet can successfully install Trojans (which is simple to do by just emailing/spamming them from somebody's open email relay) on unknowing recipients' PCs, those hacked systems could be grouped en masse and used as a single weapon against your Internet access router. If your Internet access router is not protected or hardened, its more than likely you will feel a pinch when the DoS starts... Once the PC's have been exploited with the Trojan, they can be controlled to send a flood of traffic to your router. Since the group (called a Zombie Hoard) does not know what is being done, they are effectively launching a DDoS (distributed DoS) attack against your router, hogging its CPU and input buffers so legitimate traffic cannot pass it. Simple to do, simple to stop but you have to first consider that your assets (your router and the Internet connection that feeds life into your LAN) and the people who run them (hopefully patching the devices to stop this kind of attack, or using some rate limiting downstream from your upstream ISP... this is all important to consider. Think of an old Windows 95 PC, did you know that this operating system (because of a lack of control on the ping packet size) can be 'used' to perform a ping of death that can crash unsuspecting systems? Did you know that there are freeware utilities (for Script Kiddies) that can send malformed packets to systems and crash them? Knowledge is power - knowledge is another one of your precious assets.
prevent attacks/compromise
Identify problems in the components of infrastructure and fix them before they are exploited. Develop mechanisms that make entire classes of attacks unfeasible. Perform vulnerability analysis of web applications so that vulnerabilities can be fixed. Develop mechanisms that make certain attacks impossible.
the risk of added competitor advantage
If you think your competitors don't scheme on ways to take your out you are only kidding yourself. Companies have been known to hire Hackers for just that reason. That is one of the best hypothetical examples you can draw from... your competitor would love to see nothing less than your failure and their gain.
prevention and response of DOS attacks
Implement router filters as described in Appendix A of CA-96.21.tcp_syn_flooding, referenced above. This will lessen your exposure to certain denial-of-service attacks. Additionally, it will aid in preventing users on your network from effectively launching certain denial-of-service attacks. If they are available for your system, install patches to guard against TCP SYN flooding as described in CA-96.21.tcp_syn_flooding, referenced above. This will substantially reduce your exposure to these attacks but may not eliminate the risk entirely. Disable any unused or unneeded network services. This can limit the ability of an intruder to take advantage of those services to execute a denial-of-service attack. Enable quota systems on your operating system if they are available. For example, if your operating system supports disk quotas, enable them for all accounts, especially accounts that operate network services. In addition, if your operating system supports partitions or volumes (i.e., separately mounted file systems with independent attributes) consider partitioning your file system so as to separate critical functions from other activity. Observe your system performance and establish baselines for ordinary activity. Use the baseline to gauge unusual levels of disk activity, CPU usage, or network traffic. Routinely examine your physical security with respect to your current needs. Consider servers, routers, unattended terminals, network access points, wiring closets, environmental systems such as air and power, and other components of your system. Use Tripwire or a similar tool to detect changes in configuration information or other files. Invest in and maintain "hot spares" - machines that can be placed into service quickly in the event that a similar machine is disabled. Invest in redundant and fault-tolerant network configurations. Establish and maintain regular backup schedules and policies, particularly for important configuration information. Establish and maintain appropriate password policies, especially access to highly privileged accounts such as UNIX root or Microsoft Windows NT Administrator.
storing usernames and passwords
In all password schemes the system must maintain storage of usernames and corresponding passwords to be used in the authentication process. This is still true for web applications that use the built in data store of operating systems like Windows NT. This store should be secure. By secure we mean the passwords should be stored in such a way that the application can compute and compare passwords presented to it as part of an authentication scheme, but the database should not be able to be used or read by administrative users or by an adversary who manages to compromise the system. Hashing the passwords with a simple hash algorithm like SHA-1 is a commonly used technique.
dual-homed host
In this firewall, the packet filtering router is not completely compromised. Traffic between the internet and other private hosts on the network has to flow through the bastion host.
challenges of the digital age
Intellectual property treatment (digital material is easy to copyright and distribute), semantic web (a lot of structured information that we can't see on the web, how do we gain access to this information), complex objects that can only be rendered via computer such as 3D objects, complex spreadsheets, and interactive environments, Bit Rot (preserving interpretive programs and the hardware that run them and the operating systems that run the hardware for thousands of years
the risk of legal issues
Legal damages depending on what kind of business you operate could potentially cripple you. A simple example would be to not put URL filtering inside your network. Let's pretend that the cost is the same as the solution above. Is that 30 grand worth a lawsuit when someone views pornography on another PC and 'gets offended'? Think it doesn't happen? (Can you hear my virtual laughter now?). It does, more times than you think. Again, this could have been eliminated with a simple investment, to not make the investment saves you 30 grand now, up front, but will raise your risk level against the threat I just mentioned and from that gamble, could potentially cost you way more in the long run with a $300,000 US lawsuit, for example.
Understand what your assets are and help protect them
Look at IT as a real business asset, a strategic part of the plan, not some money vacuum that bleeds the company dry of profit. Yes, in some companies IT is a cost center, but again, unless you are reverting back to a paper society from a paperless one, you need to start to think of IT as a business ally... budget accordingly based on forecasting. If the management team is only motivated by their own bonus by cutting IT staff, monies and projects, then this is probably where you would most likely NOT want to consider cutting... not budgeting for a proper security posture is insane. I think bonus programs are a good way to reward, but when you're rewarded for saving money by increasing risk when some of that bonus money rightfully should have been re-circulated into the growth of the company is wrong. Do you think its fair that your Systems Administrator who may already be saturated with support work and studying at night to keep up with new skills, is it fair to dump something as important as securing your assets which is a separate important job all in itself on an already busy person? Would you do the same to your personal Financial Advisor? Would you call him up and say... Fred, while your working today to make me more money, could you stop what you are doing and please go food shopping for me, then stop by my house and wash my car - oh, and pick up my kids, baby-sit them tonight and then maybe clean my toilet? No, no... I think you would not. This being said, your company's data is that important too. If you do not treat is as such, then you are raising your risk level, you are more exposed to threats, and your take more chances with your assets. Isn't scary how simplified things can get with humor? Yes, I like to joke, but this is serious. Companies and their management need to start to take this more seriously so that they can reduce threat, reduce the risk of damage to the company's assets and good name and consider security as a viable solution in the company and not some suck pump of dollars out of the cost of making widgets. Widgets are more important when it's your core component for business, but when nobody can buy widgets online for a week... nuff said.
data manipulation threat
Manipulation (Data Manipulation): Data manipulation is considered a very large threat today because data is what our paperless society has come to not only depend on, but dang... can't survive without. Data manipulation is a huge threat. Consider your administrators (or worse, some help desk technician with too many rights to the system) getting upset about managements decision to not give them another raise this year because IT is considered a 'hemorrhaging ulcer' instead of a 'real business asset' - didn't think if it that way, did you? As a Security Analyst, you have to really consider this as a threat. Other threats can include, but are not limited to Man in the Middle attacks where an attacker can insert themselves 'between' two communicating parties and intercept the traffic, read it, and perhaps alter is as seen in figure 4. Other ways data can be manipulated if is you have a DNS server on your DMZ, its exploited and records are changed (manipulated) to another IP address of a mock site that your customers now go to (DNS Poisoning), or worse, a bit bucket black hole that leads nowhere sending your customers and business partners into deep thought about how 'on top of things' your company really is. What are the assets? Your systems, the data on them and the people who take care of them. Can you see the threats and how they can vary from asset to asset? Assets like your data may be held liable as legal and simple lack of control over it could cost you a lawsuit as well. Threats should not be taken lightly; taking security lightly could cost you in the long run.
infrastructure analysis
Now that you know what a risk assessment is, you need to test your systems. This article is not meant to show you 'how' to do this, its more of a guide to let you know that you should be doing this. More articles on this site can be used to show you how to protect your systems, just make sure you do this... make sure you analyze systems for weaknesses against known exploits, and hopefully you are using IDS (intrusion detection systems) to find attacks happening in real time, or possible 'new' attacks - or better known as 'Zero Day' attacks, which are not even known to the general populace yet, the IDS just flagged the activity on your network as 'strange' or 'uncommon'. This is just one way to do analysis, other ways are to do a network walkthrough, configuring and monitoring the auditing of Servers and other critical infrastructure, checking firewall (and other application) logs for uncommon activity, Sniffer analysis of traffic traversing the network (Packet capturing and analysis) are all ways to get a clue as to what your weak spots are. Using simple tools such as NMAP, or GFI LANguard N.S.S. (both freeware) and doing a scan of your edge and your internal critical systems can show you a lot. A vulnerability assessment is one of your first steps as to seeing how at risk your assets are
some internet research problems
Security at all levels, intenet Erlang formulas, smart routers/QOS debates, internationalized domain names, distributed algorithms, presence (multi-level), mobility, persistence, multihoming, multipath routing, broadcast utilization, mesh and sensor networks, virtualization (net, storage processing), authentication, identity, authorization, multi-core processor algorithms, delay and disruption tolerance, integration of applications, integrity property protection, role of layering, Governance: Law enforcement, policy development, Homologation, Facilitation of electronic commerce, privacy and confidentiality, mobile operation: Dynamic joining (from multiple locations), Dynamic routing (dealing with topologies that change, Persistent connection (reestablishing session after connection is lost) Self-organization, Performance: Latency, throughput, resilience, Route management vs. CWND flow control, Route Convergence, addressing (identification): What objects should be addressable, New bindings of IP to identifiers (new DNS).
IP Sec
Security is built into the IP layer. Provides host-to-host and firewall-to-firewall encryption and authentication. Required for IPv6 but optional for IPv4. Consists of two parts: IPsec proper (for encryption and authentication). IPsec Key management Provides two modes of protection (tunnel mode and transport mode). Also provides authentication and integrity, confidentiality, and replay protection. a suite of protocols providing a mechanism to provide data integrity, authentication, privacy, and nonrepudiation for the classic Internet Protocol (IP)
The problem of security when radio was invented
Security was a fairly coherent organization. It was all about communication, there was no computation. It was mostly concerned about confidentiality, The state level actors had a lot of resources, security was not restrained by law, the failures of security was that it was hard to detect and generally there was no way to recover it
application backdoors
Some programs have special features that allow for remote access. Others contain bugs that provide a backdoor, or hidden access, that provides some level of control of the program.
anomaly detection systems
Such systems attempt the much harder job of looking for anomalous patterns of behavior in the absence of a clear model of the attacker's modus operandi.
authentication
The process of proving one's identity. (The primary forms of host-to-host authentication on the Internet today are name-based or address-based, both of which are notoriously weak.) the process of determining if a user or entity is who he/she claims to be
protocol
The protocol is the pre-defined way that someone who wants to use a service talks with that service. The "someone" could be a person, but more often it is a computer program like a Web browser. Protocols are often text, and simply describe how the client and server will have their conversation
security budget
Think of a real security budget that fits the companies business model. To not have anything planned from year to year is very common in many organizations, and it not very wise. Again, security 'is' important. To ignore it, or deal with it as it occurs (reactive instead of proactive) raises your risk tolerance, threats are more common and realistic and you take more chances of losing or damaging your assets. Much like investing in the Stock Market or the Black Jack tables in Las Vegas, you risk when you gamble - no matter what, your risk goes up when you take chances, yes the payback can be larger with the high risk, but the loss can be just as great. You feel like rolling the dice against your Storage Area Network getting toppled? To save a ton of money up front can all be lost in one hour with a brutal attack on your systems... its time to think of a strong security posture as a solid insurance policy against your assets. Look, if Yahoo, Microsoft and the big players in the game can get knocked off the Internet by an attack that should tell you something.
specific words and phrases firewall filtering
This can be anything. The firewall will sniff (search through) each packet of information for an exact match of the text listed in the filter. For example, you could instruct the firewall to block any packet with the word "X-rated" in it. The key here is that it has to be an exact match. The "X-rated" filter would not catch "X rated" (no hyphen). But you can include as many words, phrases and variations of them as you need.
