CYSE 445 Final
What kind of malware is Ryuk? A) ransomware B) RAT C) covert channel D) spyware
A) ransomware
Based on the CIS Controls document, version 7, how many sub-controls are there for each of the 20 controls? A. A minimum of five and a maximum of 13 B. Eight per control C. Ten per control D. A minimum of eight and a maximum of 10
A) A minimum of five and a maximum of 13
POST-INCIDENT ACTIVITY
After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents.
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Identify
Assists in developing an organizational understanding of managing cybersecurity risk
Detect
Defines activities to identify the occurrence of a cybersecurity event in a timely manner
DETECTION AND ANALYSIS
Detection of security breaches is necessary to alert the organization whenever incidents occur.
According to CAPEC, to identify and mitigate relevant vulnerabilities in software, the development community only needs good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools. True or False
False
Cross-Site Scripting
Flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. This allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Recover
Identifies appropriate activities to maintain plans for resilience and to restore services impaired during cybersecurity incidents
Ways to protect IoT devices:
Know the governance Private networks must establish policies on usage, data retention, surveillance, and communicate those to employees/users Awareness of known and suspected vulnerabilities Good practices on configuration, limitation of attack surfaces Research and communication to ensure continuous reevaluation of risk Penetration testing, analysis of traffic and potential mitigations
Insecure Deserialization
Often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
Respond
Take action regarding a detected cybersecurity incident to minimize impact
OWASP Injection
These occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples of this risk can occur in SQL, NoSQL, and LDAP.
According to CAPEC, firmly grasping the attacker's perspective and approaches used to exploit software systems is necessary to enhance security throughout the software development lifecycle. True or False
True
Threat Modeling: four steps and four key questions
What is being protected? Model system What can go wrong with security? Apply model of security threats to system model to identify threats What should be done about threats? Address threats .Is this model complete and correct? Check model
For the Windows Task Manager vulnerability, what Operating Systems are affected? (Multiple answers) Windows 7 Windows 10 32-bit Windows XP Windows 10 64-bit Windows Server 2016 Windows Server 201
Windows 10 64-bit, Windows Server 2016
CIS-20 Control 6. Maintenance, Monitoring and Analysis of Audit Logs
detect
CIS-20 Control 1. Inventory and Control of Hardware Assets
identify and protect
CIS-20 Control 2. Inventory and Control of Software Assets
identify and protect
PREPARATION
involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
User Education: Using Strong Passwords
oEarly attempts to get users to use strong passwords: --Assumption was that people didn't know the importance of using strong passwords --Perceived solution: tell people what a strong password was and the importance of using them, people would use them voluntarily --But people didn't use strong passwords even after being educated oNext attempt: force people to use a strong password but people wrote them down
Polish Airline LOT Attack (2015)
•Flight plans must be sent to aircraft before takeoff. •Flight plans contain data such as route, weather, etc. •DDoS attack over five hours prevented flight plan transmission. •Cancelled 10 flights and delayed 15.
Solutions that mitigate these highest risks of an ICS?
-Encrypt data -IDS -Firewall -Anitvirus on workstation -Monitor control down in the sensor and make sure the data matches the historian -2 factor authentication
In light of requirements and current design, what are the key "assets" to protect of an ICS?
