C836 - Fundamentals of Information Security Study Notes
CSRF
An attack that misuses the authority of the browser on the user's computer.
large-scale filtering
Blocks out known attacks, spammers, and other undesirable traffic. Such filtering can take the form of dropping traffic from individual IP addresses, to ranges, to the entire IP space of large organizations, ISPs, or even entire countries. This practice is commonly referred to as blackholing, because any traffic to such filtered destinations is simply dropped and appears to have vanished into a black hole from the perspective of the sender.
disaster recovery planning (DRP)
Covers the plans we put in place in preparation for a potential disaster, and what exactly we will do during and after a particular disaster strikes to replace infrastructure. Extreme temperature Gases Liquids Living organisms Projectiles Movement Energy anomalies People Toxins Smoke and fire
Biometric Characteristics
Defined by seven characteristics: universality, uniqueness, permanence, collectability, performance, acceptability, and circumvention
The Bell-LaPadula model
A combination of DAC and MAC and is primarily concerned with the confidentiality of the resource in question. In cases where we see DAC and MAC implemented together, MAC takes precedence over DAC, and DAC works within the accesses allowed by the MAC permissions. "no read up" and "no write down"
Alter Default Accounts
A common weakness in many operating systems is the use of accounts known to be standard. In many operating systems (as well as some applications), we can find the equivalent of a guest account and an administrator account. We may also find a variety of others, including those intended for the use of support personnel, to allow services or utilities to operate, and a plethora of others, widely varying by the operating system vendor, version, and so forth.
Confidentiality
A concept similar to, but not the same as, privacy. A necessary component of privacy and refers to our ability to protect our data from those who are not authorized to view it. A concept that may be implemented at many levels of a process.
Performance
A set of metrics that judge how well a given system functions. Such factors include speed, accuracy, and error rate.
Defense in Depth
A strategy common to both military maneuvers and information security. In both senses, the basic concept of defense in depth is to formulate a multilayered defense that will allow us to still achieve a successful defense should one or more of our defensive measures fail.
Confused deputy problem
A type of attack that is common in systems that use ACLs rather than capabilities. When the software with access to a resource has a greater level of permission to access the resource than the user who is controlling the software
Something you know
A very common authentication factor. This can include passwords, PINs, passphrases, or most any item of information that a person can remember.
Principle of Least Privilege
Dictates that we should only allow the bare minimum of access to perform the functionality needed.
intrusion detection systems (IDSes)
An IDS performs strictly as a monitoring and alert tool, only notifying us that an attack or undesirable activity is taking place.
intrusion prevention systems (IPSes)
An IPS, often working from information sent by the IDS, can actually take action based on what is happening in the environment. In response to an attack over the network, an IPS might refuse traffic from the source of the attack.
Authorization
Enables us to determine, once we have authenticated the party in question, exactly what they are allowed to do. We typically implement authorization through the use of access controls.
Permanence
How well a particular characteristic resists change over time and with advancing age. If we choose a factor that can easily vary, such as height, weight, or hand geometry, we will eventually find ourselves in the position of not being able to authenticate a legitimate user.
Network Intrusion Detection Systems
IDSes monitor the networks, hosts, or applications to which they are connected for unauthorized activity. There are several types of IDSes, including host-based intrusion detection systems (HIDSes), application protocol-based intrusion detection systems (APIDSes), and network-based intrusion detection systems (NIDSes). NIDSes will typically be attached to the network in a location where they can monitor the traffic going by, but they need to be placed carefully so that they are not overloaded. Placing an NIDS behind another filtering device, such as a firewall, can help to eliminate some of the obviously spurious traffic in order to decrease the traffic the NIDS needs to inspect. As NIDSes need to examine a large amount of traffic on a typical network, they can generally do only a relatively cursory inspection in order to determine whether the situation on the network is normal or not. Because of this, an NIDS may miss some types of attacks, particularly those that are specifically crafted to pass through such inspections.
Factors
In terms of authentication, there are several methods we can use, with each category referred to as a factor. Within each factor, there are a number of possible methods we can use. When we are attempting to authenticate a claim of identity, the more factors we use, the more positive our results will be. The different factors are something you know (password), something you are (Iris scan), something you have (swipe card), something you do (gait (walking) recognition), and the place you are (at a specific terminal).
Examples of Interruption Attacks
In the case of a DoS attack on a mail server, we would classify this as an availability attack. In the case of an attacker manipulating the processes on which a database runs in order to prevent access to the data it contains, we might consider this an integrity attack, due to the possible loss or corruption of data, or we might consider it a combination of the two.
Denying access
Preventing access by a given party to the resource in question.
Privacy and Business
Privacy can be a very touchy concept when conducting a business, particularly regarding the handling of sensitive data.
Protecting Data at Rest
Protecting data at rest is an area in which security is often lax and is a particularly bad area in which we choose not to emphasize security. Data is generally considered to be at rest when it is on a storage device of some kind and is not moving over a network, through a protocol, and so forth.
Information Security
Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Impact
Some organizations, such as the US National Security Agency (NSA), add an additional factor to the threat/vulnerability/risk equation, in the form of impact. If we consider the value of the asset being threatened to be a factor, this may change whether we see a risk as being present or not.
Threats
Something that has the potential to cause us harm. Threats tend to be specific to certain environments, particularly in the world of information security. For example, although a virus might pose a threat to a Windows operating system, the same virus will be unlikely to have any effect on a Linux operating system.
Analysis of Vulnerabilities
Vulnerabilities are weaknesses that can be used to harm us. In the case of analyzing the vulnerabilities in the protections we have put in place for our information assets, we will be looking at how the processes that interact with these assets are normally conducted, and where we might attack in order to compromise them.
George Washington
The first president of the United States, was well known for being an astute and skilled military commander and is also well known for promoting good operational security practices. He is known in the operations security community for having said, "Even minutiae should have a place in our collection, for things of a seemingly trifling nature, when enjoined with others of a more serious cast, may lead to valuable conclusion", meaning that even small items of information, which are valueless individually, can be of great value in combination.
Network Usage
network awareness, is an important concept to discuss with users. we do not want to allow foreign devices on our networks.
CAPTCHA
Completely Automated Public Turing Test to Tell Humans and Computers Apart Used to prevent automated tools from carrying out tasks like signing up for new accounts or adding spam comments to blogs.
Discretionary access control (DAC)
A model of access control based on access being determined by the owner of the resource in question. (network shares)
Remove All Unnecessary Software
Each piece of software installed on our operating system adds to our attack surface. Some software may have a much greater effect than others, but they all add up. If we are truly seeking to harden our operating system, we need to take a hard look at the software that should be loaded on it, and take steps to ensure that we are working with the bare minimum need for a functional system.
Database Security Issues
1. Unauthenticated flaws in network protocols 2. Authenticated flaws in network protocols 3. Flaws in authentication protocols 4. Unauthenticated access to functionality 5. Arbitrary code execution in intrinsic SQL 6. elements 6. Arbitrary code execution in securable SQL elements 7. Privilege escalation via SQL injection 8. Local privilege escalation issues
six main ways in which we can decrease our attack surface
1. Removing unnecessary software 2. Removing or turning off unessential services 3. Making alterations to common accounts 4. Applying the principle of least privilege 5. Applying software updates in a timely manner 6. Making use of logging and auditing functions
business continuity planning (BCP)
Refers specifically to the plans we put in place to ensure that critical business functions can continue operations through the state of emergency.
Mutual Authentication
Refers to an authentication mechanism in which both parties authenticate each other. Mutual authentication is often implemented through the use of digital certificates. In cases where we do not perform mutual authentication, we leave ourselves open to impersonation attacks, often referred to as man-in-the-middle attacks.
Utility
Refers to how useful the data is to us. Utility is also the only principle of the Parkerian hexad that is not necessarily binary in nature; we can have a variety of degrees of utility, depending on the data and its format.
Possession or control
Refers to the physical disposition of the media on which the data is stored. This enables us, without involving other factors such as availability, to discuss our loss of the data in its physical medium.
Port Scanners
Scanners are one of the mainstays of the security testing and assessment industry. We can generally break these into two main categories: port scanners and vulnerability scanners. There is some overlap between the two, depending on the particular tool we are talking about. One of the more famous port scanners that we might want to use is a free tool called Nmap, short for network mapper. Although Nmap is generally referred to as a port scanner, we actually do it a bit of a disservice to call it that. Although Nmap can conduct port scans, it can also search for hosts on a network, identify the operating systems those hosts are running, detect the versions of the services running on any open ports, and much more. For the most part, in terms of network security, scanners are the most useful when used as a tool for discovering the networks and systems that are in our environment.
cryptosystem
a concept that covers a given algorithm and all possible keys, plaintexts, and ciphertexts
Phishing
a particular social engineering technique and is largely employed through the use of electronic communications such as e-mail, texting, or phone calls. Most phishing attacks are very broad in nature and involve convincing the potential victim to click on a link in the e-mail, in order to send the victim to a fake site designed to collect personal information or credentials, or to have the victim install malware on their system.