Triple CBC (Cipher Block Chaining)
This method is very similar to the standard DES CBC mode. As with Triple ECB, the effective key length is 168 bits and keys are used in the same manner, as described above, but the chaining features of CBC mode are also employed. The first 64-bit key acts as the Initialization Vector to DES. Triple ECB is then executed for a single 64-bit block of plaintext. The resulting ciphertext is then XORed with the next plaintext block to be encrypted, and the procedure is repeated. This method adds an extra layer of security to Triple DES and is therefore more secure than Triple ECB, although it is not used as widely as Triple ECB.
meteor burst/meteor scatter transmission
This relies on the billions of micrometeorites that strike the Earth's atmosphere each day, each leaving a long ionization trail that persists for about a third of a second, and providing a temporary transmission path between a "mother station" and an area that might be a hundred miles long and a few miles wide. The mother station transmits continuously, and whenever one of the "daughters" hears mother, it starts to send packets of data at high speed, to which mother replies. With the low power levels used in covert operations, it is possible to achieve an average data rate of about 50 bps, with an average latency of about 5 minutes and a range of 500-1,500 miles. With higher power levels, and in higher latitudes, average data rates can rise into the tens of kilobits per second.
threat
Threat: An expression of an intention to inflict pain, injury, evil, or punishment as well as an indication of impending danger or harm. It's also considered a possible danger or menace. In the Information Technology (IT) arena, a threat is anything that is what was mentioned but in the realm of IT. In simpler terms, a threat is anything that you feel would hurt your company's assets, especially those such as your data, or anything else contained on the computer network and its systems as well as the systems themselves.
Information Assurance Certification and Accreditation Program (DIACAP)
Title III of the E-Government Act, Federal Information Security Management Act (FISMA), requires Federal departments and agencies to develop, document, and implement an organization-wide program to provide information assurance. DIACAP ensures DoD Certification and Accreditation (C&A) is consistent with FISMA, DoDD 8500.1 and DoDI 8500.2 The DIACAP is a central component of GIG IA C&A Strategy. DIACAP satisfies the need for a dynamic C&A process for the GIG and net-centric applications.
The basic SSL and TLS message exchanges
URLs specifying the protocol https:// are directed to HTTP servers secured using SSL/TLS. The client will automatically try to make a TCP connection to the server at port 443. The client initiates the secure connection by sending a ClientHello message containing a Session identifier, highest SSL version number supported by the client, and lists of supported crypto and compression schemes (in preference order). The server examines the Session ID and if it is still in the server's cache, it will attempt to re-establish a previous session with this client. If the Session ID is not recognized, the server will continue with the handshake to establish a secure session by responding with a ServerHello message. The ServerHello repeats the Session ID, indicates the SSL version to use for this connection (which will be the highest SSL version supported by the server and client), and specifies which encryption method and compression method to be used for this connection. There are a number of other optional messages that the server might send, including: Certificate, which carries the server's X.509 public key certificate (and, generally, the server's public key). This message will always be sent unless the client and server have already agreed upon some form of anonymous key exchange. (This message is normally sent.) ServerKeyExchange, which will carry a premaster secret when the server's Certificate message does not contain enough data for this purpose; used in some key exchange schemes. CertificateRequest, used to request the client's certificate in those scenarios where client authentication is performed. ServerHelloDone, indicating that the server has completed its portion of the key exchange handshake. The client now responds with a series of mandatory and optional messages: Certificate, contains the client's public key certificate when it has been requested by the server. ClientKeyExchange, which usually carries the secret key to be used with the secret key crypto scheme. CertificateVerify, used to provide explicit verification of a client's certificate if the server is authenticating the client. TLS includes the change cipher spec protocol to indicate changes in the encryption method. This protocol contains a single message, ChangeCipherSpec, which is encrypted and compressed using the current (rather than the new) encryption and compression schemes. The ChangeCipherSpec message is sent by both client and server to notify the other station that all following information will employ the newly negotiated cipher spec and keys. The Finished message is sent after a ChangeCipherSpec message to confirm that the key exchange and authentication processes were successful. At this point, both client and server can exchange application data using the session encryption and compression schemes.
the intuition behind waler
Users usually browse a web application consistently with the intentions of the developer,follow provided links, fill out provided forms, the "standard functionality of a web application is usually well-tested, the intended program specification can be approximated when the "standard" functionality of a web application is exercised with "normal" input. Application code has "clues" about the intended constraints, the application's code can be used to refine dynamically derived specifications.
the risk of losing credibility
Well, depending on what kind of company you own, manage, or run, its important to factor in that other companies you do business with and your own clientele will lose 'faith' in your ability to do business if you cannot maintain your network uptime and access to critical resources, you face the public's intolerance to wait for services and complete embarrassment (can hurt publicly traded companies) if your not running at 100%. Think of this example, your website where you do 'e-commerce' is not up and running from a DoS attack that could have been thwarted with a small investment of 20 thousand dollars, one time cost with a reoccurring cost of about 5-10 thousand a year for training, updates or whatever else is needed for this example. How much would you lose for a half a days lost business? Can you calculate the cost of a lost customer for good? This is what you need to do for your risk assessment, but not to lose the point - its just plan embarrassing. If I was in the position of executive level management, my first question to my next echelon of supervision and management would be - why were we not protected against this? How did we lose credibility? Well - see my top ten list above for the answer to that one.
recon threat
When an attacker 'probes' your network or systems (knocking on your door) to see if you are there, and if possible, to map your network and systems for a future malicious attack. Looking for vulnerabilities is common, this can be done from scanning systems for open ports, using commands such as ping and traceroute (tracert in Windows) to map a path through the network or what hosts make up a subnet on your edge and DMZ, doing ping sweeps for mapping purposes or just simple eavesdropping if you can start a Man in the Middle attack or somehow get a Sniffer on the network to analyze with. A solid way to do a recon attack would be to find a Linux system on a DMZ, try to gain Root access... get in and launch Tethereal or Tcpdump to gather information crossing the wire after your make the Linux systems NIC promiscuous. This is a simple example, but hopefully this drives home how bad a Recon attack is and what kind of 'Threat' it creates. Figure 2 shows you the use of a commonly used tool that can show vulnerability assessments. It's freely available on the web and can be used by attackers rattling your door, checking to see what you have left opened.
browser limitations
When reading the following sections on the possible means of providing authentication mechanisms, it should be firmly in the mind of the reader that ALL data sent to clients over public links should be considered "tainted" and all input should be rigorously checked. SSL will not solve problems of authentication nor will it protect data once it has reached the client. Consider all input hostile until proven otherwise and code accordingly.
Single Sign-On Across Multiple DNS Domains
With outsourcing, hosting and ASP models becoming more prevalent, facilitating a single sign-on experience to users is becoming more desirable. The Microsoft Passport and Project Liberty schemes will be discussed in future revisions of this document. Many web applications have relied on SSL as providing sufficient authentication for two servers to communicate and exchange trusted user information to provide a single sign on experience. On the face of it this would appear sensible. SSL provides both authentication and protection of the data in transit. However, poorly implemented schemes are often susceptible to man in the middle attacks. A common scenario is as follows: The common problem here is that the designers typically rely on the fact that SSL will protect the payload in transit and assumes that it will not be modified. He of course forgets about the malicious user. If the token consists of a simple username then the attacker can intercept the HTTP 302 redirect in a Man-in-the-Middle attack, modify the username and send the new request. To do secure single sign-on the token must be protected outside of SSL. This would typically be done by using symmetric algorithms and with a pre-exchanged key and including a time-stamp in the token to prevent replay attacks.
Create a Policy that is Enforced by your Company
Yes, it's true - management needs to really get involved with this and back what the policy states. If there is a business use policy in effect (in your security policy), and it states that there will be penalties involved with not following guidelines, if those penalties are not backed and enforced (by management and Human Resources), then the policy's meaning falls apart and anarchy ensues. A lot of work goes into this stuff; to not back it is criminal to the ones who created it and foolish in many cases because it can really help you and the organization keep itself more stable. It also means that the management team should not be hypocritical and install an Instant Messaging utility when others could be fired for it and use the power of their office to justify its use... when a worm based program enters 'your' system and infects the whole network that was otherwise secure, you will be the one to blame, you only. Backing a policy is important to the organization as a whole and it starts with the upper management team and Human Resources - working 'with' the IT department and the Security Analyst. Create a policy, advertise it, back it and enforce it when needed. Do not be the breaker of the policy as well... its there for safety not control and that's what needs to get across to everyone else as well.
SQL injection
a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).[1] SQL injection must exploit a security vulnerability in an application's software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database. SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
big bounty program
a deal offered by many websites and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to exploits and vulnerabilities. These programs allow the developers to discover and resolve bugs before the general public is aware of them, preventing incidents of widespread abuse
IPS
a device or an application that analyzes whole packets, both header and payload, looking for known events. When an unknown event is detected, the packet is rejected.
anonymous remailer
a device that accepts encrypted email, decrypts it, and sends it on to a destination contained within the outer encrypted envelope
smurf attack
a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol (ICMP) packets with the intended victim's spoofed source IP are broadcast to a computer network using an IP broadcast address. Most devices on a network will, by default, respond to this by sending a reply to the source IP address. If the number of machines on the network that receive and respond to these packets is very large, the victim's computer will be flooded with traffic. This can slow down the victim's computer to the point where it becomes impossible to work on DDOS packets are aimed at other networks, where they provoke multiple echoes all aimed at the victim. To go into further detail, some background description of the Internet is in order
bump key
a key for bumping locks
signuature
a known characteristic of a particular attack
application layer
a layer containing HTTP, LDAP, and POP3
network layer
a layer containing SSL and TCP/IP
friendship tree
a list of friend relationships with a particular suspect
macro virus
a macro that copies itself into uninfected word processing documents on the victim's hard disk, and waits to be propagated as users share documents
worm
a malicious program that replicates
virus
a malicious program that replicates by attaching itself to other programs
Discretionary Access Control (DAC)
a means of restricting access to information based on the identity of users and/or membership in certain groups, has the drawback of the administrators not being able to centrally manage these permissions on files/information stored on the web server often exhibits one or more of the following attributes. Data Owners can transfer ownership of information to other users Data Owners can determine the type of access given to other users (read, write, copy, etc.) Repetitive authorization failures to access the same resource or object generates an alarm and/or restricts the user's access Special add-on or plug-in software required to apply to an HTTP client to prevent indiscriminant copying by users ("cutting and pasting" of information) Users who do not have access to information should not be able to determine its characteristics (file size, file name, directory path, etc.) Access to information is determined based on authorizations to access control lists based on user identifier and group membership.
TPM
a microcontroller that stores keys, passwords, and digital certificates. It is affixed to the motherboard. Silicon ensures that the information stored is made secure from external software attack and physical theft. Security processes, such as digital signature and key exchange are protected Critical applications such as secure email, secure web access, and local protection of data are assured.