-If PLC attack directly and can modify firmware of PLC and can blow up the PLC the attack -Insider threat
Code of Practice for Consumer IoT Security:
1.No default passwords 2.Implement a vulnerability disclosure policy 3.Keep software updated 4.Securely store credentials and security-sensitive data 5.Communicate securely 6.Minimize exposed attack surfaces 7.Ensure software integrity 8.Ensure that personal data is protected 9.Make systems resilient to outages 10.Monitor system telemetry data
Zero Trust Architecture (NIST 800-207): Network Connectivity Assumptions
1.The enterprise private network is not trustworthy 2.Devices on the network may not be owned or configurable by the enterprise 3.No device is inherently trusted 4.Not all enterprise resources are on enterprise-owned infrastructure 5.Remote enterprise users cannot trust the local network connection
Top Ten Secure Coding Practices
1.Validate all inputs 2.Don't ignore compiler warnings 3.Architect for security 4.Avoid unnecessary complexity 5.Deny by default 6.Use least privilege 7.Don't share data you don't have to 8.Defend in depth 9.Strive for quality 10.Use specific secure coding standards (SEI has developed standards for C, C++, Perl, Java, Android)
Please match Kohnfelder and Garg's threat names to corresponding definition Denial of Service A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
Which of the following actions were not listed as actions taken after the Sparks, Nevada, ransomware attack? A) outsourced some SOC functions B) disconnected most systems from the Internet C) identified need for incident response plan D) better backup strategy
ANS: B) disconnected most systems from the Internet
Given the information in the links, what is the estimated impact of the Windows Task Manager exploit, expressed as a percentage of all personal computers? A) Between 5-9% of all personal computers. B) At least 35% of all personal computers. C) At least 72% of all personal computers. D) It is unknown how many users are affected.
B) At least 35% of all personal computers.
Based on the CIS Controls document, version 7, which control has the sub-control "Enable DNS Query Logging"? A. Maintenance, Monitoring and Analysis of Audit Logs B. Malware Defenses C. Procedures and Tools D. Boundary Defense
B) Malware Defenses
When is a Windows Task Manager patch available, according to the articles? A) Expected before August 31st B) September 11th C) Has been available since August 28th D) There is no patch possible
B) September 11th
Which of the following is a distinguishing characteristic of the Conficker worm? A) targeted MacOS B) generated pseudo-random URLS to coordinate attacks C) used primarily for espionage D) targeted PLCs
B) generated pseudo-random URLS to coordinate attacks
According to CAPEC, what is the typical severity of HTTP Response Splitting? A. CAPEC does not provide a severity B. High C. Low D. Medium
B. High
Please match Kohnfelder and Garg's threat names to corresponding definition Repudiability A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
B. An untrusted user performing an illegal operation without the ability to be traced
Based on the CIS Controls document, version 7, which control has the most sub-controls? A. Inventory and Control of Hardware Assets B. Application Software Security C. Account Monitoring and Control D. Email and Web Browser Protections
C) Account Monitoring and Control
What do both Linux benchmark documents recommend specifically for wireless network interfaces? A. Only enable them if a wired network interface is also active B. Enable them in case they are needed later C. Disable or deactivate them if not in use D. Configure a short, common password for quick access in case of emergency
C) Disable or deactivate them if not in use
According to the articles, what is the practical solution to the Windows Task Manager exploit? A) Remove the scheduler process from affected systems. B) Upgrade to the latest patch set immediately. C) There is no practical solution. D) Remove privileges to Scheduler from all non-privileged users.
C) There is no practical solution.
How was the Sparks, Nevada, ransomware attack discovered? A) network sniffing of exfiltrated data B) the FBI contacted the affected organization C) employee discovered encrypted file on shared drive
C) employee discovered encrypted file on shared drive
Which of the following is not listed in the slides as a defense against RATs? A) patching B) activity monitoring C) good backups D) file baselining E) firewalls
C) good backups
According to the 2016 Bot Traffic Report, what is the most common type of bad bot? A) scrapers B) hacker tools C) impersonators D) spammers
C) impersonators
What capability does the Pegasus malware provide? A) iPhone user lockout B) botnet control C) remote access to iPhone content D) hard drive encryption
C) remote access to iPhone content
Please match Kohnfelder and Garg's threat names to corresponding definition Information disclosure A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
C. Compromising the user's private or business-critical information
Using components with known vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
How did the Mirai botnet compromise IoT devices? A) Format string attack B) SQL injection C) buffer overflow D) default passwords
D) default passwords
Which of the following is not a capability of the Luminosity RAT listed in the slides? A) steals usernames and passwords B) logs keystrokes C) accesses mics and cameras D) encrypts hard drives