Michael Porter
a professor at Harvard Business School, published a book titled Competitive Strategy: Techniques for Analyzing Industries and Competitors. This text, now nearing its 60th printing, set the basis for what is referred to as competitive intelligence.
AES
a set of symmetric block ciphers endorsed by the US government through NIST, and now used by a variety of other organizations, and is the replacement for DES as the standard encryption algorithm for the US federal government. AES uses three different ciphers: one with a 128-bit key, one with a 192-bit key, and one with a 256-bit key, all having a block length of 128 bits.
Nonrepudiation
a situation in which sufficient evidence exists as to prevent an individual from successfully denying that he or she has made a statement, or taken an action.
Honeypots
a somewhat controversial tool in the arsenal of those we can use to improve our network security. A honeypot can detect, monitor, and sometimes tamper with the activities of an attacker. Honeypots are configured to deliberately display vulnerabilities or materials that would make the system attractive to an attacker. This might be an intentionally vulnerable service, an outdated and unpatched operating system
cryptology
The overarching field of study that covers cryptography and cryptanalysis
The Operations Security Process
the process is to identify what information we have that needs protection, analyze the threats and vulnerabilities that might impact it, and develop methods of mitigation for those threats and vulnerabilities
Competitive intelligence
the process of intelligence gathering and analysis in order to support business decisions.
Decryption
the process of recovering the plaintext message from the ciphertext. The plaintext and ciphertext may also be generically referred to as the message.
Pretexting
Using a fake identity, we create a believable scenario that elicits the target to give us sensitive information or perform some action which they would not normally do for a stranger.
The third and last law of operations security
"If you are not protecting it (the information), ... THE DRAGON WINS!" This law is an overall reference to the necessity of the operations security process. If we do not take steps to protect our information from the dragon (our adversaries or competitors), they win by default.
The first law of operations security
"If you don't know the threat, how do you know what to protect?"
The second law of operations security
"If you don't know what to protect, how do you know you are protecting it?" This law of operations security discusses the need to evaluate our information assets and determine what exactly we might consider to be our critical information. This second law equates to the first step in the operations security process.
Equal error rate (EER)
A balance between the two error types. If we plot out both the FAR and FRR on a graph, the EER is the point where the two lines intersect. EER is sometimes used as a measure of the accuracy of biometric systems.
Something you do
A factor based on the actions or behaviors of an individual. Such factors may include analysis of the individual's gait, measurement of multiple factors in his or her handwriting, the time delay between keystrokes as he or she types a passphrase, or similar factors.
Something you are
A factor based on the relatively unique physical attributes of an individual, often referred to as biometrics. (retina scan, fingerprints, etc...)
Something you have
A factor generally based on the physical possession of an item or a device. (security token)
Where you are
A geographically based authentication factor. This factor operates differently than the other factors, as its method of authentication depends on the person being authenticated as being physically present at a particular location or locations.
Input Validation Attacks
A good example of an input validation problem is the format string attack. If we are careful to check the input we are taking in, and filter it for unexpected or undesirable content, we can often halt any issues immediately. In the case of the format string attack, we may be able to remove the offending characters from the input or put error handling in place to ensure that they do not cause a problem.
Data Security
A great many solutions exist for protecting data at rest. The primary method we use to protect this type of data is encryption, particularly when we know that the storage media, or the media and the device in which it is contained, will be potentially exposed to physical theft, such as on a backup tape or in a laptop.
Acceptability
A measure of how acceptable the particular characteristic is to the users of the system. In general, systems that are slow, difficult to use, or awkward to use are less likely to be acceptable to the user
Uniqueness
A measure of how unique a particular characteristic is among individuals. (such as DNA, or iris patterns)
Mandatory access control (MAC)
A model of access control in which the owner of the resource does not get to decide who gets to access it, but instead access is decided by a group or individual who has the authority to set access on resources. Often implemented in government organizations, where access to a given resource is largely dictated by the sensitivity label applied to it (secret, top secret, etc.), by the level of sensitive information the individual is allowed to access (perhaps only secret), and by whether the individual actually has a need to access the resource.
Role-based access control (RBAC)
A model of access control that, similar to MAC, functions on access controls set by an authority responsible for doing so, rather than by the owner of the resource. The difference between RBAC and MAC is that access control in RBAC is based on the role the individual being granted access is performing. We can see RBAC implemented in many large-scale applications that are oriented around sales or customer service. While this provides much greater granularity of security, it is also much more labor intensive to implement and manage.
Packet Sniffers
A network or protocol analyzer, also known as a packet sniffer, or just plain sniffer, is a tool that can intercept traffic on a network, commonly referred to as sniffing. Sniffing basically amounts to listening for any traffic that the network interface of our computer or device can see, whether it was intended to be received by us or not.
Administrative
Administrative controls are based on rules, laws, policies, procedures, guidelines, and other items that are "paper" in nature. In essence, administrative controls set out the rules for how we expect the users of our environment to behave.
Interception
Allow unauthorized users to access our data, applications, or environments, and are primarily an attack against confidentiality.
Limiting access
Allowing some access to our resource, but only up to a certain point.
Authenticity
Allows us to talk about the proper attribution as to the owner or creator of the data in question. Authenticity can be enforced through the use of digital signatures.
Clickjacking
Also known as user interface redressing, takes advantage of some of the page rendering features that are available in newer Web browsers.
How
Also of importance is the route we will follow to reach the evacuation meeting place. When planning such routes, we should consider where the nearest exit from a given area can be reached, as well as alternate routes if some routes are impassable in an emergency. We should also avoid the use of areas that are dangerous or unusable in emergencies, such as elevators or areas that might be blocked by automatically closing fire doors.
Protecting Data in Use
Although we can use encryption to protect data while it is stored or moving across a network, we are somewhat limited in our ability to protect data while it is being used by those who legitimately have access to it. Authorized users can print files, move them to other machines or storage devices, e-mail them, share them on peer-to-peer (P2P) file-sharing networks, and generally make a mockery of our carefully laid security measures.
Identification
An assertion of who we are. It is important to note that the process of identification does not extend beyond this claim and does not involve any sort of verification or validation of the identity that we claim. That part of the process is referred to as authentication and is a separate transaction.
Risk Management
At a high level, we need to identify our important assets, identify the potential threats against them, assess the vulnerabilities that we have present, and then take steps to mitigate these risks.
Client-side attacks
Attacks that take advantage of weaknesses in applications that are running on the computer being operated directly by the user, often referred to as the client.
Interruption
Cause our assets to become unusable or unavailable for our use, on a temporary or permanent basis. Interruption attacks often affect availability but can be an attack on integrity as well.
Cryptographic Attacks
Cryptography is easy to implement badly, and this can give us a false sense of security. One of the big "gotchas" in implementing cryptography is to give in to the temptation to develop a cryptographic scheme of our own devising. The major cryptographic algorithms in use today, such as Advanced Encryption Standard (AES) and RSA, have been developed and tested by thousands of people who are very skilled and make their living developing such tools. Additionally, such algorithms are in general use because they have been able to stand the test of time without serious compromise. Although it is possible that our homegrown algorithm may have something to offer, software that stores or processes any sort of sensitive data is likely not a good place to test it out.
Physical Concerns for Data
Depending on the type of physical media on which our data is stored, any number of adverse physical conditions may be problematic or harmful to their integrity. Such media are often sensitive to temperature, humidity, magnetic fields, electricity, impact, and more, with each type of media having its particular strong and weak points.
Circumvention
Describes the ease with which a system can be tricked by a falsified biometric identifier.
Deterrent
Designed to discourage those who might seek to violate our security controls from doing so, whether the threat is external or internal. Examples of this include signs in public places that indicate that video monitoring is in place, and the yard signs with alarm company logos that we might find in residential areas. The signs themselves do nothing to prevent people from acting in an undesirable fashion, but they do point out that there may be consequences for doing so. Such measures, while not directly adding to what we might think of as physical security, do help to keep honest people honest.
The Brewer and Nash model
Designed to prevent conflicts of interest. Commonly used in industries that handle sensitive data, such as that found in the financial, medical, or legal industry.