Advanced Encryption Standard (AES)
a modern heir to DES, which was designed by academics in a public competition, supports 128 bit and larger keys.
next-generation firewall
a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functionalities, such as an application firewall using in-line deep packet inspection (DPI), an intrusion prevention system (IPS). Other techniques might also be employed, such as TLS/SSL encrypted traffic inspection, website filtering, QoS/bandwidth management, antivirus inspection and third-party identity management integration (i.e. LDAP, RADIUS, Active Directory)
checksummer
a piece of software that keeps a list of all the authorized executables on the system, together with checksums of the original versions of these files
top pin/driver pin
a pin that
vulnerability analysis
a practical process of comparing the information collected with known vulnerabilities
intranet
a private computer network that uses internet protocols, network connectivity, and possibly the public telecommunication system to securely share part of an organization's information or operations with its employees it uses the same concepts and technologies as the internet (clients and servers), running on the TCP IP suite. HTTP, FTP, and SMTP very commonly used. Access to information is typically through browsers. and is platform independent and has no need to install special software on clients. Intranets help employees to quickly locate information and applications relevant to their roles and responsibilities. Standard interface, allowing access from anywhere. Can serve as a powerful tool for communication within an organization both vertically and horizontally. Also permits information to be published
extranet
a private network that uses internet protocols, network connectivity, and possibly the public communication system to securely share part of an organization's information or operations with suppliers, partners, customers, or other businesses. Can be viewed as part of a company's intranet that is extended to users outside the company. It is a private internet over the internet. It is used to designate private parts of a website. Only registered users can navigate. It requires security and privacy. Firewall server management. Issuance and use of digital certificates or similar means of authentication. Encryption of messages. Use of virtual private networks that tunnel through the public network. Advantages: Can improve organization productivity, Allows information to be viewed at times convenient for external users. Cuts down on meeting times. Information can be updated instantly. Authorized users have immediate access to latest information. Can improve relationships with customers.
firewall
a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through, The most widely sold solution to the problems of Internet security
trojan horses
a program that does something malicious (such as capturing passwords) when run by an unsuspecting user
guard band
a receiver on a frequency adjacent to the one in use, and to blank the signal when this receiver shows a jamming signal
Photuris
a scheme for establishing short-lived session-keys between two authenticated parties without passing the session-keys across the Internet. IKE typically creates keys that may have very long lifetimes
demilitarized zone
a screened subnet, which contains a number of application servers or proxies to filter mail and other services may then be connected to the internal network via a further filter that does network address translation. Within the organization, there may be further boundary control devices, including pumps to separate departments, or networks operating at different clearance levels to ensure that classified information doesn't escape either outward or downward
manual key management
a security administrator or other individual manually configures each system with the key and SA management data necessary for secure communication with other systems
tunnel mode SA
a security association applied to an IP tunnel. In this mode, there is an "outer" IP header that specifies the IPsec destination and an "inner" IP header that specifies the destination for the IP packet. This mode of operation is supported by both hosts and security gateways.
transport mode SA
a security association between two hosts. Transport mode provides the authentication and/or encryption service to the higher layer protocol. This mode of operation is only supported by IPsec hosts.
Nmap
a security scanner, originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich),[2] used to discover hosts and services on a computer network, thus building a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host(s) and then analyzes the responses.
lag sequence
a sequence generated by a stream cipher or random number generator, which determines whether an outgoing radio frequency pulse is delayed or not
security association
a simplex (one-way or unidirectional) logical connection between two communicating IP endpoints that provides security services to the traffic carried by it using either AH or ESP procedures. uniquely identified by a 3-tuple composed of: Security Parameter Index (SPI), a 32-bit identifier of the connection IP Destination Address security protocol (AH or ESP) identifier The endpoint of an SA can be an IP host or IP security gateway (e.g., a proxy server, VPN server, etc.). Providing security to the more typical scenario of two-way (bi-directional) communication between two endpoints requires the establishment of two SAs (one in each direction).
advanced encryption standard
a standard that was chosen to be very secure in international contest, it was a Belgian designed algorithm, also CNSS 15, sprint 2003 was approved for protection of classified information
bastion host
a system identified by the firewall administrator as a critical point in the network's security: It executes a secure version of its OS and is trusted, it consists of services which are essential, Requires additional authentication before access is allowed.
stealth virus
a virus that watches out for operating system calls of the kind used by the checksummer and hides itself whenever a check is being done
rogue access point
a wireless access point that has been installed on a secure network without explicit authorization from a local network administrator, whether added by a well-meaning employee or by a malicious attacker
Domain Name System (DNS)
a worldwide distributed service in which higher-level name servers point to local name servers for particular domains
role-based access control
access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization access decisions are based on an individual's roles and responsibilities within the organization or user base. The process of defining roles is usually based on analyzing the fundamental goals and structure of an organization and is usually linked to the security policy. For instance, in a medical organization, the different roles of users may include those such as doctor, nurse, attendant, nurse, patients, etc. Obviously, these members require different levels of access in order to perform their functions, but also the types of web transactions and their allowed context vary greatly depending on the security policy and any relevant regulations (HIPAA, Gramm-Leach-Bliley, etc.). An RBAC access control framework should provide web application security administrators with the ability to determine who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances. http://csrc.nist.gov/rbac/ provides some great resources for RBAC implementation. The following aspects exhibit RBAC attributes to an access control model. Roles are assigned based on organizational structure with emphasis on the organizational security policy Roles are assigned by the administrator based on relative relationships within the organization or user base. For instance, a manager would have certain authorized transactions over his employees. An administrator would have certain authorized transactions over his specific realm of duties (backup, account creation, etc.) Each role is designated a profile that includes all authorized commands, transactions, and allowable information access. Roles are granted permissions based on the principle of least privilege. Roles are determined with a separation of duties in mind so that a developer Role should not overlap a QA tester Role. Roles are activated statically and dynamically as appropriate to certain relational triggers (help desk queue, security alert, initiation of a new project, etc.) Roles can be only be transferred or delegated using strict sign-offs and procedures. Roles are managed centrally by a security administrator or project leader.
application-level gateway
also called a proxy server, acts as a relay of application-level traffic. It is service specific. Advantages: Higher security than packet filters, only need to scrutinize a few allowable applications, easy to audit and log all incoming traffic, Disadvantages: Additional processing overhead on each connection (gateway as a splice point).
FISMA
an act which imposes processes that must be followed by information systems used by US government You must follow Federal Information Processing Standards (FIPS) issued by NIST (National Institute of Standards & Technology)
waler
an approach to the automated detection of application logic vulnerabilities, extendable to detect different types of logic flaws, two level analysis for better precision, based on combination of dynamic analysis and model checking over symbolic input, dynamic analysis techniques are used to extract an approximation of a program specification, model-checking is used to filter erroneous specifications and to detect vulnerabilities, implemented for servlet based web applications.
denial of service attack
an explicit attempt by attackers to prevent legitimate users of a service from using that service Examples include attempts to "flood" a network, thereby preventing legitimate network traffic attempts to disrupt connections between two machines, thereby preventing access to a service attempts to prevent a particular individual from accessing a service attempts to disrupt service to a specific system or person The three basic types consumption of scarce, limited, or non-renewable resources, destruction or alteration of configuration information, physical destruction or alteration of network components DDoS attacks involve breaking into hundreds or thousands of machines all over the Internet. Then the attacker installs DDoS software on them, allowing them to control all these burgled machines to launch coordinated attacks on victim sites. These attacks typically exhaust bandwidth, router processing capacity, or network stack resources, breaking network connectivity to the victims.
master key attacks
attacks using a forged master key which is a key that opens a bunch of different locks
the main objectives of SSL
authenticate the client and server to each other, ensure data integrity and privacy (privacy is required for both the protocol data and also the application data).
RSA Encryption
based on the hardness of factoring products of large primes. Problems: Ciphertext is a fixed size, computation is still relatively expensive, why do you trust the ciphertext has not been modified, not semantically secure. where anyone can send a secret message to someone but only the person it is sent to can retrieve it. The first, and still most common, PKC implementation, named for the three MIT mathematicians who developed it — Ronald Rivest, Adi Shamir, and Leonard Adleman. RSA today is used in hundreds of software products and can be used for key exchange, digital signatures, or encryption of small blocks of data. RSA uses a variable size encryption block and a variable size key. The key-pair is derived from a very large number, n, that is the product of two prime numbers chosen according to special rules; these primes may be 100 or more digits in length each, yielding an n with roughly twice as many digits as the prime factors. The public key information includes n and a derivative of one of the factors of n; an attacker cannot determine the prime factors of n (and, therefore, the private key) from this information alone and that is what makes the RSA algorithm so secure. (Some descriptions of PKC erroneously state that RSA's safety is due to the difficulty in factoring large prime numbers. In fact, large prime numbers, like small prime numbers, only have two factors!) The ability for computers to factor large numbers, and therefore attack schemes such as RSA, is rapidly improving and systems today can find the prime factors of numbers with more than 200 digits. Nevertheless, if a large number is created from two prime factors that are roughly the same size, there is no known factorization algorithm that will solve the problem in a reasonable amount of time; a 2005 test to factor a 200-digit number took 1.5 years and over 50 years of compute time (see the Wikipedia article on integer factorization.) Regardless, one presumed protection of RSA is that users can easily increase the key size to always stay ahead of the computer processing curve. As an aside, the patent for RSA expired in September 2000 which does not appear to have affected RSA's popularity one way or the other.
inverse gain jamming/inverse gain amplitude modulation
based on the observation that the directionality of the attacker's antenna is usually not perfect; in addition to the main beam, it has sidelobes through which energy is also transmitted and received, albeit much less efficiently. The sidelobe response can be mapped by observing the transmitted signal, and a jamming signal can be generated so that the net emission is the inverse of the antenna's directional response. The effect, as far as the attacker's radar is concerned, is that the signal seems to come from everywhere; instead of a "blip" on the radar screen you see a circle centered on your own antenna
a common rule of thumb involving firewalls
block everything, then begin to select what types of traffic you will allow. You can also restrict traffic that travels through the firewall so that only certain types of information, such as e-mail, can get through
qualitative approach to risk assessment
can be taken by defining risk in more subjective and general terms such as high, medium, and low. In this regard, qualitative assessments depend more on the expertise, experience, and judgment of those conducting the assessment
problems with nets and servers
capacity limitations for peak loads, congestion in access to data sources, excessive delays for global access, expensive to scale capacity for growth, problem not in bandwidth, but mostly in switching, depends on reliability and capacity of ISP peers to forward data to the destination, conflicting economic interests among peers can inhibit growth and performance
Replay prevention
causes retransmitted packets to be dropped.
detect attacks
characterize certain high-level properties of attacks. Identify previously unseen malicious activity, build models of web applications that allow you to analyze how web applications should behave. This will help to identify variations that could be associated with compromise.
wepawet
characterizes the behavior of the browser as it visits web pages, monitors events that occur during each visit, characterizes properties of these events with features, uses statistical models to determine if feature values are normal or anomalous, in the detection phase, flags as suspicious pages that result in anomalous behavior. looks at exploit preparation, exploit attempt, redirections and cloaking, and obfuscations
Setganography
covered writing, concerned with hiding the existence of a message - often in plain sight
Internet Security Association and Key Management Protocol (ISAKMP)
defines procedures and packet formats to establish, negotiate, modify and delete security associations, and provides the framework for exchanging information about authentication and key management (RFC 2407/RFC 2408). ISAKMP's security association and key management is totally separate from key exchange.
role hierarchy
defines roles that have unique attributes and that may contain other roles; that is, one role may implicitly include the operations that are associated with another role.
OAKLEY Key Determination Protocol
describes a scheme by which two authenticated parties can exchange key information. OAKLEY uses the Diffie-Hellman key exchange algorithm
Secure Sockets Layer Protocol
developed by Netscape Communications to provide application-independent secure communication over the Internet for protocols such as the Hypertext Transfer Protocol (HTTP). SSL employs RSA and X.509 certificates during an initial handshake used to authenticate the server (client authentication is optional). The client and server then agree upon an encryption scheme. SSL v2.0 (1995), the first version publicly released, supported RC2 and RC4 with 40-bit keys. SSL v3.0 (1996) added support for DES, RC4 with a 128-bit key, and 3DES with a 168-bit key, all along with either MD5 or SHA-1 message hashes; this protocol is described in RFC 6101.
tachographs
devices which record a 24-hour history of the vehicle's speed on a circular waxed paper chart
basic principles of security
encrypt your entire network data repository, even if it seems trivial. Password protect all sensitive information and do not allow network users to browse unsecured intranet sites as sensitive information can be gathered in this way.
