CYSE - 445 Final
Secure Software Development
* Secure Coding * Language Selection * Validate input before processing *Parameter Validation *Use specific secure coding standards
OWASP's Top Ten Application Security Risks of 2017
1) Injection 2) Broken Authentication 3) Sensitive Data Exposure 4) XML external entities 5) Broken Access control 6) Security misconfiguration 7) Cross site scripting 8) Insecure Deserialization 9) using components with known vulnerabilities 10) insufficient logging and monitoring
Benefits of Threat modeling
1- Earlier your find problems, easier to fix problems 2- Abstracting allows you to look at big picture
Approaches to Identify threats
1- Informal, unstructured consideration of security issues 2- Brainstorming or unstructured discussions of security threats in response to system architecture 3-Structured discussions using STRIDE mnemonic (or variant) 4- Structured discussions using attack libraries
How can you address each threat?
1- Mitigate the threat by increasing difficulty for attacker (require passwords to reduce spoofing ex) 2- Eliminating a threat by eliminating features 3- Transferring a threat by letting someone else handle the risk 4- Accepting a threat
Zero trust 5 fundamentals
1. The network is always assumed to be hostile 2. External and internal threats exist on the network at all times 3. Network locality is not sufficient for deciding trust in a network 4. Every device, user, and network flow is authenticated and authorized 5. Policies must be dynamic and calculated from as many sources of data as possible
ICS Constraints
1.Must stay up - don't affect or screw up the operation 2.Moderate budget 3.Long term considerations: no vendor lock-in, upgradeable, etc.
ICS High level requirements
1.Operation is continuous and correct 2.Protect intellectual property (processes, formulas, etc.) 3.Protect IT data (financial, PII, etc.)
Top Ten Secure Coding Practices
1.Validate all inputs 2.Don't ignore compiler warnings 3.Architect for security 4.Avoid unnecessary complexity 5.Deny by default 6.Use least privilege 7.Don't share data you don't have to 8.Defend in depth 9.Strive for quality Use specific secure coding standards (SEI has developed standards for C, C++, Perl, Java, Android
Based on the CIS Controls document, version 7, how many sub-controls are there for each of the 20 controls?
A minimum of five and a maximum of 13
RAID 5
A technique that stripes data across three or more drives and uses parity checking, so that if one drive fails, the other drives can re-create the data stored on the failed drive. RAID 5 drives increase performance and provide fault tolerance. Windows calls these drives RAID-5 volumes.
Based on the CIS Controls document, version 7, which control has the most sub-controls?
Account Monitoring and Control
RAID 10 advantages and disadvantages
Advantages ▪ Very fast performance ▪ Redundancy and fault tolerance Disadvantages ▪ Cost per unit memory is high since data is mirrored
Raid 5 pros
All the advantages of RAID 4 plus increased write speed and better data redundancy
Elevation of privilege
An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
Repudiability
An untrusted user performing an illegal operation without the ability to be traced
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Threat Modeling
Applying a security model of what can go wrong to a model of the system/software
Cyber Incident Risk Transfer
Approaches: Rely on business insurance that generally covers other risks (including "errors and omissions" coverage if can't deliver promised services or products and business interruption coverage if can't operate business)
How to mitigate Spoofing?
Authentication
How to mitigate DOS?
Availability
Spoofing of user identity
Breaching the user's authentication information
Using components with known vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable various attacks and impacts.
Information disclosure
Compromising the user's private or business-critical information
how to mitigate information disclosure?
Confidentiality
What do both Linux benchmark documents recommend specifically for wireless network interfaces?
Disable or deactivate them if not in use
Which of the following is not listed as something the NIST Cybersecurity Framework helps organizations do?
Execute a penetration test of organization systems and networks
According to CAPEC, to identify and mitigate relevant vulnerabilities in software, the development community only needs good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools.
False
Cross-site scripting
Flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data using a browser API that can create HTML or JavaScript. This allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Security Through Obscurity
Hiding assets, services, or procedures in non-standard ways examples: Set up services on non-standard ports Rename local administrator account Reconfigure service banners not to report the server operating system type and version
According to CAPEC, what is the typical severity of HTTP Response Splitting?
High
how to mitigate tampering?
Integrity
Denial of Service
Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
XML External Entities
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.
Sensitive Data Exposure
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
RAID 1
Mirroring, Data is mirrored or cloned to an identical set of disks so that if one of the disks fails, the other one can be used.
