CYSE - 445 Final


Secure Software Development

* Secure Coding
* Language Selection
* Validate input before processing
* Parameter Validation
* Use specific secure coding standards

OWASP's Top Ten Application Security Risks of 2017

1) Injection
2) Broken Authentication
3) Sensitive Data Exposure
4) XML External Entities
5) Broken Access Control
6) Security Misconfiguration
7) Cross-Site Scripting
8) Insecure Deserialization
9) Using Components with Known Vulnerabilities
10) Insufficient Logging and Monitoring

Benefits of Threat modeling

1- The earlier you find problems, the easier they are to fix
2- Abstracting allows you to look at the big picture

Approaches to Identify threats

1- Informal, unstructured consideration of security issues
2- Brainstorming or unstructured discussions of security threats in response to system architecture
3- Structured discussions using the STRIDE mnemonic (or a variant)
4- Structured discussions using attack libraries

How can you address each threat?

1- Mitigate the threat by increasing difficulty for the attacker (for example, require passwords to reduce spoofing)
2- Eliminate a threat by eliminating features
3- Transfer a threat by letting someone else handle the risk
4- Accept a threat

Zero trust 5 fundamentals

1. The network is always assumed to be hostile
2. External and internal threats exist on the network at all times
3. Network locality is not sufficient for deciding trust in a network
4. Every device, user, and network flow is authenticated and authorized
5. Policies must be dynamic and calculated from as many sources of data as possible

ICS Constraints

1. Must stay up - don't affect or screw up the operation
2. Moderate budget
3. Long term considerations: no vendor lock-in, upgradeable, etc.

ICS High level requirements

1. Operation is continuous and correct
2. Protect intellectual property (processes, formulas, etc.)
3. Protect IT data (financial, PII, etc.)

Top Ten Secure Coding Practices

1. Validate all inputs
2. Don't ignore compiler warnings
3. Architect for security
4. Avoid unnecessary complexity
5. Deny by default
6. Use least privilege
7. Don't share data you don't have to
8. Defend in depth
9. Strive for quality
10. Use specific secure coding standards (SEI has developed standards for C, C++, Perl, Java, Android)

Based on the CIS Controls document, version 7, how many sub-controls are there for each of the 20 controls?

A minimum of five and a maximum of 13

RAID 5

A technique that stripes data across three or more drives and uses parity checking, so that if one drive fails, the other drives can re-create the data stored on the failed drive. RAID 5 drives increase performance and provide fault tolerance. Windows calls these drives RAID-5 volumes.

Based on the CIS Controls document, version 7, which control has the most sub-controls?

Account Monitoring and Control

RAID 10 advantages and disadvantages

Advantages
* Very fast performance
* Redundancy and fault tolerance

Disadvantages
* Cost per unit memory is high since data is mirrored

Raid 5 pros

All the advantages of RAID 4 plus increased write speed and better data redundancy

Elevation of privilege

An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system

Repudiability

An untrusted user performing an illegal operation without the ability to be traced

Broken Authentication

Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

Threat Modeling

Applying a security model of what can go wrong to a model of the system/software

Cyber Incident Risk Transfer

Approaches: Rely on business insurance that generally covers other risks (including "errors and omissions" coverage if the business can't deliver promised services or products, and business interruption coverage if it can't operate)

How to mitigate Spoofing?

Authentication

How to mitigate DOS?

Availability

Spoofing of user identity

Breaching the user's authentication information

Using components with known vulnerabilities

Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.

Information disclosure

Compromising the user's private or business-critical information

how to mitigate information disclosure?

Confidentiality

What do both Linux benchmark documents recommend specifically for wireless network interfaces?

Disable or deactivate them if not in use

Which of the following is not listed as something the NIST Cybersecurity Framework helps organizations do?

Execute a penetration test of organization systems and networks

According to CAPEC, to identify and mitigate relevant vulnerabilities in software, the development community only needs good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools.

False

Cross-site scripting

Flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. This allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Security Through Obscurity

Hiding assets, services, or procedures in non-standard ways. Examples:
* Set up services on non-standard ports
* Rename local administrator account
* Reconfigure service banners not to report the server operating system type and version

According to CAPEC, what is the typical severity of HTTP Response Splitting?

High

how to mitigate tampering?

Integrity

Denial of Service

Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine

XML External Entities

Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.

Sensitive Data Exposure

Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

RAID 1

Mirroring. Data is mirrored or cloned to an identical set of disks so that if one of the disks fails, the other one can be used.