Secure Shell
encrypts sensitive data before transmission across networks, allows port forwarding (tunneling over SSH), and has support for a lot of proxies and firewalls. In version 1, the server uses two keys, the long-term key binds the connection to the server and is a 1024 bit RSA, short term key which is changed every hour, makes later recovery impossible, and is regenerated as a background task, and is a 768 bit RSA. There are multiple authentication mechanisms, such as straight passwords, and RSA based authentication, where the client decrypts a challenge from the server, and returns the hash to the server. There are also plug-in authentication mechanisms such as biometrics and smart cards.
mandatory access control
ensures that the enforcement of organizational security policy does not rely on voluntary web application user compliance. MAC secures information by assigning sensitivity labels on information and comparing this to the level of sensitivity a user is operating at. In general, MAC access control mechanisms are more secure than DAC yet have trade offs in performance and convenience to users. MAC mechanisms assign a security level to all information, assign a security clearance to each user, and ensure that all users only have access to that data for which they have a clearance. MAC is usually appropriate for extremely secure systems including multilevel secure military applications or mission critical data applications. A MAC access control model often exhibits one or more of the following attributes. Only administrators, not data owners, make changes to a resource's security label. All data is assigned security level that reflects its relative sensitivity, confidentiality, and protection value. All users can read from a lower classification than the one they are granted (A "secret" user can read an unclassified document). All users can write to a higher classification (A "secret" user can post information to a Top Secret resource). All users are given read/write access to objects only of the same classification (a "secret" user can only read/write to a secret document). Access is authorized or restricted to objects based on the time of day depending on the labeling on the resource and the user's credentials (driven by policy). Access is authorized or restricted to objects based on the security characteristics of the HTTP client (e.g. SSL bit length, version information, originating IP address or domain, etc.)
qualitative risk assessment
essentially not concerned with a monetary value but with scenarios of potential risks and ranking their potential to do harm
smurfing
exploits the Internet Control Message Protocol (ICMP), which enables users to send an echo packet to a remote host to check whether it's alive
analyze the artifacts
extract the actions performed and understand their relationships. We also need to identify characteristics of malicious behavior, develop techniques to analyze the behavior of web malware and binaries
single-homed host
firewall consists of two systems: A packet filtering router and a bastion host. Configuration for the packet filtering router. Only packets from and to the bastion host are allowed to pass through the router. The bastion host performs authentication and proxy functions. It has greater security than single configurations because of two reasons: Implements both packet level and application-level filtering (allowing for flexibility in defining security policy). An intruder must generally penetrate two separate systems.
circuit gateways
firewalls which reassemble and examine all the packets in each TCP circuit.
esp header
follows mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information
least user privelage
giving a user no more access to a system than is necessary to perform his/her job. requires identifying the user's job functions, determining the minimum set of privileges required to perform that function, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, this is often difficult or costly to achieve.
defense in depth
having multiple layers of security
anti-radiation missiles
home in on the sources of hostile signals.
single loss expectancy
hoow much you are expected to lose from a single asset per occurence
what about authentication
how do we know alice is alice? How do we know a message originated from Alice? How do we know Alice's message was not altered in transit?
drive by download
how malware can infect your computer simply by visiting a website that is running malicious code (Stage 1: entry point). Most of the time, these are legitimate websites that have been compromised to redirect you to another site controlled by the hackers (Stage 2: distribution). Today's cybercriminals use sophisticated malware packaged in an "exploit kit" that can find a vulnerability in your software among thousands of possibilities. When your browser is redirected to the site hosting an exploit kit, it probes your operating system, web browser and other software (such as your PDF reader or video player) to find a security vulnerability that it can attack (Stage 3: exploit). Remember — if you are not applying security updates to your operating system and software, you are unprotected against these exploits. Once the exploit kit has identified a vulnerability, that is where Stage 4: infection begins. In the infection phase of an attack, the exploit kit downloads what is known as a "payload," which is the malware that installs itself on your computer. Finally, in Stage 5: execution, the malware does what it was designed to do, which is mainly to make money for its masters.
asset value
how much an asset is worth
annualized loss expectancy
how much money you are expected to lose on a single asset per year on average
expossure factor
how often an incident occurs
annualized rate of occurence
how often an incident occurs per year involving a particular asset
plaintext
initial unencrypted data
burst communications/time-hop
involve compressing the data and transmitting it in short bursts at times unpredictable by the enemy
Allow time for training and education
not only for the IT group, but also the larger grouping of end users of your systems under your management... the end-user community. The more people know how to handle a threat, the less risk to threats you will see, the more protection for your assets you will create. Simple example would be to allow the IT department time to train on security and then pass that training on to the rest of the organization where applicable. This strengthens your whole team, your business, your security... in most importantly, your assets. Knowledge is power.
signals collection
not restricted to agreements with phone companies for access to the content of phone calls and the communications data. It also involves a wide range of specialized facilities ranging from expensive fixed installations, which copy international satellite links, through temporary tactical arrangements
cookies
often used to authenticate the user's browser as part of session management mechanisms
types of firewalls
packet filters, application-level gateways, circuit-level gateways.
P0f
passive TCP/IP stack fingerprinting tool. p0f can attempt to identify the system running on machines that send network traffic to the box it is running on, or to a machine that shares a medium with the machine it is running on. p0f can also assist in analysing other aspects of the remote system.
firewalls are effective to
protect local systems. Protect network-based security threats, provide secured and controlled access to the internet, provide restricted and controlled access from the internet to local servers.
HTTP
protocol for communication between a web browser and a web server.
IP Authentication Header
provides a mechanism for data integrity and data origin authentication for IP packets using HMAC with MD5 (RFC 2403), HMAC with SHA-1 (RFC 2404), or HMAC with RIPEMD (RFC 2857). See also RFC 4305. follows mandatory IPv4/IPv6 header fields and precedes higher layer protocol (e.g., TCP, UDP) information
SSL Record Protocol
provides basic security services to higher level protocols, ensures data security and integrity and encryption, also used to encapsulate data sent by other higher level SSL protocols. It takes an application message to be sent, fragments the application, encapsulates it with appropriate headers and creates an object called a record, and encrypts the record and forwards it to TCP
IP encapsulating security payload
provides message integrity and privacy mechanisms in addition to authentication. As in AH, ESP uses HMAC with MD5, SHA-1, or RIPEMD authentication (RFC 2403/RFC 2404/RFC 2857); privacy is provided using DES-CBC encryption (RFC 2405), NULL encryption (RFC 2410), other CBC-mode algorithms (RFC 2451), or AES (RFC 3686). See also RFC 4305 and RFC 4308.
electronic intelligence
recognizing hostile radars and other non-communicating sources of electromagnetic energy.
referer header
referer [sic] header is sent with a client request to show where the client obtained the URI. On the face of it, this may appear to be a convenient way to determine that a user has followed a path through an application or been referred from a trusted domain. However, the referer is implemented by the user's browser and is therefore chosen by the user. Referers can be changed at will and therefore should never be used for authentication purposes.
Confidentiality
refers to limiting information access and disclosure to authorized users, Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
password quality
refers to the entropy of a password and is clearly essential to ensure the security of the users' accounts
integrity
refers to the trustworthiness of information resources and Assuring the receiver that the received message has not been altered in any way from the original, Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity.
the problems with the internet
security for a completely diverse community w/ coalition forces, buyers and sellers, and many people, many companies, many countries. Who is being secured?, What is being secured? Whose interests are being served?, it is now mostly about computation; communication is subsumed, Everything is interactive. We are mostly concerned with violations of integrity and authenticity that may lead to violations of confidentiality or just plain damage. Mostly small actors such as script kiddies, industrial espionage, terrorists who don't have vast intercept networks, many players are not trying to protect themselves against state intelligence agencies, Failures of security such as being hard not to notice, and recovery often expensive but typically possible. Manifestations: Automated (scripted) and semi-automated break-ins such as viruses and worms, spyware, phishing, and machines illegitimately imitating people, The response: Censorware such as firewalls and virus scanners, intrusion detection, automated network management, and forsenics. You have to design your security system with legal standards in mind and collect evidence.
honey trap
something enticing left to attract attention
replication mechanism
something that allows a virus to copy itself
passphrase
something that protects the private key in PGP
follower jamming
something where the jammer cannot anticipate when the next pulse will arrive, and so has to follow it can only make false targets that appear to be further away.
encryption
something which renders the contents of a message unintelligible to anyone not possessing some secret information
leading-edge tracker
something which responds only to the first return pulse of a rader
data encryption standard
something which was intended for all US government information that need protection but was not covered under existing laws and therefore entitled to protection under those laws.
mebroot
spreads via drive-by downloads delivered by exploit sites, installs a sophisticated root kit, provides a generic infrastructure to deploy malware
modern cryptographic era practices
standardization of cryptographic primitives, invention of public key cryptography, formalization of security definitions, growth of computing and the internet, liberalization of cryptographic restrictions
spoofing
substituting bogus alarm equipment, or using a computer that mimics it
security education
teach users, developers, and administrators, teach a hacking class and the inner workings of attacks, hold live security competitions,
snitchware
technology that collects and forwards information about an online subscriber without their authorization
ciphertext
text that is usually decrypted into usable plaintext
access
the ability to do something with a computer resource (e.g., use, change, or view).
authorization
the act of checking to see if a user has the proper permission to access a particular file or perform a particular action, assuming that user has successfully authenticated himself
Sun's Network File System (NFS)
the de facto standard for Unix file sharing
what the internet was designed to do
the internet wasn't designed with any particular purpose in mind. This meant that what the internet could do wasn't limited very much. The internet also wasn't designed to be binding on any particular geographical location at the time of its creation.
pharming
the manipulation of DNS records
jamming margin
the maximum tolerable ratio of jamming power to signal power, is essentially the process gain modulo implementation and other losses (strictly speaking, process gain divided by the minimum bit energy-to noise density ratio).
information
the meanings and interpretations that people place upon facts, or data
information assurance
the methods for managing the risks of information assets
bottom pin/key pin
the pin in the lock that makes direct contact with the key
ghosting
the practice of swapping vehicles halfway throughout the working day
entity authentication
the process of determining if an entity is who it claims to be.
user authentication
the process of determining that a user is who he/she claims to be.
enumeration
the process of obtaining information directly from the target systems, applications, and networks
conical scan
the radar beam would be tracked in a circle around the target's position, and the amplitude of the returns could drive positioning servos (and weapon controls) directly
reconnaissance
the search for any available information on the target to assist in planning or executing the test
application relay
the third type of firewall, which acts as a proxy for one or more services, such as mail, telnet, and Web. It's at this level that you can enforce rules such as stripping out macros from incoming Word documents, and removing active content from Web pages. These can provide very comprehensive protection against a wide range of threats. The downside is that application relays can turn out to be serious bottlenecks. They can also get in the way of users who want to run the latest applications.
codes
things which replace a piece of plaintext with a specified code word. Codes are essentially a substitution cipher, but can replace strings of symbols rather than just individual symbols.
internal threats
threats originating from within the network. Examples include malicious employees, employees that are not malicious but make mistakes, such as mistakes made from deployments and implementations, etc.
the usual goal with a self-protection jammer
to deny range and bearing information to attackers
goal of penetration testing
to gain awareness and a detailed understanding of the state of the security environment
partial band jamming
to jam enough of the band to introduce an unacceptable error rate in the signal.
time difference of arrival
to locate a suspect signal rapidly, accurately, and automatically by comparing the phase of the signals received at two sites.
one of the ways in which you get your staff to accept dual controls and integrate them into their work culture
to show the staff that these controls protect them and the assets
cryptography
transformation of message under the control of a secret key, it is now the best settled part of information security
how to elminiate DDOS attacks
use ingress filtering, develop techniques for rapidly tracking these attacks to their source, and notifying the people who need to secure their broken servers, or the providers who need to put blocks in place to shut down an attack at its many sources
ICMP (Internet Control Message Protocol)
used by a router to exchange the information with other routers
UDP (User Datagram Protocol)
used for information that requires no response, such as streaming audio and video
proxy server
used to access Web pages by the other computers. When another computer requests a Web page, it is retrieved by the proxy server and then sent to the requesting computer. The net effect of this action is that the remote computer hosting the Web page never comes into direct contact with anything on your home network, other than the proxy server. can also make your Internet access work more efficiently. If you access a page on a Web site, it is cached (stored) on the proxy server. This means that the next time you go back to that page, it normally doesn't have to load again from the Web site. Instead it loads instantaneously from the proxy server.