Kurt's Laws of Operations Security
Developed by Kurt Haase while he was employed at the Nevada Operations Office of the DOE. These laws represent a distillation of the operations security process
Vietnam War
During the Vietnam War, the United States came to realize that information regarding troop movements, operations, and other military activities was being leaked to the enemy. Clearly, in most environments, military or otherwise, having our opponents gain foreknowledge of our activities is a dangerous thing, particularly so when lives may be at stake. In an effort to curtail this unauthorized passing of information, a study, codenamed Purple Dragon, a symbol of OPSEC that persists to this day.
personally identifiable information (PII)
European Union's (EU) Data Protection Directive (Directive 95/46/EC) which covers the requirements to protect individual's personally identifiable information (PII). These are much more stringent than current US requirements but if an US company is storing data on EU citizens in the United States, they must still comply with EU laws.
False acceptance rate (FAR)
FAR occurs when we accept a user whom we should actually have rejected. This type of issue is also referred to as a false positive.
False rejection rate (FRR)
FRR is the problem of rejecting a legitimate user when we should have accepted him. This type of issue is commonly known outside the world of biometrics as a false negative.
Web Application Analysis Tools
For purposes of analyzing Web pages or Web-based applications Most of these tools perform the same general set of tasks and will search for common flaws such as XSS or SQL injection flaws, as well as improperly set permissions, extraneous files, outdated software versions, and many more such items.
Environmental Conditions
For the equipment within our facilities, maintaining proper environmental conditions can be crucial to continued operations. Computing equipment can be very sensitive to changes in power, temperature, and humidity, as well as electromagnetic disturbances. Particularly in areas where we have large quantities of equipment, such as we might find in a data center
Wireless Network Security
For the legitimate and authorized devices on our network, our chief method of protecting the traffic that flows through them is the use of encryption. The encryption used by 802.11 wireless devices, the most common of the wireless family of network devices, breaks down into three major categories: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), and Wi-Fi Protected Access version 2 (WPA2). Of these, WPA2 is the most current and offers the strongest inherent security.
Access Control
Four basics tasks we might want to carry out: allowing access, denying access, limiting access, and revoking access.
Allowing access
Give a particular party, or parties, access to a given resource.
Collectability
How easy it is to acquire a characteristic with which we can later authenticate a user. Most commonly used biometrics, such as fingerprints, are relatively easy to acquire, and this is one reason they are in common use.
Mitigating risks
In order to help us mitigate risk, we can put measures in place to help ensure that a given type of threat is accounted for. These measures are referred to as controls. Controls are divided into three categories: physical, logical, and administrative.
Identity Verification
Identity verification is a step beyond identification, but it is still a step short of authentication. Identity verification is used not only in our personal interactions but also in computer systems. In many cases, such as when we send an e-mail, the identity we provide is taken to be true, without any additional steps taken to authenticate us.
Examples of Modification Attacks
If we access a file in an unauthorized manner and alter the data it contains, we have affected the integrity of the data contained in the file. However, if we consider the case where the file in question is a configuration file that manages how a particular service behaves, perhaps one that is acting as a Web server, we might affect the availability of that service by changing the contents of the file.
Structured Query Language (SQL) injection
If we are careful to validate the input we take into our Web applications and filter out characters that might be used to compromise our security, we can often fend off such an attack before it even begins. In many cases, filtering out special characters such as *, %, ',;, and / will defeat such attacks entirely.
Policy and Regulatory Knowledge
If we expect our users to follow the rules that we have laid out in the form of policies, regulations with which we must comply, and other such items that we, as an organization, may be compelled to comply with, we need to make some effort to communicate these policies.
Examples of Fabrication Attacks
If we generate spurious information in a database, this would be considered to be a fabrication attack. We could also generate e-mail, which is commonly called spoofing. This can be used as a method for propagating malware, such as we might find being used to spread a worm. In the sense of an availability attack, if we generate enough additional processes, network traffic, e-mail, Web traffic, or nearly anything else that consumes resources, we can potentially render the service that handles such traffic unavailable to legitimate users of the system.
Extraneous files
If we leave archives of the source code from which our applications are built, backup copies of our files, text files containing our notes or credentials, or any such related files, we may be handing an attacker exactly the materials he or she needs in order to compromise our system.
Authentication
In an information security sense, the set of methods we use to establish a claim of identity as being true. It is important to note that authentication only establishes whether the claim of identity that has been made is correct. Authentication does not infer or imply anything about what the party being authenticated is allowed to do; this is a separate task known as authorization.
Fabrication
Involve generating data, processes, communications, or other similar activities with a system. Fabrication attacks primarily affect integrity but could be considered an availability attack as well.
Modification
Involve tampering with our asset. Such attacks might primarily be considered an integrity attack but could also represent an availability attack.
The Biba model
Is primarily concerned with protecting the integrity of data, even at the expense of confidentiality. Has two security rules that are the exact reverse of those in the Bell-LaPadula model. "no read down" and "no write up"
Revocation of access
It is vital that once we have given a party access to a resource, we be able to take that access away again. If we were, for instance, to fire an employee, we would want to revoke any accesses that they might have.
Residual Data
Left over data on storage media. We must be able to render the data inaccessible when it is no longer required.
Logical and technical controls
Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data. Logical controls can include items such as passwords, encryption, logical access controls, firewalls, and intrusion detection systems. Logical controls enable us, in a logical sense, to prevent unauthorized activities from taking place.
Attribute-based access control (ABAC)
Logically, based on attributes. These can be the attributes of a particular person, of a resource, or of an environment.
Remove All Unessential Services
Many operating systems ship with a wide variety of services turned on in order to share information over the network, locate other devices, synchronize the time, allow files to be accessed and transferred, and perform other tasks. We may also find that services have been installed by various applications, to provide the tools and resources on which the application depends in order to function.
Falsifying Identification
Methods of identification are subject to change. As such, they are also subject to falsification. Identity theft, based on falsified information, is a major concern today, costing US consumers an estimated $20.9 billion in 2012 [2]. This type of attack is unfortunately common and easy to execute.
Anti-Malware Tools
Most detect threats in the same way the IDS. Either by matching against a signature or by detecting anomalous activities taking place. Anti-malware tools do tend to depend more heavily on signatures than on anomaly detection, which is typically referred to in the anti-malware field as heuristics. Malware signatures are usually updated by the vendor of the application at least once a day and may be updated more often than that if the need arises.
Parkerian hexad
Not as widely known as the CIA triad. Encompasses the three principles of the CIA triad, adds Possession or control, Authenticity, Utility. There is some variance in how Parker describes integrity, as he does not account for authorized, but incorrect, modification of data and instead focuses on the state of the data itself in the sense of completeness.
Backups
Not only do we need to back up the data itself, but we also need to maintain backups of the equipment and infrastructure that are used to provide access to the data.
Access Control Lists
Often referred to as "ackles," are a very common choice of access control implementation. ACLs are usually used to control access in the file systems on which our operating systems run and to control the flow of traffic in the networks to which our systems are attached. ACLs are most commonly discussed in the context of firewalls and routers.
Server-Side Attacks
On the server side of the Web transaction, a number of vulnerabilities may cause us problems as well. Such threats and vulnerabilities can vary widely depending on our operating system, Web server software, various software versions, scripting languages, and many other factors.
Application of Countermeasures
Once we have discovered what risks to our critical information might be present, we would then put measures in place to mitigate them. Such measures are referred to in operations security as countermeasures.
Identify threats
Once we have enumerated our critical assets, we can then begin to identify the threats that might affect them. It is often useful to have a framework within which to discuss the nature of a given threat, and the CIA triad or Parkerian hexad
Assess risks
Once we have identified the threats and vulnerabilities for a given asset, we can assess the overall risk. As we discussed earlier in this lesson, risk is the conjunction of a threat and a vulnerability. A vulnerability with no matching threat or a threat with no matching vulnerability do not constitute a risk.
Availability
One of our larger concerns when we discuss protecting data is to ensure that the data is available to us when we need to access it. The availability of our data often hinges on both our equipment and our facilities remaining in functioning condition
Identify Assets
One of the first and, arguably, one of the most important parts of the risk management process is identifying and categorizing the assets that we are protecting.
Auditing
One of the primary ways we can ensure accountability through technical means is by ensuring that we have accurate records of who did what and when they did it. In nearly any environment, from the lowest level of technology to the highest, accountability is largely accomplished through the use of auditing.
Practice
Particularly in large facilities, a full evacuation can be a complicated prospect. In a true emergency, if we do not evacuate quickly and properly, a great number of lives may be lost.
Network ACLs
Permissions in network ACLs tend to be binary in nature, generally consisting of allow and deny. When we set up the ACL, we use our chosen identifier or identifiers to dictate which traffic we are referring to and simply state whether the traffic is to be allowed or not.
Physical
Physical controls are those controls that protect the physical environment in which our systems sit, or where our data is stored. Such controls also control access in and out of such environments.