Tampering with data

Modifying system or user data with or without detection

Insecure Deserialization

Often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

NIST Incident Response

Preparation, Detection & Analysis, Containment, Eradication and Recovery, lastly post incident activity

Raid 0 pros and cons

Pros
* Performance boost for read and write operations
* Space is not wasted, as the entire volume of the individual disks is used to store unique data

Cons
* There is no redundancy/duplication of data. If one of the disks fails, the entire data is lost.

RAID 0

RAID 0 is based on data striping. A stream of data is divided into multiple segments or blocks and each of those blocks is stored on different disks. So, when the system wants to read that data, it can do so simultaneously from all the disks and join them together to reconstruct the entire data stream

R4

RAID 4 stripes the data across multiple disks just like RAID 0. In addition to that, it also stores parity information of all the disks in a separate dedicated disk to achieve redundancy. In the diagram below, Disk 4 serves as the parity disk having parity blocks Ap, Bp, Cp and Dp. So, if one of the disks fails, the data can be reconstructed using the parity information of that disk.

raid 6

RAID 6 uses double parity blocks to achieve better data redundancy than RAID 5. This increases the fault tolerance to up to two drive failures in the array. Each disk has two parity blocks which are stored on different disks across the array. RAID 6 is a very practical infrastructure for maintaining high availability systems.

Zero Trust

Refers to a security model that requires authentication and authorization for each user, device, or service trying to access resources on a network, regardless of whether the user, device, or service is outside or inside the security perimeter

Broken Access Control

Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.

Which of the following is not a mechanism of attack according to the CAPEC Mechanism of Attack hierarchy of attack patterns?

Reverse Engineering in the Physical Security Domain of Attack

STRIDE

Spoof, Tamper, Repudiation, Information disclosure, denial of service, elevation of privilege

Injection

These occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples of this risk can occur in SQL, NoSQL, and LDAP.

Security Misconfiguration

This is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.

Insufficient logging and monitoring

This, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.

According to CAPEC, firmly grasping the attacker's perspective and approaches used to exploit software systems is necessary to enhance security throughout the software development lifecycle.

True

Zero trust is a _______ approach?

Zero trust is not a single network architecture but is an architectural approach that focuses on data protection, not perimeter defense
* Devices in the security perimeter are not trusted
* Focus on data protection, not perimeter defense

RAID 10

A combination of RAID 1 and RAID 0 that requires at least four disks to work as an array of drives and provides the best redundancy and performance. Layers in opposite order.

how to mitigate elevation of privilege?

authorization

raid 6 pros

Better data redundancy; can handle 2 failed drives

raid 5 cons

can only handle one disk failure

Centralized systems = ?

data collection

Which is not a mode of log analysis?

encoded

STRIDE is used for

identify threats, not classify threats

Risk transfer

insurance to cover cyber incidents

raid 6 cons

large parity overhead

how to mitigate Repudiation?

non-repudiation

Norsk Hydro

* Aluminum production operations are primarily computer controlled but have manual backup; some parts need to be kept running 24/7
* Ransomware blocked access to computer control systems
  * Some production was stopped, some switched to manual
  * Affected parts were isolated
  * Some operations were down or reduced for weeks
* Ransomware was LockerGoga
  * Manual targeting
  * No way to decrypt files
  * Leveraged the single central Active Directory to infect multiple workstations simultaneously

How to attack system after solutions were applied

* Bribe/threaten insider
* Supply chain
* Physical access and theft
* Phishing
* Compromise portable system when external
* Forge update/patch

Cyber insurance

* Can cover direct costs of a cyber incident (but varies by policy)
* OR can provide coaching and help during incident
  * NORMALLY COVERED
    * Network security costs
      * Legal expenses
      * Forensics
      * Payment of ransom
      * Notification to customer
      * Data restoration
      * PR
    * Network business interruptions
      * Failed software patch
    * Errors and omissions for inability to deliver on contracts
    * Reputational harm
    * Bricking (replacement of equipment rendered useless)
  * NORMALLY NOT COVERED
    * Social engineering attacks
    * Loss of value due to theft of intellectual property
    * Betterment (cost to improve internal technology systems after an incident)

Solutions to mitigate risk

* Data diodes, one-way gateways
* Segmentation
* Encryption at rest and in transit
* 2FA
* DRM
* AV
* IDS
* Out of band process monitoring

Polish Airline LOT Attack

* Flight plans must be sent to aircraft before takeoff
  * Flight plans include route, weather, etc.
* DDoS attack over 5 hours prevented transmission
  * Cancelled 10 flights and delayed 15

