SECURITY AND ASSURANCE TEST 3


Security Foundation Key Considerations (Development of Enterprise Security Architecture)

- Active executive participation
- Owner, custodian, stakeholder alignment
- Assigned responsibility, accountability and authority
- Security Life Cycle
- Business and IT alignment
- Security process and management fundamentals/foundations/baseline versus 'wants'

Executable code/Mobile code

- Code that is downloaded to the user's machine and executed.
- Running programs on a computer may give the program unexpected access to resources on the machine.

IDS and IPS Attack Response

- Traditional Intrusion Detection Systems (IDSs) are limited in their automated response capabilities. Aside from alerting an administrator, IDSs can attempt to reset TCP connections on the target host or attacking machine, or reconfigure a firewall or router to deny the connection. However, the Reset command or rule change may not happen quickly enough to stop malicious traffic from reaching the target.
- Inline prevention sensors sit on the wire, intercepting and forwarding traffic flows, allowing them to kill attacks automatically, much like a firewall.

Two objectives of O/S

- Control use of system resources
- Provide a convenient, easy-to-understand view of the computer to users

Strategic Alignment key components (Development of Enterprise Security Architecture)

- Need executive-level sponsorship for the architecture; it has to be enterprise-wide and mandatory in order to have an enterprise-wide approach to risk.
- A current status of the enterprise approach to IT risk will provide the "IT Security Culture" to gauge what the architecture has to be to be effective and how it will be received. How ready is the organization to adapt to change? Is the architecture going to be a significant change from where they are today?
- How much has the corporate approach to IT Security been considered?
- What are the business issues and strategies that are defined that require an organized approach to IT security? The more the architecture requirements can be directly tied to the business, the better.
- Is there legislation, or are there regulations, pushing the organization in a certain direction?

Strategic Alignment Key Considerations (Development of Enterprise Security Architecture)

- The architecture also must have an identified owner.
- Who is responsible for defining, reviewing, approving, enforcing?
- How will the architecture fit into the IT Security Lifecycle (TRA, policies, implementation, administration, etc.)?
- The business requirements and IT requirements must be aligned and inter-related.
- The architecture should be an obvious progression from the business requirements and justifiable as such. It should not be based on the current "wants" that are more typical with technology selection.
- Many security architectures are arrived at by surprise, based on installed technology rather than considered thought or planning. Vendors will try to make the organization "want" technology without the business reason "why".

Network Attack Methodology

1. Identify the target and collect information
2. Analyze the target to identify a vulnerability
3. Gain access to the target
4. Escalate privileges
5. Complete the attack

Security Architecture

A high-level design used to satisfy a system's security requirements as defined in an organization's security policy

Hub (Concentrator/repeater)

A hub, also called a concentrator or repeater, is found in star and star-wired ring topology networks. The hub can be a non-intelligent repeater which simply repeats and amplifies signals. It can offer intelligence, via network management software, to monitor and control network traffic.

Network adapter

A network adapter is the physical link between the computing device and the network media. Typically, a network adapter is a card that slides into a computing device's expansion slot, providing a connector for attaching the network media.

Teardrop attack

A type of denial of service attack that exploits the way IP requires a packet that is too large for the next router to handle to be divided into fragments. Each fragment carries an offset from the beginning of the original packet that enables the entire packet to be reassembled by the receiving system. In the teardrop attack, the attacker puts a confusing offset value in the second or later fragment. If the receiving operating system does not have a plan for this situation, it can cause the system to crash.

Relational DBMS

A type of logical database model that treats data as if they were stored in two-dimensional tables. It can relate data stored in one table to data in another as long as the two tables share a common data element.

Enterprise Security architecture

Defines the information security strategy that consists of layers of policy, standards, and procedures and the way they are linked across an enterprise

Process Enhancement (Development of Enterprise Security Architecture)

Evolutionary integration and consistent execution of security across the enterprise

Enterprise

Multiple internal networks, internal areas or domains, and various internal devices and systems, applications, and a diverse user presence as a single collective unit.

Data Diddler

Payload in a Trojan or virus that deliberately corrupts data, generally by small increments over time

Overlapping fragment attack

RFC 791 (STD 5), the current IP protocol specification, describes a reassembly algorithm that results in new fragments overwriting any overlapped portions of previously received fragments. Given such a reassembly implementation, an attacker could construct a series of packets in which the lowest (zero-offset) fragment would contain innocuous data (and thereby be passed by administrative packet filters), and in which some subsequent packet having a non-zero offset would overlap TCP header information (destination port, for instance) and cause it to be modified. The second packet would be passed through most filter implementations because it does not have a zero fragment offset.

Value-Added Network

Refers to the dedicated circuits and network services provided by a Telecommunications provider. These networks and circuits may be considered "trusted" or "untrusted" depending on factors such as source and destination termination and integrity, trustworthiness, security services and sensitivity of transmitted data.

Malformed input attacks

SQL Injection - inserting a series of SQL statements into a 'query' by manipulating data input into an application

Architecture

The highest level concept of a system in its environment.

Security Foundation (Development of Enterprise Security Architecture)

Core security and architecture is established.

Security Effectiveness (Development of Enterprise Security Architecture)

Addresses the 'assurance' part of the security solution: 'How do we know that the solution is actually working properly?'

Wireless LAN Vulnerabilities Subtopics

- Detection
- Eavesdropping
- Modification
- Injection
- Hijacking
- WLAN Architecture
- Radio Frequency Management

Decommissioning / Disposal

- When an asset is being taken out of production and is decommissioned or retired, the asset owner shall ensure the following stages are adhered to:
  - Information Recovery Protection Requirements
  - Media Sanitization
  - Hardware and Software Disposal

Network Aware Example: SQL Slammer

- ~100,000 hosts infected in ten minutes
- Sent more than 55 million probes per second worldwide
- Collateral damage: Bank of America ATMs, 911 disruptions, Continental Airlines cancelled flights
- Unstoppable; relatively benign to hosts

twisted pair

- Cheapest, limited in distance & bandwidth.
- Used within buildings or small areas.
- Easily tapped.

Satellite

- High latency (transmission delay).

Cabling Issues:
- Attenuation - loss of signal strength during a transmission due to cable length exceeding maximum range.
- Dispersion - in optical networking, light pulses can spread out and overlap with preceding or following pulses.

IP Security Issues

- IP Fragmentation Attacks
  - Tiny fragment attack
  - Overlapping fragment attack
  - Teardrop Denial of Service Attack
- IP Address Spoofing
- Source Routing
- Smurf and Fraggle
- IP Tunneling over other protocols

Security Effectiveness Key Components (Development of Enterprise Security Architecture)

- Key Performance Indicators
  - High Risk Elements
  - Critical Resources
  - Core Management Processes
  - Customer Satisfaction
- Information Structure
- Presentation and Reporting
  - Metrics
  - Source Data
- Compliance Monitoring
  - Internal and External Audit Plans
  - Regulatory
  - IT Scanning / Self-Assessments

Infrared

- Line of sight limitations.
- Affected by rain.

Security Foundation Key Components (Development of Enterprise Security Architecture)

- Security Management Plan
  - Program, Organization, Administration
- Business Continuity Management Plan
- Infrastructure Security Plan
  - Physical and Environmental
  - Systems & Network Infrastructure
  - Logging, Monitoring & Reporting
- Application Integrity Plan
- Identity Management Plan
- Privacy Plan

Enterprise Security needed components:

- A common architecture language, which addresses and ensures you can deal with your security principles, including their motivation and implications.
- An architecture model, which allows you to build nested architectures (all addressing the needs and goals of the organization) and provides guidance at all levels of the organization.
- The Zachman model is a popular choice today for enterprise architectures, because it's a two-dimensional representation of the needed components of any architecture. The Zachman Framework has gained wide acceptance in the industry. It will be shown over the next couple of slides.

Intranet

- A private 'Internet' operating on your company's internal network
- Uses the same network protocol as the Internet (TCP/IP)

Major elements of DBMS

- Database
- Hardware
- Software
- Users

Virtual Private Network (VPN)

- Dynamically established secure network link between two specific network nodes or subnets using a secure encapsulation method.
- Uses tunneling AND encryption to protect private traffic over an un-trusted network.

Internet

- Global network of public networks and Internet Service Providers (ISP) throughout the world
- Uses Transport Control Protocol/Internet Protocol (TCP/IP)
- All communications considered to be public unless protected by end users

Data network components include:

- Mainframe/Server Hosts
- File Servers
- Workstations
- Software - Network Operating System and Applications
- Network Adapter/Network Interface Card
- Hub/Concentrator/Repeater
- Bridges
- Switches - Layer 2, 3, 4, etc.
- Routers
- Gateways
- Physical Cabling
  - Twisted Pair/Coaxial Cable/Fiber Optics
- Wireless
  - Radio Frequency/Infrared/Optical/Satellite

Modern malware is network aware

- New means of spread
- New methods of attack
- New payloads

Secure Shell (SSH)

- Powerful method of performing client authentication
- Safeguards multiple service sessions between two systems.
- Provides support for:
  - Host and user authentication
  - Data compression
  - Data confidentiality and integrity
- Credentials are validated by digital certificate exchange using RSA.

Zachman Architecture Framework columns:

- The columns represent a different area of interest for each view using the six "abstractions".
- These define the independent variables that form a comprehensive depiction of the subject or object being described.

Acceptance, Testing and Transition to Production (SDLC)

- The critical element in this phase is testing the program before it is brought into full-line production.
- Certification and Accreditation are the final steps involved in accepting the system, as described in our section in the Security Architecture domain.

Buffer Overflow

- The process of exploiting a program weakness by sending long strings of input data to a system that is not prepared to truncate it through proper bounds checking.
- Developers should take this type of vulnerability into account when developing and testing programs.

Denial of Service

- The result of another person or process consuming the resources on the system and thus denying the resources for the use of others.
- When testing programs, test for how the application would respond to a DoS attack.

Zachman Architecture Framework rows:

- The rows represent six "levels" of architectures or views with increasing levels of detail.
- Note: Security Architecture is not a view but rather provides components and supports many other "views".

Wireless Radio Frequency Band

- These are the frequencies commonly unlicensed within many developed countries. Unlicensed means that many users can share that frequency range without a right to exclusive use from the government. From a security standpoint, this is a problem because anyone can do whatever they want, without many real 'rules'.
- Note that portable cordless phones (the household variety, not cellular/mobile phones) use the same bands as many networking protocols, and thus interference can cause a lack of availability of your network.

The objectives of network security:

- Transmission channels and services are secure and accessible.
- Interoperability of network security mechanisms is operational.
- Messages sent are the messages that are received.
- Message link is between valid source and destination nodes.
- Message non-repudiation is available.
- Prevent unauthorized disclosure of messages.
- Prevent unauthorized disclosure of traffic flows.
- Remote access mechanisms are secure.
- Security mechanisms are easy to implement and maintain.
- Security mechanisms are transparent to end-users.

Remote Access Technologies

Allows users to access network information through a dial-in or wireless connection.

Internet Access

Allows users to access network information through an Internet Service Provider (ISP) connection.

Detailed Design Specifications (SDLC)

Fine-tuning the security requirements, making them more detailed and integrating them into the design, makes the security elements more cohesive.

VPN LAN-to-LAN Configuration

First, we can establish a VPN between a remote network and a main network (as we illustrate on this slide) or between a single remote/mobile host and a main network (as we illustrate on the next slide). Second, there are three different places we can place a VPN server in our network perimeter, regardless of whether we are using a LAN-to-LAN VPN or a client-to-LAN VPN: on the "inside" of your firewall, on a DMZ, or on the firewall host itself. In these two diagrams, we show encrypted traffic in red and unencrypted traffic in black. On the left side of this diagram, we show the first option. If you put the VPN server behind the firewall, you can protect the VPN server from attack from the outside, but then you can't inspect the tunneled (encrypted) data packets at the firewall. On the right side of this diagram, we show the second option. If you put the VPN server on a DMZ, you can protect it with the firewall from attack from both the inside and the outside, and additionally inspect the decrypted traffic before it enters the LAN. This is the most scalable solution; it combines security with performance.

Intrusion Prevention Systems (IPS)

- Intrusions are prevented.
- Ability to block attacks in real time.
- Actively intercept and forward packets.
- Considered 'access control' and 'policy enforcement', whereas IDS is considered 'network monitoring' and 'audit'.
- Preventive control

Mobile User-to-LAN VPN

It also shows the third option of where to place the VPN server: on the firewall host itself. If you combine the VPN and firewall together, you get similar benefits to the DMZ option and only need one box. However, you may need to buy a larger box to do this, or buy an encryption accelerator card, because VPN encryption/decryption is CPU intensive and may slow the firewall down. This option is usually only used on small networks with a low-bandwidth connection to the Internet. You also risk compromise of the firewall if there is a vulnerability in the VPN software.

Switches

Switches combine bridge and hub technologies. Each port on the switch acts as a mini-bridge to segregate traffic. It does this by keeping track of the MAC addresses of the machines attached to it and only routing traffic to the assigned port. This provides added security and performance.

Operating system (O/S)

The software interface between the hardware and the applications and end user.
- First layer of software

Bridge

The technology that interconnects two networks that use the same technology is called a bridge. The bridge arbitrates traffic between two networks, routing packets from one network to the other. In addition to arbitrating the traffic between two interconnecting networks, bridges can also often enhance the performance, reliability, and security of networks.

Develop and Document (SDLC)

These are the security elements that take place during the development of the program.

Functional Design Definition (SDLC)

This is when the "wish list" of what the application should do is planned into reality.

Remote access Services

- Typically conducted over an untrusted network.
- Increased risk to disclosure, modification, and denial of service.
- Remote access security minimums
  - Strong identification and authentication services
- Rapid growth of remote access via the Internet
  - Wide availability
  - Economical

Eavesdropping

- WLAN signals extend beyond physical security boundaries.
- Standard Wired Equivalent Privacy (WEP) encryption is often not used.
- When used, WEP is flawed and vulnerable.
- No user authentication in WEP.

Detection

WLAN will generate and broadcast detectable radio waves for a great distance

Time Of Check/Time Of Use (TOC/TOU)

When control information is changed between the time that the system security functions check the contents of the variables and when the variables are actually used.

Tiny Fragment attack

With many IP implementations it is possible to impose an unusually small fragment size on outgoing packets. If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implementation does not enforce a minimum fragment size, a disallowed packet might be passed because it didn't hit a match in the filter.

Project Initiation and Planning (SDLC)

Work done at this point saves a bunch of time and effort later on.

Business Enablement (Development of Enterprise Security Architecture)

end-to-end transaction integrity

Enterprise Security Architecture... pt. 1

- Strategic - longer life than a blueprint, design specification, topology or configuration
  - Constrained by current or changing circumstances if too specific,
  - Cannot provide good guidance if it is too general,
  - Support long term view of technical direction, not short term technical constraints,
  - Not invalidated by changes in technical direction

Enterprise Security Architecture... pt. 2

- Business centered acceptance and management of risk
- Allows for multiple implementations depending on requirements
  - Guidance for implementation of security for internal and external organizations
    - Interoperability
    - Integration
    - Ease-of-use
    - Standardization

General Remote Safeguards pt. 2

- Use phone lines restricted to outbound access for dial-out services.
- Set modems to answer after a pre-determined number of rings; counters "war dialers."
- Use secure modems for single-port diagnostic and administrative access, or unplug when not in use.
- Consolidate remote access facilities when practical.
- Implement two-factor user authentication and network access restrictions for remote access to all resources on private WAN/LANs.
- Use Virtual Private Networks for sensitive data communications on public networks.
- Use personal firewalls and anti-virus tools on remote computers.

Lock Controls - the ACID Test

- *Atomicity* - either all changes take effect or none do.
- *Consistency* - a transaction is allowed only if it meets owner/system-defined integrity constraints.
- *Isolation* - the results of the transaction are not visible until the transaction is complete.
- *Durability* - a completed transaction is permanent.

Network protocol

- A standard set of rules that governs the exchange of data between hardware and/or software components in a communications network.
- A network protocol also describes the format of a message and how it is exchanged.
  - When computers communicate with one another, they exchange a series of messages.
  - To understand and act on these messages, computers must agree on what a message means.

Architecture information

- Are fundamental statements of value, operation or belief that define the overall approach to IT security,
- Define the philosophy of the organization that directs the definition of the security policies,
- Will require formal commitment from the executives to be relied upon for guidance, and
- Often are challenging to define.
  - May require assistance with scope definition and management, issue validation, and the definition of the resulting Security Principles.

DNS Security Issues

- Attackers have been known to corrupt the tree and obtain access to a trusted machine.
- The name servers can be poisoned so that legitimate addresses are replaced.
- Unauthorized users could discover sensitive information if querying is allowed by users.

Virus (malware type)

- Central characteristic is reproduction
- Generally requires some action by the user
- May or may not carry payloads
- Payload may or may not be damaging

Application software

- Comprised of programs, processes, utilities, drivers, etc., to provide user functionality and support business activities.
- Allows users to execute and perform computerized tasks.

Benefits of Enterprise Security Architecture

- Consistently manage IT risk across the enterprise while leveraging industry best practices.
- Reduce the costs of managing IT risk and improve flexibility by implementing common security solutions across the enterprise.
- Allow decision makers to make better and quicker security-related decisions across the enterprise.
- Promote interoperability, integration and ease-of-access while effectively managing risk.
- Provide a reference for guidance to other organizations interacting with the enterprise.

Database Management System (DBMS)

- Databases - developed to manage information from many sources in one location.
  - Eliminates the need for duplication of information in the system.
  - Preserves storage space.
  - Prevents inconsistency in data by making changes in one central location.

Various Network Threats & Attacks

- Denial of Service (DoS)
- Distributed DoS
- Mobile Code
- Malicious Code
- Wireless LAN Vulnerabilities
- Spoofing
- Sniffing
- Eavesdropping
- Masquerading
- Instant Messaging (IM) Vulnerabilities

OLTP Systems Should:

- Detect when individual processes abort.
- Automatically restart an aborted process.
- Back out of a transaction if necessary.
- Have transaction logs record information on a transaction before it is processed, then mark it as processed after it is done.

Confidentiality (application security)

- Direct loss (backdoors, viruses, etc.)
- Indirect loss (consequential damage due to unauthorized disclosure of confidential information, etc.)

Domain Naming System (DNS)

- Distributed Internet directory service.
- Global network of "name servers" that translate host names to numerical IP addresses.
  - www.ISC2.org = 209.164.6.194
- Internet services rely on DNS to work; if DNS fails, web sites cannot be located and email delivery stalls.
- It is tree structured.
- Contains two elements:
  - Name Server - responds to client requests by supplying name to address conversions.
  - Resolver - when it does not know the answer, the resolver element will ask another name server for the information.

Relational Database Security Issues

- Ensuring integrity of input data.
- Preventing deadlocking (stalemate when 2 or more processes are each waiting for the other to do something before they can proceed).
- Access controls ensuring only authorized users are performing authorized activities.

DDOS Zombie (malware type)

- Expands effect of denial of service.
  - Middle of master / attacker - agent - target structure.
  - Hides attacker, multiplies attack.

Virus Types

- File infector
- Boot sector infector
- System infector
- Email virus
- Multipartite
- Macro virus
- Script virus
- Hoax

Logic Bomb (malware type)

- Generally implanted by an insider
- Waits for condition or time
- Triggers negative payload

Objectives of Enterprise Security architecture

- Guidance for decision makers.
  - The resulting business and security decisions will be strategically aligned and consistent across the enterprise.
  - Provides specific security-related guidance to decision makers.
- Security-related input into IT technology, system and application design.
- Ensures application of security best practices.
- Describes security zones, to compartmentalize the enterprise security environment.

Infrastructure includes items such as:

- Hardware
- Software
- Operating System and all associated functions
- Applications
- Utilities
- Network environment

Backdoor, Trapdoor (malware type)

- Implanted intentionally in development, or by error, usually by an insider
- Maintenance hook (may have been deliberate and useful)
- Also bug / loophole / wormhole

Database Security Issues

- Inference
- Aggregation
- Unauthorized Access
- Improper Modification of Data
- Access Availability
- Database Views
- Query attacks
- Bypass attacks
- Interception of data
- Web Security
- Data contamination

Infrastructure vs. Architecture

- Infrastructure refers to the supporting elements needed for functionality.
- Architecture refers to the cohesive design of the elements.

5. Complete the attack (Network Attack Methodology)

- Install a backdoor mechanism that allows the attacker to bypass access control and avoid detection, such as a rootkit.
- Create rogue user account.
- Close the original vulnerability so no one else can compromise the system.
- Modify audit logs if they are stored locally to prevent discovery of the attack.

RAT (malware type)

- Installed, usually remotely, after system installed and working, not in development
- Trojan vs. tool
- Rootkits require working account, RATs generally don't

Spyware and Adware (malware type)

- Intended as marketing, not malice
- Installed with other software
  - As a separate function or program
- Generates unwanted or irrelevant advertising
- Reports on user activities
  - possibly other installed programs, possibly user surfing

Intrusion Detection Systems (IDS)

- Intrusion attempts and any set of actions that attempt to gain unauthorized access are detected.
- Auditing for intrusion attempts on a timely basis.

3. Gain access to target (Network Attack Methodology)

- Make connection attempts using:
  - Direct login attempts to reach hosts
  - Modems to attack remote access servers and modems attached to individual computers.
- Try to guess passwords
- Exploit known security vulnerabilities
- Perform piggybacking/hijacking/spoofing
- Use social engineering
- Perform a denial of service attack

Management's expectations (Enterprise security architecture)

- Mitigate risk
  - First need to know what risk is present.
- Enhance user productivity
  - Security should not get in the way of productivity.
- Reduce Cost
  - Most security is assumed to be built in.
- Streamline Application Development/Integration
  - Security must not inhibit applications.

IM Security Issues

- Most lack encryption capabilities.
- Most have features to bypass traditional corporate firewalls.
- Insecure password management.
- Increased exposure to account hijacking and spoofing.

BotNets (malware types)

- Networks of infected machines.
  - for distributed denial of service.
  - as proxies for SPAM.
  - often controlled via Internet Relay Chat servers

Application Environment Threats

- Object reuse
  - An object may contain sensitive residual data
- Garbage collection
  - De-allocation of storage following program execution
- Trap doors/back doors
  - Hidden mechanisms that bypass authentication measures
  - Could enable unauthorized access

Example of data network structures:

- Personal Area Network
- Wireless Personal Area Network
- Local Area Network
- Metropolitan Area Network
- Campus Area Network
- Wide Area Network
- Internet
- Intranet
- Extranet
- Value Added Network
- World Wide Web
- Global Area Network

Architecture includes items such as:

- Principles
- Concepts
- Methods
- Practices
- Standards
- Shift from an IT-centric to a business-centric security process to more effectively manage risk.

Availability (application security)

- Programs
- Data
- Processing
- Resources
  - Bandwidth, memory, disk space, mail queues, etc.

Integrity (application security)

- Programs
- System
- Data
- Trust relationships
  - Formal (technical trust between subnets and domains)
  - Informal (social relations between partners, customers, and clients)

System Life Cycle

- Project management-based methodology used to plan, execute, and control software development and maintenance
- Provides a framework for the phases of software development projects and includes disposal stage
- Involves teams of developers, analysts, owners, users, technical experts, and security experts

Transmission Control Protocol (TCP)

- Provides reliable data transmission.
- Retransmits lost/damaged data segments.
- Sequences incoming segments to match original order.
- Marks every TCP packet with a source host and port number, as well as a destination host and port number.

General Remote Access Safeguards

- Publish a clear/definitive remote access policy and enforce it through audit.
- Justify all remote users and review regularly, such as yearly.
- Identify and periodically audit all remote access facilities, lines and connections.
- Consolidate all general user dial-up facilities into a central bank that is positioned on a DMZ.

Trojan Horse (malware type)

- Purported to be a positive utility
  - Hidden negative payload
  - Social engineering

2. Analyze the target to identify a vulnerability (Network Attack Methodology)

- Query to gather detailed information such as:
  - Operating system and services running; many systems will freely volunteer the product name and version number in a greeting banner.
  - List of user ids, shared file systems, system information.
  - Probe telephone lines for modems that answer.

Online Transaction Processing (OLTP)

- Records transactions as they occur, in real time.
- Security concerns are concurrency and atomicity.
  - Concurrency controls ensure that two users cannot simultaneously change the same data.
  - Atomicity ensures that if one step fails, then all steps should not complete.

Worm (malware type)

- Reproduces
  - Generally uses loopholes in systems
    - Does not involve user
  - Often attacks server software of some type

Change Management key Points

- Rigorous process that addresses quality assurance.
- Changes must be submitted, approved, tested and recorded.
- Should have a back-out plan in case change is not successful.

Business Enablement Key Components (Development of Enterprise Security Architecture)

- Security Solution Diagnostic
  - policy and standards
  - organizational alignment
  - technical control architecture
  - process alignment
  - awareness and training
  - compliance and assurance
- Security Solution Methodologies
  - information security risk assessment
  - system analysis and design
  - solution and specific templates

View-Based Access Controls

• Security is achieved through the appropriate use of 'views.' - Allows the database to be logically divided into pieces, so sensitive data is hidden from users who are not authorized to see it. - The user reaches the data only through the views presented by the front-end application, never by querying the underlying tables directly. - Caveat: a view protects nothing unless the DBMS also denies the user direct access to the base tables; anyone who can submit arbitrary SQL (for example through injection) simply bypasses the view.

The Target of Remote Access Threats

• Sensitive and critical information. • Computing services, such as storage space and other resources. • Toll telephone services • Voice mail • Network access to interconnected networks, such as customers or business partners.

OSI Model

• Seven layers. • Data transfer is accomplished by a layer interacting with the layer above or below through the use of interface control information. • ISO 7498 describes the OSI model; its security architecture part, ISO 7498-2, defines the security services that are available and where they fit in the layered model.

Malicious software definition

• Software or programs intentionally designed to include functions for penetrating a system, breaking security policies, or to carry malicious or damaging payloads. • Programming bugs or errors are not generally included in the topic • Backdoors, data diddlers, DDoS, hoax warnings, logic bombs, pranks, RATs, trojans, viruses, worms, zombies, etc.

1. Identify the target and collect information (Network Attack Methodology)

• Systematically map the target's network. - Traceroute, ping scanning, port scanning, TCP half-open (SYN) scanning, FIN scanning, OS fingerprinting. • Information wanted: - Domain names and network numbers - IP addresses - Names/phone numbers of personnel - Network map, including services that are available or running - Operating system type and version
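Step 1 (port scanning) and step 2 (reading the product and version a service volunteers in its greeting banner), as an added example that is not part of the original page: it starts three constructed loopback listeners in threads, TCP-connect scans their ports plus one port with nothing behind it, and extracts the product and version from each greeting. The banner strings, the product pattern list and the ports are constructed sample data, not real services.

```python
import re
import socket
import threading

# Constructed local "targets": listeners that greet with a version banner the way
# many real services do, plus one that closes without saying anything.
BANNERS = [
    b"220 mail.example.test ESMTP Postfix 3.8.1\r\n",
    b"SSH-2.0-OpenSSH_9.6\r\n",
    b"",
]

# Product/version shapes seen in common greeting banners (illustrative list).
BANNER_RE = re.compile(
    rb"(OpenSSH|Postfix|Sendmail|Exim|ProFTPD|vsFTPd|nginx|Apache)[_/ ]?(\d[\w.]*)")


def start_listener(banner: bytes) -> int:
    """Serve exactly one connection on a loopback port chosen by the OS."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """TCP connect scan of one port, then a passive banner grab: connect, send
    nothing, and record whatever the service volunteers on its own."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except OSError:                       # refused, unreachable or timed out
        s.close()
        return {"port": port, "state": "closed", "banner": None, "product": None}
    try:
        banner = s.recv(256)
    except OSError:                       # silent service: nothing within timeout
        banner = b""
    finally:
        s.close()
    m = BANNER_RE.search(banner)
    product = (m.group(1).decode(), m.group(2).decode()) if m else None
    return {"port": port, "state": "open",
            "banner": banner.strip().decode(errors="replace") or None,
            "product": product}


def scan(host: str, ports) -> list:
    return [probe(host, p) for p in ports]


def run_demo() -> list:
    ports = [start_listener(b) for b in BANNERS]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  # port with no listener
    spare.bind(("127.0.0.1", 0))
    ports.append(spare.getsockname()[1])
    spare.close()
    return scan("127.0.0.1", ports)


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The defensive reading of the same code: everything the scanner learns here was given away by the greeting, so trimming version strings from banners (and watching for sweeps of connect-then-close with no request sent) removes most of what step 2 relies on.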

Remote Access Threat

• Targets of opportunity include: - Insecure Internet connections - Unsecured modem access - Diagnostic ports on various network devices - Administrative ports on voice mail systems, PBX, fax servers - Unauthenticated sessions

TCP/IP

• The protocols in the TCP/IP suite work together to: - Break the data into small pieces that can be efficiently handled by the network. - Communicate the destination of the data to the network. - Verify the receipt of the data on the other end of the transmission. - Reconstruct the data in its original form.

Data Encapsulation

• To transmit data across a layered network, the data passes down through each layer of the protocol stack. • It begins at the application layer, with the application software passing the data to the next lower protocol in the stack. • At each layer the data is encapsulated: the protocol adds its own header (and sometimes a trailer) so the result is in the format the next lower layer requires; the receiving stack removes the headers in reverse order.

DBMS should provide:

• Transaction persistence • Fault tolerance and recovery • Sharing by multiple users • Security controls

4. Escalate privileges (Network Attack Methodology)

• Try to gain administrative or operator privileges. • Try to utilize the compromised system to gain access to more valuable systems. • Techniques: - Buffer overflows - Trojan horses - Password guessing or install a password sniffing/gathering/cracking tool. - Exploit trust relationships

Tunneling

• Tunneling is the act of packaging one network packet (the tunneled packet) inside another (the transport packet). • The tunnel is the vehicle for encapsulating packets inside a protocol that is understood at the entry and exit points of a given network. • Tunneling by itself provides no protection: for confidentiality and integrity the tunnel must be encrypted and authenticated (IPsec ESP, for example), since encryption alone does not detect tampering.
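Encapsulation and tunneling as described above (and the TCP port pairing from the TCP card), as an added example that is not part of the original page: an application payload is wrapped in a TCP segment, that in an IPv4 packet with a correct RFC 791 header checksum, and the whole inner packet is then tunneled inside an outer IPv4 packet with protocol number 4 (IP-in-IP); the exit point unwraps the stack in reverse, verifying each checksum. Addresses, ports and tunnel endpoints are constructed sample values; socket.inet_aton does the dotted-decimal to 32-bit conversion.

```python
import socket
import struct

# Constructed sample values (assumptions, not from the page).
SRC_IP, DST_IP = "216.25.104.207", "10.0.0.5"          # inner (tunneled) packet
TUNNEL_SRC, TUNNEL_DST = "192.0.2.1", "198.51.100.1"   # tunnel entry/exit points
IPPROTO_TCP, IPPROTO_IPIP = 6, 4                       # IANA protocol numbers


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's-complement sum of 16-bit
    words. Over a header that already carries a correct checksum it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: minimal 20-byte TCP header (PSH|ACK, checksum left zero)."""
    seq, ack, window = 1000, 0, 65535
    offset_flags = (5 << 12) | 0x18          # data offset 5 words, PSH and ACK
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, window, 0, 0)
    return header + payload


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Network layer: prepend an IPv4 header; the checksum covers the header only."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes):
    """Strip one IPv4 header after verifying its checksum."""
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return src, dst, packet[9], packet[ihl:total_len]


def encapsulate(payload: bytes, sport: int = 40000, dport: int = 443) -> bytes:
    """Application data -> TCP segment -> IPv4 packet -> IP-in-IP tunnel packet."""
    segment = build_tcp(sport, dport, payload)
    inner = build_ipv4(SRC_IP, DST_IP, IPPROTO_TCP, segment)
    # The whole inner packet is the payload of the outer one. Nothing here is
    # encrypted or authenticated, so anyone on the path can read or alter it.
    return build_ipv4(TUNNEL_SRC, TUNNEL_DST, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes) -> dict:
    """Reverse the stack at the tunnel exit, checking each header as it comes off."""
    o_src, o_dst, o_proto, inner = parse_ipv4(outer)
    if o_proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    i_src, i_dst, i_proto, segment = parse_ipv4(inner)
    if i_proto != IPPROTO_TCP:
        raise ValueError("inner packet does not carry TCP")
    sport, dport = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst),
            "ports": (sport, dport), "payload": segment[data_offset:]}


if __name__ == "__main__":
    pkt = encapsulate(b"GET / HTTP/1.0\r\n")
    print(len(pkt), "bytes on the wire:", decapsulate(pkt))
```

Note what the checksum does and does not buy: a flipped TTL byte is rejected, but an attacker who rewrites the inner addresses and recomputes the checksum is not detected, which is why the tunnel needs authentication and not just this integrity check.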

Lack of an enterprise security approach is evidenced through many symptoms

• Unable to quickly, and effectively, support increased user access requirements (regardless of location and type of end-user) while containing and controlling associated costs. • Inability to readily identify or understand exposures from the greater number of access points introduced by portals and Internet-based solutions. • Increased consumer complaints about misuse of personal and confidential information. • IT and the affected business units do not both fully understand the more stringent regulatory and legal compliance requirements. • Difficulty in supporting e-commerce business models while at the same time maintaining a legacy infrastructure.

Lock controls

• Used to control read and write access to specific rows of data in relational systems, or objects in object-oriented systems. • Locks ensure only one user at a time can alter data. • Better programming logic and testing reduce deadlocking problems.
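Atomicity (from the OLTP card) and lock controls, as an added example that is not part of the original page, using Python's sqlite3 module: a two-step transfer whose second step violates a CHECK constraint is rolled back as a whole, and a second connection that tries to write while the first holds the write lock is refused. The table, account names and amounts are constructed for the example.

```python
import os
import sqlite3
import tempfile


def make_db(path: str) -> None:
    """Constructed sample schema: a balance may never go negative."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, "
                 "balance INTEGER NOT NULL CHECK (balance >= 0))")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 100), ("bob", 50)])
    conn.commit()
    conn.close()


def balances(path: str) -> dict:
    conn = sqlite3.connect(path)
    try:
        return dict(conn.execute("SELECT id, balance FROM accounts"))
    finally:
        conn.close()


def transfer(path: str, src: str, dst: str, amount: int) -> bool:
    """Credit then debit inside one transaction. The credit is deliberately done
    first so that a failing debit proves the step already applied is undone."""
    conn = sqlite3.connect(path, isolation_level=None)   # explicit BEGIN/COMMIT
    try:
        conn.execute("BEGIN IMMEDIATE")                    # take the write lock now
        conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, dst))
        conn.execute("UPDATE accounts SET balance = balance - ? WHERE id = ?", (amount, src))
        conn.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:                         # CHECK constraint tripped
        conn.execute("ROLLBACK")
        return False
    finally:
        conn.close()


def second_writer_is_blocked(path: str) -> bool:
    """Lock control: while one connection holds the write lock, another cannot
    alter the data. timeout=0 makes SQLite fail immediately instead of waiting."""
    holder = sqlite3.connect(path, isolation_level=None)
    holder.execute("BEGIN IMMEDIATE")
    other = sqlite3.connect(path, isolation_level=None, timeout=0)
    try:
        other.execute("UPDATE accounts SET balance = balance + 1 WHERE id = 'bob'")
        return False
    except sqlite3.OperationalError:                       # "database is locked"
        return True
    finally:
        other.close()
        holder.execute("ROLLBACK")
        holder.close()


def run_demo() -> dict:
    path = os.path.join(tempfile.mkdtemp(), "oltp.db")
    make_db(path)
    results = {"ok_transfer": transfer(path, "alice", "bob", 30)}
    results["after_ok"] = balances(path)
    results["bad_transfer"] = transfer(path, "bob", "alice", 500)  # bob cannot cover it
    results["after_bad"] = balances(path)
    results["blocked"] = second_writer_is_blocked(path)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Taking the write lock up front with BEGIN IMMEDIATE is also the simplest way to avoid the deadlocks the card mentions: two transactions that each grab a shared lock and then both wait to upgrade to a write lock is the classic pattern, and acquiring locks in a fixed order, or all at once, removes it.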

Address Resolution Protocol (ARP)

• Used when a node knows the network layer (IP) address but needs the data link layer (MAC) address to forward the encapsulating frame. • The ARP software maintains a table (cache) of translations between IP addresses and data link addresses. • ARP has no authentication: any host can answer for any IP address and most stacks accept unsolicited replies, so the table can be poisoned to redirect traffic (ARP spoofing); static entries for critical hosts and monitoring for changed IP-to-MAC mappings are the usual countermeasures.
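The translation table and the poisoning caveat above, as an added example that is not part of the original page: it parses the 28-byte Ethernet/IPv4 ARP body (RFC 826), maintains the IP-to-MAC table an ARP implementation keeps, and flags the two classic symptoms of a man-in-the-middle (an IP whose MAC changes, and one MAC claiming several IPs), with optional pinned static entries that are never overwritten. The replies are constructed with the builder below, not captured traffic; addresses and MACs are sample values.

```python
import struct

HTYPE_ETHERNET, PTYPE_IPV4, ARP_REQUEST, ARP_REPLY = 1, 0x0800, 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"     # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """28-byte ARP reply body; used here only to construct sample traffic."""
    return struct.pack(ARP_FMT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, ARP_REPLY,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def parse_arp(body: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": oper, "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


class ArpTable:
    """IP -> MAC cache plus simple poisoning checks on every reply observed."""

    def __init__(self, static=None):
        self.table = {}
        self.static = dict(static or {})    # pinned entries, never overwritten
        self.alerts = []

    def lookup(self, ip):
        return self.static.get(ip) or self.table.get(ip)

    def observe(self, body: bytes) -> None:
        pkt = parse_arp(body)
        if pkt["op"] != ARP_REPLY:
            return
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        if ip in self.static:
            if self.static[ip] != mac:
                self.alerts.append(f"reply for pinned {ip} from {mac}, expected {self.static[ip]}")
            return
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} changed from {old} to {mac}")
        self.table[ip] = mac
        claimants = sorted(i for i, m in self.table.items() if m == mac)
        if len(claimants) > 1:
            self.alerts.append(f"{mac} claims multiple IPs: {claimants}")


# Constructed sample: replies addressed to our host (192.0.2.50 / ...:44:ff).
US_MAC, US_IP = "00:11:22:33:44:ff", "192.0.2.50"
SAMPLE_FRAMES = [
    build_arp_reply("00:11:22:33:44:01", "192.0.2.1", US_MAC, US_IP),   # gateway
    build_arp_reply("00:11:22:33:44:0a", "192.0.2.10", US_MAC, US_IP),
    build_arp_reply("00:11:22:33:44:01", "192.0.2.1", US_MAC, US_IP),   # same again
    build_arp_reply("de:ad:be:ef:00:01", "192.0.2.1", US_MAC, US_IP),   # gateway IP, new MAC
    build_arp_reply("de:ad:be:ef:00:01", "192.0.2.20", US_MAC, US_IP),  # same MAC, second IP
]


def analyze(frames, static=None) -> ArpTable:
    table = ArpTable(static)
    for body in frames:
        table.observe(body)
    return table


if __name__ == "__main__":
    print(analyze(SAMPLE_FRAMES).alerts)
    print(analyze(SAMPLE_FRAMES, {"192.0.2.1": "00:11:22:33:44:01"}).alerts)
```

Without a pinned entry the table ends up pointing the gateway address at the attacker's MAC, exactly as a real stack would; with the gateway pinned, the forged reply is reported and ignored.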

Hoax (malware type)

• Uses users rather than programming • 'Meme' or mind virus, social engineering • Usually warns of a 'new virus' • Can be a bigger problem than viruses themselves

Malware Types

• Virus • Worm • Hoax warning • Trojan • Logic bomb • Data diddler • Backdoor • RAT (Remote Access Trojan) • DDoS (Distributed Denial of Service) zombie • Prank • Spyware / Adware • Botnets *Many modern malware are a cross of different types*

Examples of Executable code/Mobile code include:

• Web applets - mini programs written in Java that are automatically loaded and run. • Dynamic email - active scripts/messages are included in email messages.

fiber optics

• Carries signals as light waves on glass or plastic cable. • Higher speed, longer distance, many channels. • Difficult to tap, resistant to interference. • Most expensive when the cost of termination and equipment is included.

IP Addresses

• 32-bit addresses, usually written as four decimal numbers (octets) separated by dots. • Each octet ranges from 0 to 255; within a network, the all-zeros and all-ones host values are reserved for the network and broadcast addresses. - EX: 11011000 / 00011001 / 01101000 / 11001111 --- IP address would be 216.25.104.207

radio frequency

• Directional antennae provide line-of-sight links. • Omnidirectional antennae cover a broader area, but can broadcast sensitive information beyond the physical control boundary.

Security Effectiveness Key Considerations (Development of Enterprise Security Architecture)

• Focus on a few critical objective indicators that truly enhance visibility • Internal audit alignment • Communication of successes/failures • Service Level Agreements (SLA) for customer satisfaction • IT Return on Investment (ROI) • Critical vendor maintenance contracts • Metrics for day-to-day operations • Reporting timelines • Existing balanced scorecard system

Process enhancement Key Considerations (Development of Enterprise Security Architecture)

• Key security standards, model and criteria proactively championed through existing enterprise-wide management processes • Center of Excellence (COE) approach - Breadth of coverage - end-to-end transaction - Depth - subject experts - Facilitator roles versus owner • Incentive concept to promote security staff as enablers versus roadblocks • Roles and responsibilities clearly defined and championed

coaxial cable

• More expensive than twisted pair, and more resistant to electromagnetic interference. • Greater bandwidth and distance. • Baseband - single channel. • Broadband - many channels (video, voice, data).

Business Enablement Key Considerations (Development of Enterprise Security Architecture)

• People, process and technology driven requirements • Consistent application of solution models • Zone analysis for end-to-end transaction integrity • Security plans practically applied to all aspects of a business' operation - network, applications, processes, etc.

Process enhancement Key components (Development of Enterprise Security Architecture)

• Security Criteria - Philosophy/Models • Core Enterprise Processes - Architecture, Engineering - Project & Risk Management - IT Operations Management • Security Champions - Subject Matter Experts - Awareness & Training • Security Communication Portal - Self Service - Knowledge Management

The security architecture (enterprise security architecture) must address all components of the enterprise security program not just the technical components:

• Strategic alignment • Business enablement • Process enhancement • Security foundation • Aligned with best practices

Challenges of enterprise Security architecture

• The variety and location of those that need to interact electronically with the organization put major pressure on accepting the risks associated with this new model. • Legal requirements also force controls on organizations, for example: - PIPEDA - Personal Information Protection and Electronic Documents Act (Canada) - HIPAA - Health Insurance Portability and Accountability Act (US)

Free space optics

• Uses lasers to send packets optically without cables. • Line-of-sight limitations. • Affected by fog.