Tailgating
Physical tailgating, also known as "piggybacking," is the act of following someone through an access control point, such as secure door, without having the proper credentials, badge, or key, normally needed to enter the door.
Authorization Attacks
Placing authorization mechanisms on the client side is a bad idea as well. Any such process that is performed in a space where it might be subject to direct attack or manipulation by users is almost guaranteed to be a security issue at some point. We should instead authenticate against a remote server or on the hardware of the device, if we have a portable device, where we are considerably more in control.
Perform Updates
Regular and timely updates to our operating systems and applications are critical to maintaining strong security. New attacks are published on a regular basis, and if we do not apply the security patches released by the vendors that manufacture our operating systems and applications, we will likely fall victim very quickly to a large number of well-known attacks.
Nmap
Scanner, has a very large and broad set of functionality and can give us considerably more information. In addition to the many features built into Nmap, we can create custom Nmap functionality of our own, through the use of the Nmap Scripting Engine (NSE).
Hashing algorithms
SHA-2 and the soon-to-arrive SHA-3 have replaced MD5 in cases where stringent hash security is required Many other hash algorithms exist and are used in a variety of situations, such as MD2, MD4, and RACE.
Protecting Data in Motion
SSL and TLS are often used to protect information sent over networks and over the Internet, and they operate in conjunction with other protocols such as Internet Message Access Protocol (IMAP) and Post Office Protocol (POP) for e-mail, Hypertext Transfer Protocol (HTTP) for Web traffic, VoIP for voice conversations, instant messaging, and hundreds of others. SSL is actually the predecessor of TLS, and TLS is based heavily on the last version of SSL. The terms are often used interchangeably, and they are nearly identical to each other. Both methods are still in common use.
Detective
Serve to detect and report undesirable events that are taking place. The classic example of a detective control can be found in burglar alarms and physical intrusion detection systems. Such systems typically monitor for indicators of unauthorized activity, such as doors or windows opening, glass being broken, movement, and temperature changes, and also can be in place to monitor for undesirable environmental conditions such as flooding, smoke and fire, electrical outages, and excessive carbon dioxide in the air.
Symmetric key algorithms
Some of the cryptographic algorithms that are more recognizable to the general public are symmetric key algorithms. Several of these, such as DES, 3DES, and AES, are or have been in regular use by the US government and others as standard algorithms for protecting highly sensitive data. There are a large number of other well-known symmetric block ciphers, including Twofish, Serpent, Blowfish, CAST5, RC6, and IDEA, as well as stream ciphers, such as RC4, ORYX, and SEAL.
Passwords
Still the most common form of validation. Passwords, although only a single factor of authentication, can, when constructed and implemented properly, represent a relatively high level of security.
Universality
Stipulates that we should be able to find our chosen biometric characteristic in the majority of people we expect to enroll in the system.
Block vs stream ciphers
Symmetric key cryptography makes use of two types of ciphers: block ciphers and stream ciphers. A block cipher takes a predetermined number of bits, known as a block, in the plaintext message and encrypts that block. Blocks are commonly composed of 64 bits but can be larger or smaller depending on the particular algorithm being used and the various modes in which the algorithm might be capable of operating. A stream cipher encrypts each bit in the plaintext message, 1 bit at a time. It is also possible for a block cipher to act as a stream cipher by setting a block size of 1 bit.
Asymmetric key algorithms
The RSA algorithm, named for its creators Ron Rivest, Adi Shamir, and Leonard Adleman, is an asymmetric algorithm used all over the world, including in the Secure Sockets Layer (SSL) protocol Several other asymmetric algorithms exist, including ElGamal, Diffie-Hellman, and Digital Signature Standard (DSS). We can also see a variety of protocols and applications that are based on asymmetric cryptography, including Pretty Good Privacy (PGP) for securing messages and files, SSL and Transport Layer Security (TLS) for several kinds of traffic including Web and e-mail, and some Voice over IP (VoIP) for voice conversations.
Availability
The ability to access our data when we need it. Loss of availability can refer to a wide variety of breaks anywhere in the chain that allows us access to our data. Such issues can result from power loss, operating system or application problems, network attacks, compromise of a system, or other problems.
Integrity
The ability to prevent our data from being changed in an unauthorized or undesirable manner. We not only need to have the means to prevent unauthorized changes to our data but also need the ability to reverse authorized changes that need to be undone.
Identification of Critical Information
The initial step, and, arguably, the most important step in the operations security process, is to identify our most critical information assets.
Risk
The likelihood that something bad will happen. In order for us to have a risk in a particular environment, we need to have both a threat and a vulnerability that the specific threat can exploit.
The main advantage of asymmetric key cryptography over symmetric key cryptography
The loss of the need to distribute the key. As we discussed earlier in this lesson, when we use a symmetric algorithm, we need to distribute the key in some way. We might do this by exchanging keys in person, sending a key in e-mail, or repeating it verbally over the phone, but we generally need to communicate the key in an out-of-band manner, meaning that we do not want to send the key with the message, as this would leave our message easily available to an eavesdropper. When we use asymmetric key cryptography, we have no need to share a single key. We simply make our public key easily available, and anyone who needs to send us an encrypted message makes use of it.
Access Control Models
The most common are: discretionary access control, mandatory access control, rule-based access control, role-based access control, and attribute-based access control.
Who
The most vital portion of the evacuation, of course, is to ensure that we actually get everyone out of the building, and that we can account for everyone at the evacuation meeting place. This process typically requires at least two people to be responsible for any given group of people: one person to ensure that everyone he or she is responsible for has actually left the building and another at the meeting place to ensure that everyone has arrived safely.
Physical Concerns for Equipment
The physical threats that might harm our equipment, although fewer than those we might find harmful to people, are still numerous. Extreme temperatures can be very harmful to equipment. Liquids can be very harmful to equipment, even when in quantities as small as those that can be found in humid air. Living organisms can also be harmful to equipment, although in the environments with which we will typically be concerned, these will often be of the smaller persuasion. Insects and small animals that have gained access to our equipment may cause electrical shorts, interfere with cooling fans, chew on wiring, and generally wreak havoc. Movement in earth and in the structure of our facilities can be a very bad thing for our equipment. One of the more obvious examples we can look at is an earthquake. Energy anomalies can be extremely harmful to any type of electrical equipment in a variety of ways. If we see issues with power being absent or temporarily not sending the expected amount of voltage, our equipment may be damaged beyond repair as a result. Smoke and fire are very bad for our equipment, as they introduce a number of harmful conditions. With smoke or fire, we might experience extreme temperatures, electrical issues, movement, liquids, and a variety of other problems.
Keyspace
The range of all possible values for the key. The larger the keyspace, the harder it is to decrypt the message.
cryptanalysis
The science of breaking through the encryption used to create the ciphertext
Cryptographic algorithm
The specifics of the process used to encrypt the plaintext or decrypt the ciphertext is referred to as a cryptographic algorithm. generally use a key, or multiple keys, in order to encrypt or decrypt the message, this being roughly analogous to a password.
Personal Equipment
The use of personal equipment being acceptable or not in the workplace varies considerably from one working environment to the next, but there are often commonalities.
Federal Privacy Act of 1974
This act "safeguards privacy through creating four procedural and substantive rights in personal data. First, it requires government agencies to show an individual any records kept on him or her. Second, it requires agencies to follow certain principles, called 'fair information practices,' when gathering and handling personal data. Third, it places restrictions on how agencies can share an individual's data with other people and agencies. Fourth and finally, it lets individuals sue the government for violating its provisions"
The Confidentiality, Integrity, and Availability Triad (CIA)
Three of the primary concepts in information security. Gives us a model by which we can think about and discuss security concepts, and tends to be very focused on security, as it pertains to data.
technical obsolescence
Type of storage media, software, interfaces, and other factors can affect our ability to read stored data. For example, Sony ended production of floppy diskettes in March 2011, after having been responsible for 70% of the remaining production of such media
Examples of Interception Attacks
Unauthorized file viewing or copying, eavesdropping on phone conversations, or reading e-mail, and can be conducted against data at rest or in motion. Properly executed, interception attacks can be very difficult to detect.
Sandbox
Used to describe the limitations that are put in place. A set of resources devoted to a program, process, or similar entity, outside of which the entity cannot operate.
Preventive
Used to physically prevent unauthorized entities from breaching our physical security. An excellent example of preventive security can be found in the simple mechanical lock. Locks are nearly ubiquitous for securing various facilities against unauthorized entry, including businesses, residences, and other locations.
Malware
User education in the area of malware can be difficult to communicate to users as education in this area often revolves around teaching them to not indiscriminately click things.