TCP (Transmission Control Protocol)
used to break apart and rebuild information that travels over the Internet
Simple Network Management Protocol (SNMP)
used to collect system information from a remote computer
FTP (File Transfer Protocol)
used to download and upload files
Telnet
used to perform commands on a remote computer
SMTP (Simple Mail Transfer Protocol
used to send text-based information (e-mail)
Dynamic SOD
user may not have certain roles activated together in a session.
Static SOD
user may not have certain roles together in their user-role assignment
SSL
uses TCP to provide reliable end-to-end secure service and in general can be used for secure data transfer for any network service running over TCP/IP
authentication and integrity
verifies the origin of data, assures that the data sent is the data received, assures that the network headers have not changed since the data was sent.
application-logic vulnerabilities
vulnerabilities that are there because the application is doing something particular
access control
way of controlling access to web resources, including restrictions based on things like the time of day, the IP address of the HTTP client browser, the domain of the HTTP client browser, the type of encryption the HTTP client can support, number of times the user has authenticated that day, the possession of any number of types of hardware/software tokens, or any other derived variables that can be extracted or calculated easily.
direct sequence spread spectrum
we multiply the information-bearing sequence by a much higher-rate pseudorandom sequence, usually generated by some kind of stream cipher
the data will come to us
we will have sensor networks everywhere and smart grids such as tracking of different variables and hybrid and plug-in vehicles,
problems with classical crypto
weak: These systems can be cracked with modern computers Informal: There weren't publicly available security definitions or proofs of security Closed: Cryptographic knowledge and technology was primarily only available to military or intelligence agencies Key distribution: The number of keys in the system grows quadratically with the number of parties
payload
what a virus does to your system.
code division multiple access
what the commercial world calls DSSS
imprinting
when a newborn baby animal recognizes as its mother the first moving object that makes a sound.
overrun problem
when bad guys overrun good guys by taking control of their devices and still pretend to be good guys
sniffing/eavesdropping
when information remains intact, but its privacy is compromised. For example. someone could learn your credit card number, record a sensitive conversation, or intercept classified information.
reverse social engineering
when the hacker creates a persona that appears to be in a position of authority so that employees will ask him for information, rather than the other way around
chirp
when the underlying modulation scheme of DSSS is FM rather than AM
man in the middle attack
where an attacker can insert themselves 'between' two communicating parties and intercept the traffic, read it, and perhaps alter it
interference cancellation
where the idea is to communicate in a band you are jamming and whose jamming waveform is known to your own radios, so they can cancel it out or hop around it
repeater jamming
where the jammer follows a hopper as closely as it can
swept-frequency jamming
where the jammer sweeps repeatedly through the target frequency band
the four phases of negotiation
1. Client sends to server: SSL version, random (used to protect key exchange, session ID, CipherSuite 2. Server sends back: SSL version, random (a different number is generated, session ID, Cipher Suite
sequence number
A 32-bit field containing a sequence number for each datagram; initially set to 0 at the establishment of an SA. AH uses sequence numbers as an anti-replay mechanism, to prevent a "person-in-the-middle" attack. If anti-replay is enabled (the default), the transmitted Sequence Number is never allowed to cycle back to 0; therefore, the sequence number must be reset to 0 by establishing a new SA prior to the transmission of the 232nd packet.
Elliptic Curve Cryptography (ECC)
A PKC algorithm based upon elliptic curves. ECC can offer levels of security with small keys comparable to RSA and other PKC methods. It was designed for devices with limited compute power and/or memory, such as smartcards and PDAs. More detail about ECC can be found below in Section 5.8. Other references include the Elliptic Curve Cryptography page and the Online ECC Tutorial page, both from Certicom. See also RFC 6090 for a review of fundamental ECC algorithms and The Elliptic Curve Digital Signature Algorithm (ECDSA) for details about the use of ECC for digital signatures.
non-repudiation
A mechanism to prove that the sender really sent this message.
Key Exchange Algorithm (KEA).
A variation on Diffie-Hellman; proposed as the key exchange method for the NIST/NSA Capstone project.
a significant difference in the scope of ESP and AH
AH authenticates the entire packet transmitted on the network whereas ESP only covers a portion of the packet transmitted on the network (the higher layer data in transport mode and the entire original packet in tunnel mode). The reason for this is straight-forward; in AH, the authentication data for the transmission fits neatly into an additional header whereas ESP creates an entirely new packet which is the one encrypted and/or authenticated
Diffie Hellman algorithm
After the RSA algorithm was published, Diffie and Hellman came up with their own algorithm. D-H is used for secret-key key exchange only, and not for authentication or digital signatures.
the world's response to the phenomenon of the first world war:
Automation of cryptography, key management, central facility
the state of public key encryption today
Currently uses the advanced encryption standard, which was chosen to be very secure in an international contest, and was a belgian designed algorithm adopted as a US standard: FIPS 197. CNSS 15 sprint 2003 was approved for protection of classified information. Cryptography has been standardized. AES has been adopted, which supports 128, 192, 256 bit keys. Elliptic key cryptography (second generation public key cryptography): Keys about twice the length of conventional keys, faster as a result, NSA has indicated it is switching in the next five years. Hash functions SHA 256, 384 512 (Field still open). Public key cryptography has made the use of cryptography in much more diverse communities possible. Cyrptography alone cannot protect us from threats.
types of cyber threats
DOS, malicious software, password crackers, spoofing/masquerading, sniffers, back door/trap door, emanation detection, unauthorized targeted data mining, dumpster diving, eavesdropping and tapping, social engineering, phishing, theft
Homeland Security Presiential Directive HSPD - 12
Defines the Federal standard for secure and reliable forms of identification Executive departments and agencies shall have a program to ensure that identification meets the standard Executive departments and agencies shall identify information systems that are important for security.
ElGamal
Designed by Taher Elgamal, a PKC system similar to Diffie-Hellman and used for key exchange
Torpig's HTML injection
Domains of interest stored in file, when a domain of interest is visited,
IP Addresses
Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four "octets" in a "dotted decimal number." A typical IP address looks like this: 216.27.61.137. For example, if a certain IP address outside the company is reading too many files from a server, the firewall can block all traffic to or from that IP address
Triple DES (3DES)
Effectively a 112 bit cipher, still in use
Problems with IPSec
Excessively complex and difficult to use, Routers need to be made IPSec aware
Transport Layer Security
Extension of SSL, aim is to provide security and data integrity features at the transport layer between two web applications, supported by most web servers and browsers today.
predict behavior
Extract information that can be used to foresee the future
current problems with public key cryptography
Giving out lots and lots of public keys, sign once, verify often, high speed, low power, and improved hash functions
some SSL based services
HTTPS: Port number 443 LDAP: Port number 646 SMTP: Port number 465 POP3: Port number 995
range gate pull-off
Here, the jammer transmits a number of fake pulses that are stronger than the real ones, thus capturing the receiver, and then moving them out of phase so that the target is no longer in the receiver's range gate
some of the attacks that can be made on packet filtering firewalls
IP address spoofing, tiny fragment attacks, and source routing attacks
build a response plan and emergency response team
If you do not have this, then you probably do not have a security policy either, which is not good. Other articles on this site cover this in more detail, just remember, you need a security policy and one of the sections in that policy should state what you are going to do when a threat against your assets does emerge. Hopefully you have a guided step by step plan, and also some help in pulling it off. When a threat against your assets emerges, firefighting will become your only option if you are not properly prepared.
firewall configurations
In addition to the use of simple configuration of a single system, more complex configurations are possible. Three common configurations are in popular use. Single homed host, dual homed host, Screened subnet.
summary of first lecture for module 1
Information Assurance is now the primary requirement for designing of government networks The virulence of attacks is rising faster than the capabilities of defenses Information Assurance will have to migrate from defending desktops, laptops and PDAs to protecting the network Information Assurance offers attractive career opportunities.
the risk of loss of money and profit
It can't really be put more easily than that. If you ignore the initial investment, you gamble. When you gamble, sometimes you win, sometimes you lose. It's in my opinion that companies are structured to not be a gamble, especially when people are investing in it because they have faith in the viability of the company. If they knew that internal resources where playing games with the security of the data that they invest in, would they continue to do so?
operating system bugs
Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that an experienced hacker can take advantage of.
screened subnet firewall configuration
Most secure configuration of the three. Two packet filtering routers are used, creation of an isolated subnetwork. There are three levels of defense to thwart intruders. The outside router advertises only the existence of the screened subnet to the internet. The internal network is invisible to the internet. The inside router advertises only the existence of the screened subnet to the internal network. The systems on the inside network cannot construct direct routes to the internet.
Designated Approving Authority (DAA)
Official with the authority to formally assume responsibility for operating a system at an acceptable level of risk.
packet filtering
Packets (small chunks of data) are analyzed against a set of filters. Packets that make it through the filters are sent to the requesting system and all others are discarded.
the risk of loss of IT staff
People get fed up eventually and move on to more serious companies, it's just a fact of life. To not look at your staff as an asset is dangerous, very dangerous.
viruses
Probably the most well-known threat is computer viruses. A virus is a small program that can copy itself to other computers. This way it can spread quickly from one system to the next. Viruses range from harmless messages to erasing all of your data.
Core RBAC
RBAC with no hierarchy
hierarchical RBAC
RBAC with role hierarchy
HTTPS
SHTTP and HTTPS are not the same. HTTPS is an alternative to SHTTP. HTTP runs on top of SSL or TSL for secured transactions
SMTP session hijacking
SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited junk e-mail (spam) to thousands of users. This is done quite often by redirecting the e-mail through the SMTP server of an unsuspecting host, making the actual sender of the spam difficult to trace.
FISMA requirements
Security controls must be incorporated into systems Systems must meet the security requirements of NIST 800-53 Security controls must contain the management, operational, and technical safeguards or countermeasures The controls must be documented in this security plan.
CNC & exploit servers are vulnerable to take down.
So bots periodically generate new domain names for C&C expoit servers.