D) encrypts hard drives
Which of the following is not listed in the slides as a defense against bots? A) patch B) monitor traffic C) blacklist known bad sites D) good backups
D) good backups
Which of the following is not a mechanism of attack according to the CAPEC Mechanism of Attack hierarchy of attack patterns? A. Engage in Deceptive Interactions, such as spoofing B. Abuse Existing Functionality, such as flooding C. Inject Unexpected Items, such as code injection D. Reverse Engineering in the Physical Security Domain of Attack
D. Reverse Engineering in the Physical Security Domain of Attack
Please match Kohnfelder and Garg's threat names to corresponding definition Tampering with data A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
D. Modifying system or user data with or without detection
Please match Kohnfelder and Garg's threat names to corresponding definition Spoofing of user identity A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
E. Breaching the user's authentication information
Which of the following is not listed as something the NIST Cybersecurity Framework helps organizations do? A. Assess progress toward the target state B. Describe their target state for cybersecurity C. Communicate among internal and external stakeholders about cybersecurity risk D. Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process E. Describe their current cybersecurity posture F. Execute a penetration test of organization systems and networks
F) Execute a penetration test of organization systems and networks
Please match Kohnfelder and Garg's threat names to corresponding definition Elevation of privilege A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine B. An untrusted user performing an illegal operation without the ability to be traced C. Compromising the user's private or business-critical information D. Modifying system or user data with or without detection E. Breaching the user's authentication information F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
CIS-20 Control 11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Identify, Protect, and Detect
CIS-20 Control 13. Data Protection
Identify, Protect, and Detect
CIS-20 Control 15. Wireless Access Control
Identify, Protect, and Detect
CIS-20 Control 16. Account Monitoring and Control
Identify, Protect, and Detect
CIS-20 Control 9. Limitation and Control of Network Ports, Protocols and Services
Identify, Protect, and Detect
CONTAINMENT, ERADICATION, and RECOVERY
In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident.
XML External Entities
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks
Sensitive data exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
NIST Incident Response Life Cycle
PREPARATION DETECTION AND ANALYSIS CONTAINMENT, ERADICATION, and RECOVERY POST-INCIDENT ACTIVITY
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
Protect
Supports the ability to limit or contain the impact of potential cybersecurity events and outlines safeguards for delivery of critical services
Security Misconfiguration
This is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
Insufficient logging and monitoring
This, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
CIS-20 Control 10. Data Recovery Capabilities
protect
CIS-20 Control 12. Boundary Defense
protect and detect
CIS-20 Control 14. Controlled Access Based on the Need to Know
protect and detect
CIS-20 Control 3. Continuous Vulnerability Management
protect and detect
CIS-20 Control 4. Controlled Use of Administrative Privileges
protect and detect
CIS-20 Control 5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
protect and detect
CIS-20 Control 7. Email and Web Browser Protections
protect and detect
CIS-20 Control 8. Malware Defenses
protect and detect
Secure Coding
reducing the number of vulnerabilities in software to a degree that can be mitigated by operational controls (aspirational)
Secure Software Development: Testing
•(Automated) Static and Dynamic Code Analysis to identify security policy violations, such as not validating user input •(Manual) Peer code Reviews by developer other than the author •Testing by security team (in addition to business functional testing) •Web Application vulnerability scanning •Interception proxy software that logs and examines communications between two endpoints to check for (i) input validation, (ii)parameter validation, (iii) plaintext credentials, and (iv) session tokens that aren't pseudo-random to prevent attacker guessing •"Fuzzing" that sends large amounts of malformed and unexpected data to a program to trigger failures •Stress testing by placing extreme demands well beyond planning thresholds to determine degree of robustness (simulating Denial of Service attacks)
Norsk Hydro (2019)
•Aluminum production operations are primarily computer controlled but have manual backup; some parts of the operation need to be kept running 24x7 (can't turn furnace off with hot metal inside). •Expensive emergency shutdown due to cyber attack has happened: German steel mill in 2014. •Ransomware blocked access to computer control systems. •Some production was stopped, some switched to manual control. •Affected plants were isolated. •Some operations down or reduced for weeks. •Ransomware was LockerGaga: •Manual targeting (not a worm). •Really destroyware (no way to decrypt files). •Attackers leveraged the single central Active Directory domain to infect multiple workstations simultaneously. •OT (ICS) not on AD; MS Office servers in the cloud (and unaffected).