Multifactor Authentication
Uses one or more of the authentication factors.
Effectively Reaching Users
We can also gain the attention of our users through the use of security-oriented posters, giveaways (pens, coffee mugs, etc.), newsletters, and a great number of similar devices. Ultimately it does not matter to any great extent what these other avenues of awareness specifically are, but that there are different approaches to communicating the same information. If we can offer repeated and varied avenues for bringing this information to the users' attention throughout their day, we stand a better chance of the information sinking in over the long term.
Sniffers
We can also use such tools very specifically in order to watch the network traffic being exchanged with a particular application or protocol.
Arbitrary Code Execution
We can find a number of areas for security flaws in the languages we use to talk to databases. Generally, these are concentrated on SQL, as it is the most common database language in use. In the default SQL language, a number of built-in elements are possible security risks, some of which we can control access to and some of which we cannot.
Unix/Linux ACLs
We can give an individual user read, write, and execute permissions, a group of different users read, write, and execute permissions, and a different set of read, write, and execute permissions to anyone that is not an individual or group that we have already covered. These three sets of permissions will display as rwxrwxrwx, with the first rwx set representing the user, the second the group, and the third other
Who We Claim To Be
We can identify ourselves by our full names, shortened versions of our names, images of ourselves, nicknames, account numbers, usernames, ID cards, fingerprints, DNA samples, and an enormous variety of other methods. Who we claim to be can, in many cases, be an item of information that is subject to change. One of the most crucial factors to realize when we are working with identification is that an invalidated claim of identity is not reliable information on its own.
Wireless
We can use several tools to detect wireless devices. One of the best-known tools for detecting such devices is called Kismet, which runs on Linux and can be found on the Kali distribution. Kismet is commonly used to detect wireless access points and can find them even when attempts have been made to make doing so difficult. A similar piece of software, called NetStumbler, exists for Windows, although it does not have as full a feature set as Kismet. In addition to detecting wireless devices, some tools can enable us to break through the different varieties of encryption that are in use on such networks. Many tools for such purposes exist, but a few of the more common ones for cracking WEP, WPA, and WPA2 include coWPAtty and Aircrack-NG.
File system ACLs
We commonly see three permissions in use: read, write, and execute.
Vulnerabilities
Weaknesses that can be used to harm us. In essence, they are holes that can be exploited by threats in order to cause us harm.
Protocol Issues
When we are dealing with known protocol issues, the absolute best defense is to ensure that we are using the most current software version and patches for the database software in question Defending against presently unknown network protocol issues often revolves around limiting access to our databases, either in the sense of actually limiting access to who is able to connect to the database over the network
Unauthenticated Access
When we give a user or process the opportunity to interact with our database without supplying a set of credentials, we create the possibility for security issues. Such issues may be related to simple queries to the database through a Web interface, in which we might accidentally expose information contained in the database; or we might expose information on the database itself, such as a version number, giving an attacker additional material with which to compromise our application.
Assess vulnerabilities
When we look at assess vulnerabilities, we need to do so in the context of potential threats. Any given asset may have thousands or millions of threats that could impact it, but only a small fraction of these will actually be relevant.
Layers
When we look at the layers we might place in our defense in depth strategy, we will likely find that they vary given the particular situation and environment we are defending.
Authentication Attacks
When we plan the authentication mechanisms our applications will use, taking care to use strong mechanisms will help to ensure that we can react in a reasonable manner in the face of attacks.
Network segmentation
When we segment a network, we divide it into multiple smaller networks, each acting as its own small network called a subnet. We can control the flow of traffic between subnets, allowing or disallowing traffic based on a variety of factors, or even blocking the flow of traffic entirely if necessary.
Where
Where we will be evacuating to is an important piece of information to consider in advance, whether we are evacuating a commercial building or a residence.
Wireless exposure
Wireless networks, in particular, are one of the major security risks when we consider places where our data might be exposed. Free wireless Internet access is commonly provided today in a number of places. Although it may be nice to be able to get network access for free, many people do not understand the security risk that accompanies such a service. In general, such networks are set up without a password and without encryption of any kind, which we would normally see in place in order to protect the confidentiality of the traffic flowing over the network.
Sun Tzu
a Chinese military general who lived in the sixth century BC. Among those of a military or strategic bent, Sun Tzu's work The Art of War is considered one of the foundational doctrinal texts for conducting such operations.
Privilege Escalation
a category of attack in which we make use of any of a number of methods to increase the level of access above what we are authorized to have or have managed to gain on the system or application through attack. Generally speaking, privilege escalation is aimed at gaining administrative access to the software in order to carry out other attacks without needing to worry about not having the access required.
certificate revocation
a certificate reaches its expiration date, the certificate is compromised, or another reason arises in which we need to ensure that the certificate can no longer be used. In this case, we will likely see the certificate added to a certificate revocation list (CRL).
Elliptic curve cryptography (ECC)
a class of cryptographic algorithms, although it is sometimes referred to as though it were an algorithm in and of itself. ECC is named for the type of mathematical problem on which its cryptographic functions are based. We can see ECC implemented in a variety of cryptographic algorithms, including Secure Hash Algorithm 2 (SHA-2) and Elliptic Curve Digital Signature Algorithm (ECDSA).
Caesar Cipher
a classic example of ancient cryptography and is said to have been used by Julius Caesar. The Caesar cipher is based on transposition and involves shifting each letter of the plaintext message by a certain number of letters, historically three
Tcpdump
a classic sniffing tool, and it has been around since the late 1980s. Tcpdump is a command-line tool that allows us to monitor the activities of the network to which we are attached and has only a few other key features, such as filtering of traffic. Tcpdump runs only on UNIX-like operating systems, but a version has been ported to Windows, called WinDump.
DMZs (demilitarized zone)
a combination of a network design feature and a protective device such as a firewall.
The BSA
a company that, on behalf of software companies (Adobe or Microsoft, for instance), regularly audits other companies to ensure their compliance with software licensing.
Nikto and Wikto
a free and open source Web server analysis tool that will perform checks for many of the common vulnerabilities we mentioned at the beginning of this section and discussed earlier in the lesson when we went over server-side security issues. Nikto will index all the files and directories it can see on the target Web server, a process commonly referred to as spidering and will then locate and report on any potential issues it finds Nikto is a command-line interface tool that runs on Linux. For those of us who are in a Windows-centric environment, or prefer to use a graphical interface, SensePost has produced a Windows version of Nikto called Wikto
The CRL
a generally public list that holds all the revoked certificates for a certain period of time, depending on the organization in question.
Deterrence
a great deterrent against misbehavior in our environments. If those we monitor are aware of this fact, and it has been communicated to them that there will be penalties for acting against the rules, these individuals may think twice before straying outside the lines.
Executable Space Protection
a hardware- and software-based technology that can be implemented by operating systems in order to foil attacks that use the same techniques we commonly see used in malware. In short, executable space protection prevents certain portions of the memory used by the operating system and applications from being used to execute code. This means classic attacks such as buffer overflows that depend on being able to execute their commands in hijacked portions of memory may be prevented from functioning at all. Many operating systems also use address space layout randomization (ASLR) in order to shift the contents of the memory in use around so that tampering with it is even more difficult.
Lack of input validation
a large problem when we look at Web platforms. As we discussed earlier in the lesson, this is a general security issue when developing software, but some of the most common server-side Web attacks use this weakness to carry out their attacks.
Regulatory Compliance
a matter that is very specific to the industry in which a given company or organization is operating and how it is structured, although it is often more far-reaching than we might imagine.
Firewalls
a mechanism for maintaining control over the traffic that flows into and out of our network(s). A firewall is typically placed in a network where we see the level of trust change. We might see a firewall on the border between our internal network and the Internet
Proxy servers
a specialized variant of a firewall. These servers provide security and performance features, generally for a particular application, such as mail or Web browsing. Proxy servers can serve as a choke point in order to allow us to filter traffic for attacks or undesirable content such as malware or traffic to Web sites hosting adult content. They also allow us to log the traffic that goes through them for later inspection, and they serve to provide a layer of security for the devices behind them, by serving as a single source for requests.
Monitoring
a subset of auditing and tends to focus on observing information about the environment being monitored in order to discover undesirable conditions such as failures, resource shortages, security issues, and trends that might signal the arrival of such conditions. Monitoring is largely a reactive activity, with actions taken based on gathered data, typically from logs generated by various devices.
Spear phishing
a targeted attack against a specific company, organization, or person. A spear phishing attack requires advanced reconnaissance so that the vehicle for the attack will be seen as legitimate and directs the potential victim to a fake site that the victim would expect, and see as valid. In addition, our e-mail must be seen to come from a valid sender—someone the victim would trust, such as someone from human resources, a manager, the corporate IT support team, a peer, or friend.