the reasons for poor performance of intrusion detection systems
The Internet is a very "noisy" environment, not just at the level of content but also at the packet level. A large amount of random crud arrives at any substantial site, and enough of it can be interpreted as hostile to generate a significant false alarm rate. A survey by Bellovin [89] reports that many bad packets result from software bugs; others are the fault of out-of-date or corrupt DNS data; and some are local packets that escaped, travelled the world, and returned. There are too few attacks. If there are ten real attacks per million sessions—which is almost certainly an overestimate—then even if the system has a false alarm rate as low as 0.1%, the ratio of false to real alarms will be 100. I talked about similar problems with burglar alarms in Chapter 10; it's also a well known issue for medics running screening programs for diseases such as HIV where the test error exceeds the organism's prevalence in the population. In general, where the signal is so far below the noise, an alarm system is likely to so fatigue the guards that even the genuine alarms get missed. Many network attacks are-specific to particular versions of software, so most of them concern vulnerabilities in old versions. Thus, a general misuse detection tool must have a large, and constantly changing, library of attack signatures. In many cases, commercial organizations appear to buy intrusion detection systems simply to tick a "due diligence" box. This is done to satisfy insurers or consultants. Encrypted traffic, such as SSL-encrypted Web sessions, can't easily be subjected to content analysis or filtered for malicious code. It's theoretically possible to stop the encryption at your firewall, or install a monitoring device with which your users share their confidentiality keys. However, in practice, this can be an absolute tar-pit. The issues raised in the context of firewalls largely apply to intrusion detection, too. You can filter at the packet layer, which is fast but can be defeated by packet fragmentation; you can reconstruct each session, which takes more computation and so is not really suitable for network backbones; or you can examine application data, which is more expensive still, and needs to be constantly updated to cope with the arrival of new applications. master keying allows much greater convenience not just to the building occupants but also to the burglar an entry control system should be managed like any other computer system purchase, with very careful attention to maintenance costs, standards, extensibility, and total cost of ownership A common mistake when designing alarm systems is to be captivated by the latest sensor technology you have to look carefully at the circumstances, and decide whether the bigger problem is with detection, with delay or with response. False alarms — whether induced deliberately or not — are the bane of the industry. They provide a direct denial-of-service attack on the alarm response force sites with a serious physical protection requirement typically have several concentric perimeters The more usual attack on communications is to go for the link between the alarm controller and the security company which provides or organizes the response force. the natural human willingness to accept someone at his or her word leaves many of us vulnerable to attack The most prevalent type of social engineering attack is conducted by phone. A hacker will call up and imitate someone in a position of authority or relevance and gradually pull information out of the user. Help desks are particularly prone to this type of attack. Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator, so caller-ID is not always the best defense hackers can gain useful information through dumpster diving and online social engineering. Never give your passwords in clear text if at all mail attachments sent from someone of authenticity can carry viruses, worms and Trojan horses To social engineer, never ask for too much information at a time, but to ask for a little from each person in order to maintain the appearance of a comfortable relationship Some common roles that may be played in impersonation attacks include: a repairman, IT support, a manager, a trusted third party (for example, the President's executive assistant who is calling to say that the President okayed her requesting certain information), or a fellow employee. In a huge company, this is not that hard to do. There is no way to know everyone - IDs can be faked. Most of these roles fall under the category of someone with authority, which leads us to ingratiation. Most employees want to impress the boss, so they will bend over backwards to provide required information to anyone in power. Conformity is a group-based behavior, but can be used occasionally in the individual setting by convincing the user that everyone else has been giving the hacker the same information now requested When in doubt, the best way to obtain information in a social engineering attack is just to be friendly. The idea here is that the average user wants to believe the colleague on the phone and wants to help, so the hacker really only needs to be basically believable. the three parts of reverse social engineering attacks are sabotage, advertising, and assisting IPv6 was implemented because the internet was beginning to run out of IP addresses It is starting that you can get digital signatures to verify the binding of a domain name and IP address electricity consuming devices will be increasingly on the net because it is easier to make them cooperate when they are facing a power max out Once you release a system like the internet to the general public, you have to deal with the dishonesty of some of the general public. One of the hardest problems in designing a system like the internet is how to figure out that a configuration is wrong. In general, anything that allows data to be written to disk can be used to execute a denial-of-service attack if there are no bounds on the amount of data that can be written.
Digital Signature Algorithm
The algorithm specified in NIST's Digital Signature Standard (DSS), provides digital signature capability for the authentication of messages
process gain
The ratio of the input signal's bandwidth to that of the transmitted signal
DNS names
There are many times when applications need to authenticate other hosts or applications. IP addresses or DNS names may appear like a convenient way to do this. However the inherent insecurities of DNS mean that this should be used as a cursory check only, and as a last resort.
reserved
This 16-bit field is reserved for future use and always filled with zeros.
bumping
This technique enables many locks to be opened quickly and without damage by unskilled people using tools that are now readily available. Its main target is the pin-tumbler lock originally patented by Linus Yale in 1860
Triple ECB (Electronic Code Book)
This variant of Triple DES works exactly the same way as the ECB mode of DES. Triple ECB is the type of encryption used by Private Encryptor. This is the most commonly used mode of operation.
spam
Typically harmless but always annoying, spam is the electronic equivalent of junk mail. Spam can be dangerous though. Quite often it contains links to Web sites. Be careful of clicking on these because you may accidentally accept a cookie that provides a backdoor to your computer.
Top 10 secure coding practices
Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious of most external data sources, including command line arguments, network interfaces, environmental variables, and user controlled files [Seacord 05]. Heed compiler warnings. Compile code using the highest warning level available for your compiler and eliminate warnings by modifying the code [C MSC00-A, C++ MSC00-A]. Use static and dynamic analysis tools to detect and eliminate additional security flaws. Architect and design for security policies. Create a software architecture and design your software to implement and enforce security policies. For example, if your system requires different privileges at different times, consider dividing the system into distinct intercommunicating subsystems, each with an appropriate privilege set. Keep it simple. Keep the design as simple and small as possible [Saltzer 74, Saltzer 75]. Complex designs increase the likelihood that errors will be made in their implementation, configuration, and use. Additionally, the effort required to achieve an appropriate level of assurance increases dramatically as security mechanisms become more complex. Default deny. Base access decisions on permission rather than exclusion. This means that, by default, access is denied and the protection scheme identifies conditions under which access is permitted [Saltzer 74, Saltzer 75]. Adhere to the principle of least privilege. Every process should execute with the the least set of privileges necessary to complete the job. Any elevated permission should be held for a minimum time. This approach reduces the opportunities an attacker has to execute arbitrary code with elevated privileges [Saltzer 74, Saltzer 75]. Sanitize data sent to other systems. Sanitize all data passed to complex subsystems [C STR02-A] such as command shells, relational databases, and commercial off-the-shelf (COTS) components. Attackers may be able to invoke unused functionality in these components through the use of SQL, command, or other injection attacks. This is not necessarily an input validation problem because the complex subsystem being invoked does not understand the context in which the call is made. Because the calling process understands the context, it is responsible for sanitizing the data before invoking the subsystem. Practice defense in depth. Manage risk with multiple defensive strategies, so that if one layer of defense turns out to be inadequate, another layer of defense can prevent a security flaw from becoming an exploitable vulnerability and/or limit the consequences of a successful exploit. For example, combining secure programming techniques with secure runtime environments should reduce the likelihood that vulnerabilities remaining in the code at deployment time can be exploited in the operational environment [Seacord 05]. Use effective quality assurance techniques. Good quality assurance techniques can be effective in identifying and eliminating vulnerabilities. Fuzz testing, penetration testing, and source code audits should all be incorporated as part of an effective quality assurance program. Independent security reviews can lead to more secure systems. External reviewers bring an independent perspective; for example, in identifying and correcting invalid assumptions [Seacord 05]. Adopt a secure coding standard. Develop and/or apply a secure coding standard for your target development language and platform. Bonus Secure Coding Practices Define security requirements. Identify and document security requirements early in the development life cycle and make sure that subsequent development artifacts are evaluated for compliance with those requirements. When security requirements are not defined, the security of the resulting system cannot be effectively evaluated. Model threats. Use threat modeling to anticipate the threats to which the software will be subjected. Threat modeling involves identifying key assets, decomposing the application, identifying and categorizing the threats to each asset or component, rating the threats based on a risk ranking, and then developing threat mitigation strategies that are implemented in designs, code, and test cases [Swiderski 04].
remote login
When someone is able to connect to your computer and control it in some form. This can range from being able to view or access your files to actually running programs on your computer.
risk assessments
You have to know what your tolerance to risk is, once you do know, it's critical that you see how at risk you really are to certain threats. This is done with a risk assessment, which is a big name for 'checking the security of your systems and then seeing how at risk you are to known threats.
group
a collection of users
HMAC
a keyed-hashing message authentication code described in FIPS 198 and RFC 2104. HMAC uses a shared secret key between two parties rather than public key methods for message authentication. The generic HMAC procedure can be used with just about any hash algorithm, although IPsec specifies support for at least MD5 and SHA-1 because of their widespread use. both parties share a secret key. The secret key will be employed with the hash algorithm in a way that provides mutual authentication without transmitting the key on the line. IPsec key management procedures will be used to manage key exchange between the two parties.
shear line
a straight line in a lock that allows the key to be turned
IPsec
a suite of protocols providing a mechanism to provide data integrity, authentication, privacy, and nonrepudiation for the classic Internet Protocol (IP) can provide either message authentication and/or encryption. The latter requires more processing than the former, but will probably end up being the preferred usage for applications such as VPNs and secure electronic commerce.
asymmetric attack
an attack that can be executed with limited resources against a large, sophisticated site
Synchronous Stream Ciphers
ciphers that generate the keystream in a fashion independent of the message stream but by using the same keystream generation function at sender and receiver.
confidentiality
encrypts data to protect against eavesdropping. Can hide data source when encryption is used over a tunnel
clocked
had indicated mileage reduced
HTTP (Hyper Text Transfer Protocol)
used for Web pages
public key signatures
Alice generates a key pair. Alice publishes her verifying key. Alice signs a message. Bob verifies a signature with her verifying key. Is a public key signature scheme possible? How do we distribute verification keys? RSA is a fixed size. How do we sign big messages?
next header
An 8-bit field that identifies the type of the next payload after the Authentication Header.
what to look at when designing an intranet
Analysis of the organization flow. Identify various cross-sections of employees and their access privelages. Enforce authentication mechanisms
redirect bombs
Hackers can use ICMP to change (redirect) the path information takes by sending it to a different router. This is one of the ways that a denial of service attack is set up.
source routing
In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network! Most firewall products disable source routing by default.
Implications of Smart Attackers
Viruses are sufficiently smart to learn about defenses and reconfigure attacks accordingly. Static defenses will not work anymore Vulnerability is in software and almost none in hardware Networks must have the capability to actively intercept and neutralize the attackers Protection must move from devices (clients) and servers to the network.
what dominates thinking today about cryptography
You can put all of the ingenuity into developing the public key and make the private key very cheap.
operation
a unit of control that can be referenced by an individual role, subject to regulatory constraints within the RBAC framework
misuse detection systems
detection systems which use a model of the likely behavior of an intruder
Torpig
distributed via Mebroot, steals sensitive information and uses HTTP injection for phishing, uses domain flux to locate C&C server
frequency hoppers
do exactly as their name suggests: they hop rapidly from one frequency to another, with the sequence of frequencies determined by a pseudorandom sequence known to the authorized principals.
steps to keep from being used in DDOS attacks
ensure that packets are being filtered at the point where you connect to the internet, secure your machines, block IP directed broadcast packets (Packets directed at the broadcast address from outside the net) at the border
technical safeguards
these are like a bailout procedure when something inevitably goes wrong with the computer system.
chaff
thin strips of conducting foil cut to a half the wavelength of the target signal, then dispersed to provide a false return
velocity gates
things that restrict attention to targets whose radial speed with respect to the antenna is within certain limits.
the two different types of security failure
those that cause an error, and those that don't
epidemic threshold
when the rate of replication of a virus exceeds that of its removal
POP3
A protocol using which email systems retrieve mails from the mail server
McEliece
A public-key cryptosystem based on algebraic coding theory
payload length
An 8-bit field that indicates the length of AH in 32-bit words (4-byte blocks), minus "2". [The rationale for this is somewhat counter intuitive but technically important. All IPv6 extension headers encode the header extension length (Hdr Ext Len) field by first subtracting 1 from the header length, which is measured in 64-bit words. Since AH was originally developed for IPv6, it is an IPv6 extension header. Since its length is measured in 32-bit words, however, the Payload Length is calculated by subtracting 2 (32 bit words) to maintain consistency with IPv6 coding rules.] In the default case, the three 32-bit word fixed portion of the AH is followed by a 96-bit authentication value, so the Payload Length field value would be 4.
email bombs
An e-mail bomb is usually a personal attack. Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages.
Internet Advantage
Any properly configured computer can act as a host for a personal web-page Any of several hundred million other computers can view that personal web page Any of several hundred million other computers can connect to another computer capable of delivering an information processing service.
Port
Any server machine makes its services available to the Internet using numbered ports, one for each service that is available on the server (see How Web Servers Work for details). For example, if a server machine is running a Web (HTTP) server and an FTP server, the Web server would typically be available on port 80, and the FTP server would be available on port 21. A company might block port 21 access on all machines but one inside the company.