CBP Data Breach (2019)
•CBP (US Customs and Border Protection) maintains databases of license plate images, travelers' ID photos, etc. •A subcontractor transferred copies of the data from CBP to external systems; those external systems were subsequently compromised and the data copied. •Press release inadvertently (?) identified Perceptics as the subcontractor (provider of license plate readers). •According to CBP, fewer than 100,000 people were impacted. CBP press release says no data on Internet or dark web, but media reports finding such data on the dark web (along with financial and location information).
Cyber Insurance Potential Coverage
•Cyber insurance can cover direct costs of a cyber incident (but policies vary) •Network security costs (legal expenses, IT forensics, negotiation and payment of ransom, breach notifications to customers, data restoration, public relations expertise •Network business interruptions (from attack, failed software patch, human error) •"Errors and omissions" coverage for inability to deliver on contracts for products and services •Reputational harm (profit impact due to brand damage) Bricking (covers replacement of equipment rendered useless)
Approaches to Identifying Threats
•Informal, unstructured consideration of security issues •Brainstorming or unstructured discussions of security threats in response to system architecture •Structured discussions using STRIDE mnemonic (or variant) •Structured discussions using attack libraries
User Education: Security Awareness Programs
•Mandatory annual training (often computer-based training) •Live-fire phishing campaign
STRIDE
•SPOOFING: pretending to be something or someone else •TAMPERING: modifying something •REPUDIATION: claiming you didn't do something •INFORMATION DISCLOSURE: exposing information to people who are not authorized to see it •DENIAL OF SERVICE: attacks designed to present a system from providing service •ELEVATION OF PRIVILEGE: enabling a program, device, or user to technically do things that they are not allowed to do
Petro Rabigh (2017)
•Saudi Arabian integrated chemical and refining complex. •June 2017 : "Schneider Electric product specialists were called in to assess an apparently malfunctioning Triconex unit. The safety device had tripped part of Petro Rabigh offline, but it wasn't clear why. Everything seemed to be working normally." •Safety devices are designed to act if dangerous circumstances are detected; they serve as a backup to control systems. •August 2017: another outage, this time malware (Triton) is found. •IT infection apparently enabled by a poorly configured firewall; then pivot to OT. •Got to safety devices via Windows workstations. •Malware includes memory manipulation capability on Triconex units. •Plant down for more than one week. •Response included password changes and 2FA. •Attackers changed account phone numbers to intercept 2FA login codes.
Zero Trust Model:
•Zero trust means "verify and never trust" •Inspect and log all traffic •Design from the inside out to protect most sensitive data •Design with compliance in mind for sensitive data •Embed security into network DNA by micro segmentation of network through use of security appliance gateways with access control inside the perimeter of the network
Zero Trust Architecture (NIST 800-207)Network Requirements
●Enterprise systems must have basic network connectivity ●The enterprise must be able to determine which devices/systems are owned or managed by the enterprise and which are not ●The enterprise must be able to capture all network traffic ●Enterprise resources should not be discoverable without accessing a PEP (Policy Enforcement Point) ●The data plane must be logically separate from the control plane ●Enterprise systems must be able to reach the PEP component ●The PEP must be the only component able to reach the Policy Administrator and the Policy Engine ●Remote enterprise systems must be able to access enterprise resources without needing to traverse through the enterprise infrastructure ●Enterprise systems must not be able to reach certain PEPs due to observable factors. For example, mobile systems must not be able to reach certain resources unless using enterprise infrastructure. Observable factors controlling access include location (geolocation or network location) and device type.
Security Through Obscurity
●Hiding assets, services, or procedures in non-standard ways ●May be an added measure ●Examples: oSet up services on non-standard ports oRename local administrator account oReconfigure service banners not to report the server operating system type and version oWhat else?
User Education
●Human element is a very weak security link ●Importance of having easy and friendly process for folks to report suspicious emails
Cyber Incident Risk Transfer
●Risk transfer: insurance to cover cyber incidents ●Early cyber policies were (i) highly customized and negotiated policies or (ii) cheap, limited add-ons to other policies ●Today: mainstream policies offered by major insurance companies including (AIG, Nationwide, Zurich, among others)