Social Engineering
a technique that relies on the willingness of people to help others, particularly when the target is faced with someone that appears to be in distress, someone that is intimidating, or someone that we would normally expect to see in a given situation.
Analysis of Threats
a threat is something that has the potential to cause us harm. In the case of analyzing threats to our information assets, we would start with the critical information we identified in the previous step. With the list of critical information, we can then begin to look at what harm or financial impact might be caused by critical information being exposed, and who might exploit the exposure.
a certificate authority (CA).
a trusted entity that handles digital certificates. One well-known CA, at present, is VeriSign. Additionally, some large organizations, such as the US Department of Defense (DoD), that utilize a large number of certificates may choose to implement their own CA in order to keep costs down.
redundant arrays of inexpensive disks (RAID)
a variety of configurations to ensure that we do not lose data from hardware failures in individual disks, we can replicate data from one machine to another over a network, or we can make copies of data onto backup storage media, such as DVDs or magnetic tapes
Software Firewalls
a very useful additional layer of security we can add to the hosts residing on our networks. Such firewalls generally contain a subset of the features we might find on a large firewall appliance but are often capable of very similar packet filtering and stateful packet inspection.
Kismet
also a specialized sniffer. Although many of the other sniffers are network media agnostic, for the most part, Kismet will only sniff from wireless networks. Owing to this very specific focus, it can provide us with a much more specific set of tools. We may also see packet sniffers in hardware form, such as the OptiView Portable Network Analyzer from Fluke Networks. Although we can definitely benefit from well-equipped portable analyzers such as this, they often tend to be very expensive and well beyond the budget of the average network or security professional
Symmetric cryptography
also known as private key cryptography, utilizes a single key for both encryption of the plaintext and decryption of the ciphertext. The key itself must be shared between the sender and the receiver, and this process, known as key exchange, constitutes an entire subtopic of cryptography.
The Brewer and Nash model
also known as the Chinese Wall model, is an access control model designed to prevent conflicts of interest. Brewer and Nash is commonly used in industries that handle sensitive data, such as that found in the financial, medical, or legal industry. 1. Objects: Resources such as files or information, pertaining to a single organization. 2. Company groups: All objects pertaining to a particular organization. 3. Conflict classes: All groups of objects that concern competing parties.
Buffer Overflows
also referred to as buffer overruns, occur when we do not properly account for the size of the data input into our applications. Proper bounds checking can nullify this type of attack entirely. Depending on the language we choose for the development effort, bounds checking may be implemented automatically, as is the case with Java and C#
Penetration testing
although it may use vulnerability assessment as a starting place, takes the process several steps further. When we conduct a penetration test, we mimic, as closely as possible, the techniques an actual attacker would use.
Cross-site scripting (XSS)
an attack carried out by placing code in the form of a scripting language into a Web page, or other media, that is interpreted by a client browser, including Adobe Flash animation and some types of video files. When another person views the Web page or media, he or she executes the code automatically, and the attack is carried out. A good example of such an attack might be for the attacker to leave a comment containing the attack script in the comments section of an entry on a blog. Every person reading the command in her browser would execute the attack. This kind of attack is used on legitimate sites like banks or e-retailers to turn them into malicious sites.
Clickjacking
an attack that takes advantage of the graphical display capabilities of our browser to trick us into clicking on something we might not otherwise. Clickjacking attacks work by placing another layer over the page, or portions of the page, in order to obscure what we are actually clicking. For example, the attacker might hide a button that says "buy now" under another layer with a button that says "more information."
Format string attacks
an issue where certain print functions within a programming language can be used to manipulate or view the internal memory of an application. In some languages, C and C++ in particular, we can insert certain characters into our commands that will apply formatting to the data we are printing to the screen, such as %f, %n, %p. Although such parameters are indeed a legitimate part of the language, if we are not careful to filter the data input into our applications, they can also be used to attack us.
Physical security
another important step in protecting data at rest. If we make it more difficult for attackers to physically access or steal the storage media on which our sensitive data is contained, we have solved a large portion of our problem.
Deep packet inspection
are capable of analyzing the actual content of the traffic that is flowing through them. Although packet filtering firewalls and stateful firewalls can only look at the structure of the network traffic itself in order to filter out attacks and undesirable content, deep packet inspection firewalls can actually reassemble the contents of the traffic to look at what will be delivered to the application for which it is ultimately destined.
Certificates
are created to link a public key to a particular individual and are often used as a form of electronic identification for that particular person. A certificate is typically formed by taking the public key and identifying information, such as a name and address, and having them signed by a certificate authority (CA).
Multilevel access control
are used where the simpler access control models that we just discussed are considered to not be robust enough to protect the information to which we are controlling access. Such access controls are used extensively by military and government organizations, or those that often handle data of a very sensitive nature. We might see multilevel security models used to protect a variety of data, from nuclear secrets to protected health information (PHI).
Administrative Controls
are usually based on rules of some variety. More specifically, they may be policies, procedures, guidelines, regulations, laws, or similar bodies, and may be instituted at any level from informal company policies to federal laws. One of the most common is the background check.
Industry Compliance
compliance with regulations which are not mandated by law, but which can nonetheless have severe impacts upon our ability to conduct business. The primary example of this which is in common use is compliance with the PCI DSS, often simply referred to as PCI compliance. In this particular case, a body composed of credit card issuers (Visa, American Express, and MasterCard, among others) has set up a body of security standards as a condition of processing credit card transactions using cards issued by their various members.
PGP
created by Phil Zimmerman, was one of the first strong encryption tools to reach the eye of the general public and the media. Created in the early 1990s, the original release of PGP was based on a symmetric algorithm and could be put to use in securing data such as communications and files.
Asymmetric cryptography
asymmetric key cryptography, also known as public key cryptography, utilizes two keys: a public key and a private key. The public key is used to encrypt data sent from the sender to the receiver and is shared with everyone. We see public keys included in e-mail signatures, posted on servers that exist specifically to host public keys, posted on Web pages, and displayed in a number of other ways. Private keys are used to decrypt data that arrives at the receiving end and are very carefully guarded by the receiver.
Protecting the connection
encrypt all our network traffic with a virtual private network (VPN) connection. VPN connections use a variety of protocols to make a secure connection between two systems. We might use a VPN when we are connecting from a potentially insecure network, such as the wireless connection in a hotel, to the internal resources that are secure behind our company firewalls.
The Bell-LaPadula model
implements a combination of DAC and MAC and is primarily concerned with the confidentiality of the resource in question. 1. The simple security property: The level of access granted to an individual must be at least as high as the classification of the resource in order for the individual to be able to access it. 2. The * property: Anyone accessing a resource can only write its contents to one classified at the same level or higher.
Software Development Vulnerabilities
include buffer overflows, race conditions, input validation attacks, authentication attacks, authorization attacks, and cryptographic attacks
Environmental attributes
can be used to enable access controls that operate based on environmental conditions. We commonly use the time attribute to control access, in both a physical and a logical sense, based on length of time passed, or time of day.
Improper or inadequate permissions
can often cause us problems with Web applications, and Internet-facing applications of most any kind. Particularly with Web applications and pages, there are often sensitive files and directories that will cause security issues if they are exposed to general users. One area that might cause us trouble is the exposure of configuration files.
Virtual Private Networks (VPNs)
can provide us with a solution for sending sensitive traffic over unsecure networks. A VPN connection, often referred to as a tunnel, is an encrypted connection between two points. This is generally accomplished through the use of a VPN client application on one end of the connection and a device called a VPN concentrator on the other end. The client uses the software to authenticate to the VPN concentrator, usually over the Internet, and after the connection has been established, all traffic exchanged from the network interface connected to the VPN flows through the encrypted VPN tunnel.
Capability-based security
can provide us with an alternate solution to access control that uses a different structure than what we see in ACLs. Capabilities are oriented around the use of a token that controls our access. We can think of a token in a capability as being analogous to the personal badge we might use to open the door in a building.
Enigma machine
created by Arthur Scherbius in 1923 and was used to secure German communications during World War II. based on a series of wheels, referred to as rotors, each with 26 letters and 26 electrical contacts on them, similar in general concept to the Jefferson Disk. The device also had a keyboard, on which the plaintext message was entered, and a set of 26 characters above the keyboard, each of which could be lit.
DES
first came into use in 1976 in the United States and has since been used by a variety of parties globally. DES is a block cipher based on symmetric key cryptography and uses a 56-bit key. Although DES was considered to be very secure for some period of time, it is no longer considered to be so.