SSL Record Header
Consists of content type, major and minor version numbers, and compressed length
the priorities of electronic warfare
Denial of service, which includes jamming, mimicry and physical attack. 2. Deception, which may be targeted at automated systems or at people. 3. Exploitation, which includes not just eavesdropping but obtaining any operationally valuable information from the enemy's use of his electronic systems.
privacy/confidentiality
Ensuring that no one can read the message except the intended receiver.
detecting attacks against web clients
High interaction honeyclients visit webpages and recored modifications to the underlying system, unexpected changes are attributed to attacks. Defenders need to know in advance the components that will be targeted by attacks. Configuration can be complex and incomplete. Some of the vulnerable components are incompatible with one another, limited explanatory power.
HIDS
Host intrusion detection systems are installed locally on host machines making it a very versatile system compared to NIDS. HIDS can be installed on many different types of machines namely servers, workstations and notebook computers. Doing so gives you the edge that NIDS does not have especially if you have a segment that you NDIS can not reach beyond. Traffic transmitted to the host is analyzed and passed onto the host if there are not potentially malicious packets within the data transmission. HIDS are more focused on the local machines changing aspect compared to the NIDS. NIDS focus more greatly on the network those specific hosts themselves. HIDS is also more platform specific and caters strongly in the windows market of the computing world however there are products available that function in the UNIX and other OS topology environments
the risk of the loss of customer satisfaction
I don't know how you feel personally, but I get really annoyed when I pay top dollar for a service that is not reliable. For instance, when I pay for a telecom bill (T1, top dollar) and the thing won't stay up most of the time. Well, I may just take my business elsewhere because I as a customer am not happy with the level of service. Think of the same thing with your own services you provide... something as simple as not taking your Network Administrators request for a clustered database server seriously because the upfront costs are 'in your mind' astronomical, but when the thing goes down, puts all your workers on immediate coffee break because they cant access data, and your customers on hold because they can process their credit cards online when they were trying to buy 'your' goods. Still think that that clustered solution costs too much? Remember... you raise risk, encourages more threats, loss of assets. It's a gamble, really.
IP Address Spoofing
IP address spoofing is also possible in certain circumstances and the designer may wish to consider the appropriateness. In general use gethostbyaddr() as opposed to gethostbyname(). For stronger authentication you may consider using X.509 certificates or implementing SSL.
all risk assessments generally include the following elements
Identifying threats that could harm and, thus, adversely affect critical operations and assets. Threats include such things as intruders, criminals, disgruntled employees, terrorists, and natural disasters. Estimating the likelihood that such threats will materialize based on historical information and judgment of knowledgeable individuals. Identifying and ranking the value, sensitivity, and criticality of the operations and assets that could be affected should a threat materialize in order to determine which operations and assets are the most important. Estimating, for the most critical and sensitive assets and operations, the potential losses or damage that could occur if a threat materializes, including recovery costs. Identifying cost-effective actions to mitigate or reduce the risk. These actions can include implementing new organizational policies and procedures as well as technical or physical controls. Documenting the results and developing an action plan
intrusion detection system
Intrusion Detection System (IDS) is an essential tool that compliments any security suite such as a firewall and a good antivirus. These tools are ineffective if used separately as each one is tailored to fight off attackers in specific focused areas. It is good practice to build a security suite with well recognized reliable technologies that have been tried and tested, ensuring that the IDS application chosen suits your organizations needs closely like a well tailored piece of clothing. An IDS system is used to make security professional aware of packets entering and leaving the monitored network. IDS are often used to sniff out network packets giving you a good understanding of what is really happening on the network. There are two mainstream options when implementing IDS Host based IDS and Network based IDS. Some IDS have the capability of distinguishing different types of network traffic on the same port number and it can show you if the request is an HTTP request on port 80 or if the user is using the preferred instant messaging system over port 80. IDS have the ability to drop malicious packets that may cause your network harm, the systems used to detect bad things that are happening, a system that monitors the logs and draws the attention of authority to suspicious occurrences
Hire a Security Professional
It should be considered. That should be part of your risk assessment and your action plan based on what you find. Think of it like this, if you find too much at risk, calculate a days lost profits against the hiring of a dedicated resource and generally you will always find that the resource was cheaper in the long run. Remember our last example? The down website for a week? Of course, its human nature to love the risk of gambling, but when working for a public company, what is it you are gambling with? Stockowner's money... for a private company, you are gambling with the profits of the company for the owners and potentially yourself. If you are a very large organization, you should consider a dedicated resource or staff augmentation. I personally don't like staff augmentation because security is very sensitive, the person knows 'too' much about your network and how it runs, all the ways in and out. I like knowing that that person works for me; I get to toss back a beer with that person, know that person a little bit better, and learn their motivations. Not 'someone' who works for a company or me - part time. Not to say that this is not a trustworthy individual, I have met many that are, but this is just personal preference. Many times management teams want to save a nickel and go this route. It's a decent solution, but not the best. That person does not have to be on staff permanently (it can be a consultant who comes in and does analysis work on your network once a month if even that minimal), but again - it's still a little risky. The worse thing you can do is to ignore it completely this will get you in a lot of trouble once a true threat emerges, especially if it's serious enough. Do not ignore security ... you lock your front door when you leave your house?
Get executive buy-in
Once you have your analysis done, you need to hand it in. (Hopefully in an official report). You really need upper managements support on taking this seriously. If something needs to be done (whether it be to get new systems, upgrade... whatever), you will most likely need some type of budget to do so. Even though many companies 'talk the talk', they are not 'walking the walk' when it comes to building a secure infrastructure. If you do not have support for this, you will need to achieve it. Having upper management (and Human Resources) blessing will help enforcement of all new policies put in place, help get monies needed to deploy a security network/system's infrastructure and so on. This is critical to protecting your assets... make management aware that the assets are at risk by threats. (Starting to get a clear view between the balancing of Assets/Threat?)
Forms Based Authentication
Rather than relying on authentication at the protocol level, web based applications can use code embedded in the web pages themselves. Specifically, developers have previously used HTML FORMs to request the authentication credentials (this is supported by the TYPE=PASSWORD input element). This allows a designer to present the request for credentials (Username and Password) as a normal part of the application and with all the HTML capabilities for internationalization and accessibility. While dealt with in more detail in a later section it is essential that authentication forms are submitted using a POST request. GET requests show up in the user's browser history and therefore the username and password may be visible to other users of the same browser. Of course schemes using forms-based authentication need to implement their own protection against the classic protocol attacks described here and build suitable secure storage of the encrypted password repository. A common scheme with Web applications is to prefill form fields for users whenever possible. A user returning to an application may wish to confirm his profile information, for example. Most applications will prefill a form with the current information and then simply require the user to alter the data where it is inaccurate. Password fields, however, should never be prefilled for a user. The best approach is to have a blank password field asking the user to confirm his current password and then two password fields to enter and confirm a new password. Most often, the ability to change a password should be on a page separate from that for changing other profile information. This approach offers two advantages. Users may carelessly leave a prefilled form on their screen allowing someone with physical access to see the password by viewing the source of the page. Also, should the application allow (through some other security failure) another user to see a page with a prefilled password for an account other than his own, a "View Source" would again reveal the password in plain text. Security in depth means protecting a page as best you can, assuming other protections will fail. Note: Forms based authentication requires the system designers to create an authentication protocol taking into account the same problems that HTTP Digest authentication was created to deal with. Specifically, the designer should remember that forms submitted using GET or POST will send the username and password in effective clear-text, unless SSL is used.
protocols required to establish the SSL connection
SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol
contents of ESP packet
Security Parameters Index: An arbitrary 32-bit value that, in combination with the destination IP address and security protocol, uniquely identifies the Security Association for this datagram. The value 0 is reserved for local, implementation-specific uses and values between 1-255 are reserved by the Internet Assigned Numbers Authority (IANA) for future use. Sequence Number: A 32-bit field containing a sequence number for each datagram; initially set to 0 at the establishment of an SA. AH uses sequence numbers as an anti-replay mechanism, to prevent a "person-in-the-middle" attack. If anti-replay is enabled (the default), the transmitted Sequence Number is never allowed to cycle back to 0; therefore, the sequence number must be reset to 0 by establishing a new SA prior to the transmission of the 232nd packet. Payload Data: A variable-length field containing data as described by the Next Header field. The contents of this field could be encrypted higher layer data or an encrypted IP packet. Padding: Between 0 and 255 octets of padding may be added to the ESP packet. There are several applications that might use the padding field. First, the encryption algorithm that is used may require that the plaintext be a multiple of some number of bytes, such as the block size of a block cipher; in this case, the Padding field is used to fill the plaintext to the size required by the algorithm. Second, padding may be required to ensure that the ESP packet and resulting ciphertext terminate on a 4-byte boundary. Third, padding may be used to conceal the actual length of the payload. Unless another value is specified by the encryption algorithm, the Padding octets take on the value 1, 2, 3, ... starting with the first Padding octet. This scheme is used because, in addition to being simple to implement, it provides some protection against certain forms of "cut and paste" attacks. Pad Length: An 8-bit field indicating the number of bytes in the Padding field; contains a value between 0-255 Next Header: An 8-bit field that identifies the type of data in the Payload Data field, such as an IPv6 extension header or a higher layer protocol identifier Authentication Data: A variable-length, 32-bit aligned field containing the Integrity Check Value (ICV) for this packet (default length = 96 bits). The ICV is computed using the authentication algorithm specified by the SA, such as DES, MD5, or SHA-1. Other algorithms may also be supported.
virtual private network
The idea here is that a number of branches of a company, or a number of companies that trade with each other, arrange for traffic between their sites to be encrypted at their firewalls. This way the Internet can link up their local networks, but without their traffic being exposed to eavesdropping.
Physical Destruction or Alteration of Network Components DOS Attack
The primary concern with this type of attack is physical security. You should guard against unauthorized access to computers, routers, network wiring closets, network backbone segments, power and cooling stations, and any other critical components of your network.
macros
To simplify complicated procedures, many applications allow you to create a script of commands that the application can run. This script is known as a macro. Hackers have taken advantage of this to create their own macros that, depending on the application, can destroy your data or crash your computer.
SSL Handshake Protocol
Used to initiate a session between server and client, within the application data, algorithms and keys used for encryption can be negotiated, process of mutual authentication, process of negotiation divided into four phases
SSL Alert Protocol
Used to send session messages associated with data exchange and functioning of the protocol. Each message consists of two bytes. First byte is either 1 (Warning) or 2 (Fatal). If fatal, the SSL session is terminated. Second byte contains one of the defined error codes.
steps to prevent a DDOS attack
You can make yourself harder to target by distributing your website over multiple server farms, with multiple points of contact to the Internet. However, this gets expensive very fast discuss with your Internet connectivity provider what they would be able to do to help you in the face of such an attack the only real defense against DDoS today is to not be sufficiently newsworthy to attract the attention of an attacker
resurrecting duckling security policy model
a "newborn" vehicle unit, just removed from the shrink wrap, will recognize as its owner the first gearbox sensor that sends it a secret key
block cipher
a cipher where the scheme encrypts one block of data at a time using the same key on each block.
repeater
a coherent thing, that is, with the right waveform, that retransmits the radar signal with a systematic change in delay and/or frequency
thread
a collection of tasks that must be performed in a specific order to achieve a specific attack goal
transponder
a noncoherent thing where you retransmit the radar signal with a systematic change in delay and/or frequency
choke
a packet filter
bitting
a pin position in a lock
design goals
all traffic from inside to outside must pass through the firewalll. Only authorized traffic will be allowed to pass, which is defined by local security policy. The firewall itself is immune to penetration. Use of trusted system with secure operating system.
how public key cryptography works
anyone can encrypt a message, but only one person can decrypt a message
packet filtering firewall
applies a set of rules to each incoming IP packet and then forwards or discards the packet. Typically based on IP address or port numbers. Filter packets going in both directions, the packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header. Two default policies (discard or forward). Advantages: Simplicity, transparency to users, high speed, Disadvantages: Difficulty of setting up packet filter rules, lack of authentication.
risk management cycle
assess risk and determine needs, implement policies and controls, promote awareness, monitor and evaluate, repeat
Self-synchronizing stream ciphers
ciphers which calculate each bit in the keystream as a function of the previous n bits in the keystream
stream ciphers
ciphers which operate on a single bit at a time and implement some form of feedback mechanism so that the key is constantly changing
range gate
circuitry that focuses on targets within a certain range of distances from the antenna
communications intelligence
collects enemy communications, including both message content and traffic data about which units are communicating
message digests
compress input to fixed length strings without involving keys, no keys involved, One-wayness: It is hard to find an input that hashes to a pre-specified value. Collision resistance: Finding any two inputs having the same hash value is difficult: Fixed length public key signature schemes can sign digests instead of the actual message. However, key distribution is still a problem here. You can use certificates to verify public keys. PKI is a graph of relationships between key, such as certificate authorities and a "web of trust" social graph. You can revoke keys using expiration dates and certificate revocation lists.