Tampering with data
Modifying system or user data with or without detection
Insecure Deserialization
Often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
NIST Incident Response
Preparation, Detection & Analysis, Containment, Eradication and Recovery, lastly post incident activity
Raid 0 pros and cons
Pros Performance boost for read and write operations Space is not wasted as the entire volume of the individual disks are used up to store unique data -Cons There is no redundancy/duplication of data. If one of the disks fails, the entire data is lost.
RAID 0
RAID 0 is based on data striping. A stream of data is divided into multiple segments or blocks and each of those blocks is stored on different disks. So, when the system wants to read that data, it can do so simultaneously from all the disks and join them together to reconstruct the entire data stream
R4
RAID 4 stripes the data across multiple disks just like RAID 0. In addition to that, it also stores parity information of all the disks in a separate dedicated disk to achieve redundancy. In the diagram below, Disk 4 serves as the parity disk having parity blocks Ap, Bp, Cp and Dp. So, if one of the disks fails, the data can be reconstructed using the parity information of that disk.
raid 6
RAID 6 uses double parity blocks to achieve better data redundancy than RAID 5. This increases the fault tolerance for upto two drive failures in the array. Each disk has two parity blocks which are stored on different disks across the array. RAID 6 is a very practical infrastructure for maintaining high availability systems.
Zero Trust
Refers to a security model that requires authentication and authorization for each user, device, or service trying to access resources on a network, regardless of whether the user, device, or service is outside or inside the security perimeter
Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to access unauthorized functionality and/or data, such as access other users' accounts, view sensitive files, modify other users' data, change access rights, etc.
Which of the following is not a mechanism of attack according to the CAPEC Mechanism of Attack hierarchy of attack patterns?
Reverse Engineering in the Physical Security Domain of Attack
STRIDE
Spoof, Tamper, Repudiation, Information disclosure, denial of service, elevation of privilege
Injection
These occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples of this risk can occur in SQL, NoSQL, and LDAP.
Security Misconfiguration
This is the most commonly seen issue. This is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, but they must be patched and upgraded in a timely fashion.
Insufficient logging and monitoring
This, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, maintain persistence, pivot to more systems, and tamper, extract, or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
According to CAPEC, firmly grasping the attacker's perspective and approaches used to exploit software systems is necessary to enhance security throughout the software development lifecycle.
True
Zero trust is a _______ approach?
Zero trust is not a single network architecture but is an architectural approach that focuses on data protection, not perimeter defense · Devices in security perimeter are not trusted · Focus on data protection, not perimeter defense
RAID 10
a combination of RaID 1 and RaID 0 that requires at least four disks to work as an array of drives and provides the best redundancy and performance. layers in opposite order
how to mitigate elevation of privilege?
authorization
raid 6 pros
better data redundancy can handle 2 failed drives
raid 5 cons
can only handle one disk failure
Centralized systems = ?
data collection
Which is not a mode of log analysis?
encoded
STRIDE is used for
identify threats, not classify threats
Risk transfer
insurance to cover cyber incidents
raid 6 cons
large parity overhead
how to mitigate Repudiation?
non-repudiation
Norsk Hydro
o Aluminum production operations are primarily computer controlled but have manual backup; some parts need to be kept running 24/7 o Ransomware blocked access to computer control systems § Some production was stopped, some switched to manual § Affected parts were isolated § Some operations were down or reduced for weeks o Ransomware was LockerGaga § Manual targeting § No way to decrypt files § Leveraged the single central active directory to infect multiple workstations simultaneously.
How to attack system after solutions were applied
o Bribe/threated insider o Supply chain o Physical access and theft o Phishing o Compromise portably system when external o Forge update/patch
Cyber insurance
o Can cover direct costs of a cyber incident (but varies by policy) o OR can provide coaching and help during incident § NORMALLY COVERED · Network security costs o Legal expenses o Forensics o Payment of ransom o Notification to customer o Data restoration o PR · Network business interruptions o Failed software patch · Errors and omissions for inability to deliver on contracts · Reputational harm · Bricking (replacement of equipment rendered useless § NORMALLY NOT COVERED · are social engineering attacks, · loss of value due to theft of intellectual property · Betterment ( cost to improve internal technology systems after an incident)
Solutions to mitigate risk
o Data diodes, one-way gateways o Segmentation o Encryption at rest and in transit o 2FA o DRM o AV o IDS o Out of band process monitoring
Polish Airline LOT Attack
o Flight plans must be sent to aircraft before takeoff § Flight plans have route weather etc. o DDOS attack over 5 overs prevention transmission § Cancelled 10 flights and delayed 15
How to protect IoTS
o Know the governance o Private networks must establish policies on usage, data retention, surveillance, and communicate to those users o Awareness of known and suspected vulnerabilities o Good practices on configuration, limitation of attack surfaces o Research and communication to ensure continuous reevaluation of risk o Penetration testing
Threat Vulnerabilities and highest risk
o Nation state: Compromise workstations o Nation State: compromise PLCs (DOS or small process mods) o Nation Stat: APTs o Competitor: Process details o Insider: time or logic bomb for corruption or destruction o Criminal gang: Ransom o Ecoterrorist: Dos/Destruction
why does IoT security have a limited attack surface?