How to protect IoTS

* Know the governance
* Private networks must establish policies on usage, data retention, surveillance, and communicate to those users
* Awareness of known and suspected vulnerabilities
* Good practices on configuration, limitation of attack surfaces
* Research and communication to ensure continuous reevaluation of risk
* Penetration testing

Threat Vulnerabilities and highest risk

* Nation state: compromise workstations
* Nation state: compromise PLCs (DoS or small process mods)
* Nation state: APTs
* Competitor: process details
* Insider: time or logic bomb for corruption or destruction
* Criminal gang: ransom
* Ecoterrorist: DoS/destruction

why does IoT security have a limited attack surface?

* No UI
* Pre-configuration and limited configurability
* Need to provide distributed updates via internet (some have a backdoor)
* Limited ability to patch and protect

Petro Rabigh

* Saudi integrated chemical and refining complex
* In June 2017 a safety device tripped part of Petro Rabigh offline, though "everything seemed to be working normally"
  * Safety devices are designed to act if dangerous circumstances are detected and serve as a backup to control systems
* In August 2017 there was another outage, but Triton malware was found
  * Poorly configured firewall
  * Got to safety devices through Windows workstations
  * Plant was down for more than a week
* Response included password changes and 2FA
  * Attackers changed account phone numbers to intercept 2FA login codes

Customs and border patrol data breach

* Subcontractor transferred copies of data from CBP to external systems
* External systems were compromised and had the data copied

4 steps 4 questions of threat modeling

* What is being protected? Model systems
* What can go wrong with security? Apply model of security threats to system model to identify threats
* What should be done about threats? Address threats
* Is this model complete and correct? Check model

Evil Ex

* When Jones did digital forensics for a divorce
  * One case where the husband hired someone to sniff the wife's network traffic from outside of her house
  * Jones set up a website where he could see who accessed it
  * Husband installed data monitoring software on a laptop he gave to the wife
  * Could see what she was doing on the laptop

stress testing

placing extreme demands well beyond planning thresholds to determine degree of robustness (simulating Denial of Service attacks)

Attack libraries are used for?

Provide a categorized list of attacks: MITRE CAPEC, OWASP

raid 4 advantages

Slow write; if the parity disk fails, redundancy is lost

Raid 1 cons

Slow write; space is wasted by duplicating data, which increases cost per unit memory

Fuzzing

A technique that sends large amounts of malformed and unexpected data to a program to trigger failures

Incentives that worked

* Stronger passwords did not need to be changed as often
* Displays the length of time a user can use a password before it needs to be changed

Key elements of the ICS exercise

* Protect the ICS network
* Make sure operation is continuous and correct
* Protect intellectual property
* Protect IT data
* Key assets to protect

Secure Software Development Testing

* (Automated) Static and dynamic code analysis to identify security policy violations, such as not validating user input
* (Manual) Peer code reviews by a developer other than the author
* Testing by security team (in addition to business functional testing)
* Web application vulnerability scanning
* Interception proxy software that logs and examines communications between two endpoints to check for (i) input validation, (ii) parameter validation, (iii) plaintext credentials, and (iv) session tokens that aren't pseudo-random to prevent attacker guessing

Tips for identifying threats using STRIDE

* Go through the diagram in STRIDE order.
* Example: For a web browser, look for spoofing threats, then look for tampering threats, and so on. Then look at threats to another system element, such as the backend database.
* Start with external entities or events
* Focus on feasible threats
* Record identified threats even if they do not fit the STRIDE type you are considering
* Remember STRIDE is not a taxonomy for categorizing threats but is a tool to identify threats

MITRE CAPEC

* Publicly available catalog of attack patterns to assist in building secure software
* Attack patterns are descriptions of common methods for exploiting vulnerabilities that provide the attacker's perspective and guidance on mitigation
* Typical information: name, description, method of attack, attacker skill/knowledge required, resources required, solutions and mitigations, consequences

Cyber Incident risk transfer case Mondelez v. Zurich American Insurance (Illinois)

* Zurich sold Mondelez (food and beverage international conglomerate) an all-risk property policy (not specific cyber)
* Mondelez was victim of a ransomware attack that rendered unusable 1,700 servers and 24,000 laptops ($100M in losses)
* Ransomware attack (NotPetya) widely attributed to Russians attempting to disrupt Ukrainian computer systems
* Zurich denied Mondelez's claim based on its war and terrorism exclusion clause