SSL Change Cipher Spec protocol
consists of a single message that carries the value 1. Purpose of this message is to cause the pending session state to be established as a fixed state. Define the set of protocols to be used, must be sent client to server and vice versa.
impersonation
creating some sort of character and playing out the role
change of the threats
crypto alone cannot protect us from the current threats any more than Citibank's vaults can protect it from credit card fraud.
secret key cryptography
cryptography which uses a single key for both encryption and decryption
public key cryptography
cryptography which uses one key for encryption and another for decryption
partial time jamming
emitting pulses that cover most of the spectrum that needs to be jammed
assymetric cryptography
employs two keys that are mathematically related although knowledge of one key does not allow someone to easily determine the other key. One key is used to encrypt the plaintext and the other key is used to decrypt the ciphertext. The important point here is that it does not matter which key is applied first, but that both keys are required for the process to work
the state of things to come
ever increasing automation; human intervention in the affairs of machines decreasing, its harder to know where your computations are, and as computers come to do more human-like things, the security measures will come to look more and more like the security measures of human institutions. In the future your computer will frequently be going outside of itself for specialized computations, without consulting you, and as time goes on, that will become the majority of any real computation. In the future, security measure will look a lot more like human security measures than the ones we have seen in the past.
radio direction finding
finding out where a radio signal is coming from
hash functions
functions which use mathematical transformations to irreversibly "encrypt" information.
quantitative risk assessment
generally estimates the monetary cost of risk and risk reduction techniques based on (1) the likelihood that a damaging event will occur, (2) the costs of potential losses, and (3) the costs of mitigating actions that could be taken.
noise jamming/barrage jamming
generating a lot of noise in the range of frequencies used by the target radar
forward secrecy
if all the keys were known at some point, nonetheless people won't be able to read the future communications.
DNS cache poining
if an attacker can give DNS incorrect information about the whereabouts of your company's Web page, the page can be redirected to another site—regardless of anything you do, or don't do, at your end
proxy service
information from the Internet is retrieved by the firewall and then sent to the requesting system and vice versa.
noteworthy points
if you build an intrusion detection system based on data-mining techniques, you are at serious risk of discriminating In general, we must expect that an opponent will always get past the threshold if he or she is patient enough, and either does the attack very slowly or does a large number of small attacks Unless the operational aspects of security are embedded in the firm's culture, they won't work well, and this applies to physical security as much as to the computer variety. It's also vital to get unified operational security across the physical, business and information domains An important design consideration is the level of skill, equipment and motivation that the attacker might have location matters in deflecting crime, make asset as inconspicuous as possible areas that are out of sight are more vulnerable problems should be fixed while they are still small a common failing is to focus on rare but 'exciting' threats at the expense of mundane ones The basic idea is to assess how long a barrier will resist an attacker who has certain resources — typically hand tools or power tools. So barriers can't be seen in isolation. You have to evaluate them in the context of assumptions about the threats, and about the intrusion detection and response on which you can rely Security architecture is not "markitecture", where a cornucopia of security products are tossed together and called a "solution", but a carefully considered set of features, controls, safer processes, and default security posture. When starting a new application or re-factoring an existing application, you should consider each functional feature, and consider: Is the process surrounding this feature as safe as possible? In other words, is this a flawed process? If I were evil, how would I abuse this feature? Is the feature required to be on by default? If so, are there limits or options that could help reduce the risk from this feature? Security architecture starts on the day the business requirements are modeled, and never finishes until the last copy of your application is decommissioned Every feature that is added to an application adds a certain amount of risk to the overall application. The aim for secure development is to reduce the overall risk by reducing the attack surface area. There are many ways to deliver an "out of the box" experience for users. However, by default, the experience should be secure, and it should be up to the user to reduce their security - if they are allowed. The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes The principle of defense in depth suggests that where one control would be reasonable, more controls that approach risks in different fashions are better Applications regularly fail to process transactions for many reasons. How they fail can determine if an application is secure or not. Many organizations utilize the processing capabilities of third party partners, who more than likely have differing security policies and posture than you. It is unlikely that you can influence or control any external third party, whether they are home users or major suppliers or partners. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion. A key fraud control is separation of duties. In general, administrators should not be users of the application. Security through obscurity is a weak security control, and nearly always fails when it is the only control. This is not to say that keeping secrets is a bad idea, it simply means that the security of key systems should not be reliant upon keeping details hidden. Attack surface area and simplicity go hand in hand. Certain software engineering fads prefer overly complex approaches to what would otherwise be relatively straightforward and simple code. Developers should avoid the use of double negatives and complex architectures when a simpler approach would be faster and simpler. Once a security issue has been identified, it is important to develop a test for it, and to understand the root cause of the issue. When design patterns are used, it is likely that the security issue is widespread amongst all code bases, so developing the right fix without introducing regressions is essential. The goal of electronic warfare is to control the electromagnetic spectrum. It is generally considered to consist of: Electronic attack, such as jamming enemy communications or radar, and disrupting enemy equipment using high-power microwaves. Electronic protection, which ranges from designing systems resistant to jamming, through hardening equipment to resist high-power microwave attack, to the destruction of enemy jammers using anti-radiation missiles. Electronic support which supplies the necessary intelligence and threat recognition to allow effective attack and protection. It allows commanders to search for, identify and locate sources of intentional and unintentional electromagnetic energy Deception is central to electronic attack. The goal is to mislead the enemy by manipulating his perceptions in order to degrade the accuracy of his intelligence and target acquisition. Its effective use depends on clarity about who (or what) is to be deceived, about what and how long, and—where the targets of deception are human—the exploitation of pride, greed, laziness, and other vices. Deception can be extremely cost-effective and is also relevant to commercial systems Attack also generally requires a combination of techniques, even where the objective is not analysis or direction finding but simply denial of service the most difficult and expensive part of the whole operation is traffic selection, not collection [490]. Thus, contrary to naïve expectations, cryptography can make communications more vulnerable rather than less (if used incompetently, as it usually is). If you just encipher all the traffic you consider to be important, you have thereby marked it for collection by the enemy. On the other hand, if everyone encrypted all their traffic, then hiding traffic could be much easier (hence the push by signals intelligence agencies to prevent the widespread use of cryptography, even if it's freely available to individuals). although some systems have been broken by pure cryptanalysis, this is fairly rare. Most production attacks have involved theft of key material access to content is often not the desired result. In tactical situations, the goal is often to detect and destroy nodes, or to jam the traffic. Jamming can involve not just noise insertion but active deception Encryption alone cannot protect against interception, RDF, jamming, and the destruction of links or nodes. For this, different technologies are needed. The obvious solutions are: Dedicated lines or optical fibers. Highly directional transmission links, such as optical links using infrared lasers or microwave links using highly directional antennas and extremely high frequencies, 20 GHz and up. Low-probability-of-intercept (LPI), low-probability-of-position-fix (LPPF), and antijam radio techniques. Although hoppers can give a large jamming margin, they give little protection against an opponent who merely wants to detect their existence. A signal analysis receiver that sweeps across the frequency band of interest will often intercept them. (Depending on the relevant bandwidths, sweep rate, and dwell time, it might intercept a hopping signal several times). It should also be noted that jamming isn't restricted to one side. As well as being used by the radar's opponent, the radar itself can also send suitable spurious signals from an auxiliary antenna to mask the real signal or simply to overload the defenses Zero risk is not practical There are several ways to mitigate risk Don't spend a million bucks to protect a dime
next threats
large-scale, targeted attacks, deep attacks such as core infrastructure rootkits, data driven attacks, and super fluxing infrastructure (ability to morph in a very dynamic way in response to reverse engineering/takedown attempts.
traffic analysis
looking at the number of messages by source and destination
Doppler radar
measures the velocity of the target by the change in frequency in the return signal
cloud collaboration goals
multiple data centers, dynamic capacity sharing, data sharing, video and audio conferencing with data sharing, inter-cloud interactions: How to refer to other clouds, How to refer to data in other clouds, How to make data references persistent, How to protect clouds from various forms of attacks, how to establish an access control regime, What semantics can we rely on with inter-cloud data exchange, what notion of "object" would be useful for inter-cloud exchange
privelage
object/access mode pair
Address Resolution Protocol (ARP)
ocal networks mostly use Ethernet, in which devices have unique Ethernet addresses, which are mapped to IP addresses using this protocol
immunized files
patching in enough of a virus into a file to fool the virus into thinking that the file was already infected.
whitelist
people or sites that are not suspects
Information assurance practitioners
people who seek to protect the confidentiality, integrity, and availability of data and their delivery systems, whether the data are in storage, processing, or transit, and whether threatened by malice or accident
scanners
programs that searched through the early part of each executable file's execution path for a string of bytes known to be from an identified virus.
stealth
reducing the radar cross-section (RCS) of a vehicle so that it can be detected only at Security Engineering: A Guide to Building Dependable Distributed Systems 334 very much shorter range. This means, for example, that the enemy has to place his air defense radars closer together, so he has to buy a lot more of them. Stealth includes a wide range of techniques, and a proper discussion is well beyond the scope of this book. Some people think of it as "extremely expensive black paint," but there's more to it than that. Because an aircraft's RCS is typically a function of its aspect, it may have a fly-by-wire system that continually exhibits an aspect with a low RCS to identified hostile emitters
availability
refers to the availability of information resources, ensuring timely and reliable access to and use of information.
what to look at when designing an extranet
security is the major concern, combination of firewalls, authentication, VPNs etc. must be used.
circuit-level gateway
stand-alone system, or specialized function performed by an application-level gateway. Does not permit end-to-end TCP connection; rather the gateway sets up two TCP connections: The gateway typically relays TCP connections from one connection to the other without examining the contents, The security function consists of determining which contents will be allowed. Typical use is a situation in which the system administrator trusts the internal users. An example is the socks package
The Internet Key Exchange (IKE) algorithm
the default automated key management protocol for IPsec
IP (Internet Protocol)
the main delivery system for information over the Internet
information security management
the process by which the value of each of an organisation's information assets is assessed and, if appropriate, protected on an ongoing basis
clutter
the returns reflected to radar from the ground.
external threats
threats origination from outside your network, the direct opposite of internal threats. External threats can come from Hackers on the Internet, your business competition (yes they do!), your enemies (whether you think you have any or not) and so on.
encryption policy
unclassified data on mobile computing devices and removable storage media shall be encrypted Encryption is achieved by means of the trusted platform module (TPM) It is a microcontroller that can organize and store secured information. TPM offers facilities for secure generation of cryptographic keys.
understand the threat
understand the infrastructure used for distribution and control, understand the agents and their roles, sinkhole the evil distributing network so that you can understand what is going on from an inside perspective, hijack command and control systems so that you can see what kind of information is going back and forth and what kind of information is delivered.
RF fingerprinting technology
was declassified in the mid-1990s for use in identifying cloned cellular telephones, where its makers claim a 95% success rate. It is the direct descendant of the World War II technique of recognizing a wireless operator by his fist—the way he sent Morse code
cover jamming
where the radar jamming pulse is long enough to cover the maximum jitter period
DMZ (demilitarized zone
zone that is outside a firewall