Stateful packet inspection
function on the same general principle as packet filtering firewalls, but they are able to keep track of the traffic at a granular level. While a packet filtering firewall only examines an individual packet out of context, a stateful firewall is able to watch the traffic over a given connection, generally defined by the source and destination IP addresses, the ports being used, and the already existing network traffic. A stateful firewall uses what is called a state table to keep track of the connection state and will only allow traffic through that is part of a new or already established connection. Most stateful firewalls can also function as a packet filtering firewall, often combining the two forms of filtering.
public key infrastructure (PKI)
generally composed of two main components, although some organizations may separate some functions out into more than just these. In a PKI, we often find the CAs that issue and verify certificates and the registration authorities (RAs) that verify the identity of the individual associated with the certificate.
Vulnerability assessments
generally involve using vulnerability scanning tools, such as Nessus, in order to locate such vulnerabilities.
Logging
gives us a history of the activities that have taken place in the environment being logged. Without this evidence, audits and investigations are not practical.
Operations security (OPSEC)
government use of operations security
Digital Signatures
great example of where the hash function is used. Digital signatures allow us to sign a message in order to enable detection of changes to the message contents, to ensure that the message was legitimately sent by the expected party, and to prevent the sender from denying that he or she sent the message, known as nonrepudiation.
Magnetic media
hard drives, tapes, floppy disks, or otherwise, generally involves some variety of movement and magnetically sensitive material on which the data is recorded. The combination of magnetic sensitivity and moving parts often makes such storage media fragile in one way or another.
Redundancy in network design
includes planned redundancy for devices failing, connectivity being lost, or coming under attack to the point that they are rendered useless or we lose control of them. For example, if one of our border devices is being subjected to a DDoS attack, there are few steps we can take to mitigate the attack. We can, however, switch to a different connection to the Internet, or route traffic through a different device until we can come to a longer-term solution.
The Jefferson Disk
invented by Thomas Jefferson in 1795, is a purely mechanical cryptographic machine. It is composed of a series of disks, each marked with the letters a to z around its edge.
Hping3
is a well-known and useful firewall tool. It is able to construct specially crafted Internet Control Message Protocol (ICMP) packets in such a way as to evade some of the normal measures that are put in place to prevent us from seeing the devices that are behind a firewall. We can also script the activities of Hping3 in order to test the responses of firewalls and IDSes, so that we can get an idea of the rules on which they are operating.
Clean Desk
is common in many environments where any sort of regulated or sensitive data is handled. Such policies typically state that sensitive information is not to be left out on a desk when it is to be unattended for any significant period of time, such as leaving for the day or going to lunch.
Encryption
itself is actually a subset of cryptography, referring specifically to the transformation of unencrypted data, called plaintext or cleartext, into its encrypted form, called ciphertext.
Physical security
largely concerned with the protection of three main categories of assets: people, equipment, and data. Our primary concern, of course, is to protect people. People are considerably more difficult to replace than equipment or data, particularly when they are experienced in their particular field and are familiar with the processes and tasks they perform.
Application Security Tools
less familiar and more complex, such as fuzzers and reverse engineering tools. Some of these tools require a certain amount of experience in developing software and a higher level of familiarity with the technologies concerned in order to be able to use them effectively
weaknesses of symmetric key cryptography
lies in the use of one key. If the key is exposed beyond the sender and the receiver, it is possible for an attacker who has managed to intercept it to decrypt the message or, worse to decrypt the message, alter it, then encrypt it once more and pass it on to the receiver in place of the original message. Since such issues are present, symmetric key cryptography by itself provides only confidentiality, and not integrity, as we would not be aware that the message in our example had been altered.
Stuxnet
malware that targeted the Supervisory Control and Data Acquisition (SCADA) systems that run various industrial processes. In the case of this attack, it was a nation state attacking another nation state's military capability.
Mobile Device Management (MDM)
most utilize an agent on the mobile device that exists to enforce a certain configuration on the client. These agents typically regulate access to enterprise resources, such as e-mail, calendaring, or network resources, and can discontinue access by the client in the event that it becomes noncompliant in configuration, is stolen, or the user's employment is terminated. Additionally, many MDM solutions enable the device to be remotely wiped, either completely or just corporate data, and/or disabled entirely.
National Institute of Standards and Technology (NIST) 800
numerous guides for both development and deployment of technologies and applications and is a great starting place for organizations that do not have internal development and deployment standards of their own.
Race Conditions
occur when multiple processes or multiple threads within a process control or share access to a particular resource, and the correct handling of that resource depends on the proper ordering or timing of transactions. Race conditions can be very difficult to detect in existing software, as they are hard to reproduce. When we are developing new applications, careful handling of the way we access resources to avoid dependencies on timing can generally avoid such issues.
IDS detection methods
often classified by the way they detect attacks. In general, they are divided into two main categories: signature-based detection and anomaly-based detection.
Vulnerability Assessment Tools
often include some portion of the feature set we might find in a tool such as Nmap, are aimed specifically at the task of finding and reporting network services on hosts that have known vulnerabilities.
RAID
often redundantly referred to as RAID arrays, was developed in the late 1980s at the University of California at Berkeley There are a number of different ways to configure RAID, but the ultimate goal is to copy data to more than one storage device in order to prevent the loss of any one device from destroying its stored data.
Evacuation
one of the best methods we can use to keep our people safe. In almost any dangerous situation, an orderly evacuation away from the source of danger is the best thing we can do. There are a few main principles to consider when planning an evacuation: where, how, and who.
Packet filtering
one of the oldest and simplest of firewall technologies. Packet filtering looks at the contents of each packet in the traffic individually and makes a gross determination, based on the source and destination IP addresses, the port number, and the protocol being used, of whether the traffic will be allowed to pass.
Wireshark
previously known as Ethereal, is a fully featured sniffer that is capable of intercepting traffic from a wide variety of wired and wireless sources. It has a graphical interface it includes a large number of filtering, sorting, and analysis tools; and it is one of the more popular sniffers on the market today. Wireshark can also import data from other applications like Tcpdump. Wireshark is a great tool for troubleshooting traffic on the network so is used my many network operations teams as well as security teams.
The Biba model
primarily concerned with protecting the integrity of data, even at the expense of confidentiality. 1. The simple integrity axiom: The level of access granted to an individual must be no lower than the classification of the resource. 2. The * integrity axiom: Anyone accessing a resource can only write its contents to one classified at the same level or lower.
Gramm-Leach-Bliley Act (GLBA)
protects the customers of financial institutions, essentially any company offering financial products or services, financial or investment advice, or insurance. The GLBA Privacy Rule requires financial institutions to safeguard a consumer's "nonpublic personal information," or NPI. GLBA also mandates the disclosure of an institution's information collection and information sharing practices, and establishes requirements for providing privacy notices and opt-outs to consumers.
Family Educational Rights and Privacy Act (FERPA)
protects the privacy of students and their parents. FERPA requires all schools that receive funds from programs administered by the U.S. Department of Education to comply with standards regarding the disclosure and maintenance of educational records, including educational information, personally identifiable information, and directory information. FERPA also grants certain rights to students and parents regarding the student's own records.
Exploit Frameworks
provide a variety of tools, including network mapping tools, sniffers, and many more, but one of the main tools we can find in exploit frameworks is, logically, the exploit. such as Rapid7's Metasploit, Immunity CANVAS, and Core Impact. Some tools can even be configured to automatically seek out and attack systems, spreading further into the network as they gain additional access. We commonly see the use of exploit frameworks in penetration testing
Federal Information Security Modernization Act (FISMA)
provides a framework for ensuring the effectiveness of information security controls in government. This legislation is intended to protect government information, operations, and assets from any natural or manmade threat.
Operating System Hardening
reduce the number of available avenues through which our operating system might be attacked. The total of these areas is referred to as our attack surface The larger our attack surface is, the greater chance we stand of an attacker successfully penetrating our defenses.
Bring Your Own Device (BYOD)
refers to an organization's strategy and policies regarding the use of personal versus corporate devices. This can range from only corporate-owned devices being allowed to interact with enterprise resources to only personal devices being used and any combination in between. BYOD is very popular with folks managing the budget because they are leveraging equipment that the organization didn't pay for. In some cases, they will push to move to BYOD without addressing the security because of the savings.
Sarbanes-Oxley Act (SOX)
regulates the financial practice and governance of corporations. SOX is designed to protect investors and the general public by establishing requirements regarding reporting and disclosure practices. The act mandates standards in regards to areas such as corporate board responsibility, auditor independence, fraud accountability, internal controls assessment, and enhanced financial disclosures. SOX also established the Public Company Accounting Oversight Board (PCAOB), which oversees public accounting firms and independently ensures compliance with SOX for auditing practices.