o No UI o Pre configuration and limited configurability o Need to provide distributed updates via internet (some have a backdoor) o Limited ability to patch and protect
Petro Rabigh
o Saudi integrating chemical and refining complex o In June 2017 a Safety device had tripped part of Petro Rabigh offline "everything seemed to be working normally" though § Safety device are designed to act if dangerous circumstances are detected, serve as a backup to control systems o In August 2017 there was another outage, but Triton Malware was found § Poorly configured firewall § Got to safety devices through windows workstations § Plant was down for more than a week o Response included password changed and 2FA § Attackers changed account phone numbers to intercept 2FA login codes
Customs and border patrol data breach
o Subcontractor transferred copies of data from CBP to external systems o External systems were compromised and had the data copied
4 steps 4 questions of threat modeling
o What is being protected? Model systems o What can go wrong with security? Apply model of security threats to system model to identify threats o What should be done about threats? Address threats o Is this model complete and correct? Check model
Evil Ex
o When Jones did digital forensics for a divorce - One case where the husband hired someone to sniff wife's network traffic from outside of her house - Jones set up website to where he could see who accessed it - Husband installed a data monitoring software on laptop he gave to wife - Could see what she was doing on laptop
stress testing
placing extreme demands well beyond planning thresholds to determine degree of robustness (simulating Denial of Service attacks)
Attack librarys are used for?
provide a categorized list of attacks. MITRE CAPEC OWASP
raid 4 advantages
slow write if a parity disk fail, redundancy is lost
Raid 1 cons
slow write space is wasted by duplicating data, which increases cost per unit memory
Fuzzing
that sends large amounts of malformed and unexpected data to a program to trigger failures
Incentives that worked
§ Stronger passwords did not need to be changed as often § Displays length of time user can use password before it is needed to be changed
Key elements of the ICS exercise
· Protect the ICS network · Make sure operation is continuous and correct · Protect intellectual property · Protect IT data · Key assets to protect
Secure Software Development Testing
•(Automated) Static and Dynamic Code Analysis to identify security policy violations, such as not validating user input •(Manual) Peer code Reviews by developer other than the author •Testing by security team (in addition to business functional testing) •Web Application vulnerability scanning •Interception proxy software that logs and examines communications between two endpoints to check for (i) input validation, (ii)parameter validation, (iii) plaintext credentials, and (iv) session tokens that aren't pseudo-random to prevent attacker guessing
Tips for identifying threats using STRIDE
•Go through STRIDE order through diagram. •Example: For web browser, look for spoofing threats, then look for tampering threats, and so on. Then look at threats to another system element, such as backend database. •Start with external entities or events •Focus on feasible threats •Record identified threats even if not fit the STRIDE type you are considering •Remember STRIDE is not a taxonomy for categorizing threats but is a tool to identify threats
MITRE CAPEC
•Publicly available catalog of attack patterns to assist in building secure software •Attack patterns are descriptions of common methods for exploiting vulnerabilities that provide attacker's perspective and guidance on mitigation •Typical information: name, description, method of attack, attacker skill/knowledge required, resources required, solutions and mitigations, consequences
Cyber Incident risk transfer case Mondelez v. Zurich American Insurance (Illinois
●Zurich sold Mondelez (food and beverage international conglomerate) an all-risk property policy (not specific cyber) ●Mondelez was victim of ransomware attack that rendered unusable 1,700 servers and 24,000 laptops ($100M in losses) ●Ransomware attack (NotPetya) widely attributed to Russians attempting to disrupt Ukrainian computer systems ●Zurich denied Mondelez's claim based on its war and terrorism exclusion clause