Hash Functions
represent a third cryptography type alongside symmetric and asymmetric cryptography, what we might call keyless cryptography. Hash functions, also referred to as message digests, do not use a key, but instead create a largely unique and fixed-length hash value, commonly referred to as a hash, based on the original message, something along the same lines as a fingerprint. Any slight change to the message will change the hash.
Health Insurance Portability and Accountability Act (HIPAA)
require privacy protections for individually identifiable health information, also known as protected health information, or PHI. These provisions, collectively known as the HIPAA Privacy Rule, mandate safeguards to protect patient privacy. The HIPAA Privacy Rule sets limits on the use and disclosure of patient information without authorization, and grants individuals rights over their own health records.
Executable space protection
requires two components to function: a hardware component and a software component. Both of the main CPU chip manufacturers, Intel and AMD, support executable space protection, with Intel calling it the Execute Disable (XD) bit and AMD calling it Enhanced Virus Protection. The software implementation of executable space prevention can be found in many common operating systems. Both executable space prevention and address space layout randomization (ASLR) can be found in many operating systems from Microsoft and Apple, as well as a number of Linux distributions, just to name a few.
Assessment of Risks
risk occurs when we have a matching threat and vulnerability, and only then.
Burp Suite
runs in a GUI and, in addition to the standard set of features we might find in any Web assessment product, includes several more advanced tools for conducting more in-depth attacks.
A cross-site request forgery (XSRF)
similar to XSS, in a general sense. In this type of attack, the attacker places a link, or links, on a Web page in such a way that they will be automatically executed, in order to initiate a particular activity on another Web page or application where the user is currently authenticated. For instance, such a link might cause the browser to add items to our shopping cart on Amazon or transfer money from one bank account to another.
Kerckhoffs' Principle
six principles around which a cryptographic system should be based: 1. The system must be substantially, if not mathematically, undecipherable. 2. The system must not require secrecy and can be stolen by the enemy without causing trouble. 3. It must be easy to communicate and remember the keys without requiring written notes, and it must be easy to change or modify the keys with different participants. 4. The system ought to be compatible with telegraph communication. 5. The system must be portable, and its use must not require more than one person. 6. Finally, regarding the circumstances in which such system is applied, it must be easy to use and must require neither the stress of mind nor the knowledge of a long series of rules.
Optical media
such as CDs and DVDs, is fairly fragile, as those with small children or pets can attest to. Even small scratches on the surface of the media may render it unusable. It is also very temperature sensitive, being constructed largely of plastic and thin metal foil. Outside of a protected environment, such as a purpose-built media storage vault, any of a variety of threats may destroy the data on such media
Symmetric vs Asymmetric Cryptography
symmetric key cryptography is much faster than asymmetric, but symmetric cryptography brings with it the issue of key exchange so it was difficult to determine which was best to use when designing a secure infrastructure.
Client-Side Attacks
take advantage of weaknesses in the software loaded on our clients, or those attacks that use social engineering to trick us into going along with the attack. There are a large number of such attacks
Flash media
the general category of media that stores data on nonvolatile memory chips, is actually rather hardy in nature. If we can avoid impacts that might directly crush the chips on which the data is stored and we do not expose them to electrical shocks, they will generally withstand conditions that many other types of media will not.
Accountability
the means to trace activities in our environment back to their source. In addition, it provides us with a number of capabilities, when properly implemented, which can be of great use in conducting the daily business of security and information technology in our organizations.
Safety
the safety of people is the first and foremost concern on our list when we plan for physical security. Safety of people falls above any other concern and must be prioritized above saving equipment or data, even when such actions will directly cause such items to be damaged.
Cryptography
the science of keeping information secure (secure, in this case, in the sense of confidentiality and integrity (through hashing)
Privacy
the state or condition of being free from being observed or disturbed by other people
collision
theoretically possible to engineer a matching hash for two different sets of data
Subject attributes
those of a particular individual.
Resource attributes
those that relate to a particular resource, such as an operating system or application.
California's Senate Bill 1386 (SB 1386)
tipulates "requires an agency, person, or business that conducts business in California and owns or licenses computerized 'personal information' to disclose any breach of security (to any resident whose unencrypted data is believed to have been disclosed)"
choke points
to funnel network traffic through certain points where we can inspect, filter, and control the traffic. might be the routers that move traffic from one subnet to another, the firewalls or proxies that control traffic moving within, into, or out of our networks or portions of our networks, or the application proxies that filter the traffic for particular applications such as Web or e-mail traffic. Choke points come with some risk because if they fail the network is compromised.
Fuzzers
tools we can use to find completely unexpected problems, a process referred to as fuzz testing. work by bombarding our applications with all manner of data and inputs from a wide variety of sources, in the hope that we can cause the application to fail or to perform in unexpected ways.
Host Intrusion Detection (HID)
used to analyze the activities on or directed at the network interface of a particular host. They have many of the same advantages as network-based intrusion detection systems (NIDS) have but with a considerably reduced scope of operation. As with software firewalls, such tools may range from simple consumer versions to much more complex commercial versions that allow for centralized monitoring and management.
ROT13
uses the same mechanism as the Caesar cipher but moves each letter 13 places forward. The convenience of moving 13 places lies in the fact that applying another round of encryption with ROT13 also functions as decryption, as two rotations will return us to the original starting place in the alphabet. Utilities for performing ROT13 can be found in the basic set of tools that ship with many Linux and UNIX operating systems.
Assessments
vulnerability assessments and penetration testing. While these terms are often used interchangeably, they are actually two distinct sets of activities.
The concept of fuzzing
was first developed by Barton Miller for a graduate-level university operating system class in the late 1980s A wide variety of fuzzing tools are available, some with a specific focus and some that are more general. Microsoft has released several very specific fuzzing tools to assist in discovering vulnerabilities in both existing software and software in development, including the MiniFuzz File Fuzzer, designed to find flaws in file-handling source code, the BinScope Binary Analyzer, for examining source code for general good practices, and the SDL Regex Fuzzer, for testing certain pattern-matching expressions for potential vulnerabilities. A great number of other tools exist for a variety of fuzzing purposes, many of them free and open source.
Secure Protocols
we can often find a secure protocol with the type of traffic we wish to carry. Instead of operating over the command line with Telnet, we can use Secure Shell (SSH), and instead of transferring files with FTP, we can use Secure File Transfer Protocol (SFTP), which is also based on SSH. SSH is a very handy protocol for securing communications as we can send many types of traffic over it. It can be used for file transfers and terminal access, as we mentioned, and to secure traffic in a variety of other situations, such as when connecting to a remote desktop, communicating over a VPN, mounting remote file systems, and any number of other tasks. The encryption used by SSH is RSA, a public key encryption algorithm.
Turn On Logging and Auditing
we generally need to be able to keep an accurate and complete record of the important processes and activities that take place on our systems. We will generally want to log significant events such as the exercise of administrative privileges, users logging in to and out of the system, or failing to log in, changes made to the operating system, and a number of similar activities taking place. For a simple Windows OS, there are over 200 security-related logs that can be turned on so it is important to find the right balance of logs and storage. Key logs should be tied to alerts and a monitoring program.
Apply the Principle of Least Privilege
we only allow a party the absolute minimum permission needed for it to carry out its function. Depending on the operating system in question, we may find this idea put into practice to a greater or a lesser extent. In almost any modern operating system, we can find the tasks a particular user is allowed to carry out separated into those that require administrative privileges and those that do not.
Tenable's Nessus
will conduct a port scan on a target, then attempt to determine what services and versions of service are running on any ports it finds open. Nessus will then report back with a specific list of vulnerabilities that we might find on a given device includes a port scanner, as a port scan is needed in order to find the listening services before we can identify the vulnerabilities that might be resident in them. Nessus also includes some other functionalities, including the ability to add custom features to the tool through the Nessus Attack Scripting Language (NASL).
anomaly-based detection
work by taking a baseline of the normal traffic and activity taking place on the network. They can measure the present state of traffic on the network against this baseline in order to detect patterns that are not present in the traffic normally. Such methods can work very well when we are looking to detect new attacks or attacks that have been deliberately assembled to avoid IDSes. On the other hand, we may also see larger numbers of false positives from anomaly-based IDSes than we might from signature-based IDSes.
Signature-based IDSes
work in a very similar fashion to most antivirus systems. They maintain a database of the signatures that might signal a particular type of attack and compare incoming traffic to those signatures.
buffer overflow attack
works by inputting more data than an application is expecting from a particular input—for example, by entering 1000 characters into a field that was only expecting 10. Depending on how the application was written, we may find that the extra 990 characters are written somewhere into memory, perhaps over memory locations used by other applications or the operating system. It is sometimes possible to execute commands by specifically crafting the excess data.